TL;DR
Your app is being hit by a Distributed Denial of Service (DDoS) attack via its APIs. This guide shows you how to quickly block malicious traffic using rate limiting, IP blocking, and web application firewalls (WAFs). These steps will help protect your servers from overload.
1. Identify the Attack
- Check Server Logs: Look for unusual patterns in your server logs – a small set of IPs or user agents producing a large share of requests, bursts of failed login attempts, or a flood aimed at one expensive endpoint (login, search, report generation). If Nginx or Apache sits behind a load balancer or CDN, the logged client address is the proxy's unless you log the X-Forwarded-For header, so check that before you start counting per-IP.
- Monitor Resource Usage: Use tools like top (Linux) or Task Manager (Windows) to see if CPU, memory, or network bandwidth are spiking unexpectedly. On Linux, ss -s gives a quick per-state connection summary, which makes a pile-up of half-open or idle connections easy to spot.
- Analyse Traffic Patterns: Tools like Wireshark or tcpdump can help you capture and analyse network traffic for suspicious activity. During a flood, capture a bounded sample (for example tcpdump -c 10000) rather than everything; a full capture adds load to a host that is already struggling.
2. Implement Rate Limiting
Rate limiting restricts the number of requests a user (identified by IP address, API key, etc.) can make within a given timeframe. This prevents attackers from overwhelming your server with rapid-fire requests.
- Choose a Rate Limiting Method: Common methods include token bucket and leaky bucket algorithms.
- Configure Your Web Server/Framework: Most web servers (e.g., Nginx, Apache) and frameworks (e.g., Django, Flask, Node.js Express) have built-in rate limiting features or modules you can install.
```nginx
# Example Nginx rate limiting
# limit_req_zone belongs in the http {} context. A 10m zone holds roughly
# 160,000 client states. Requests above 5 r/s queue up to a burst of 10;
# nodelay serves the burst immediately and rejects anything beyond it.
http {
    limit_req_zone $binary_remote_addr zone=mylimit:10m rate=5r/s;
    limit_req_status 429;

    server {
        ...
        location /api/ {
            limit_req zone=mylimit burst=10 nodelay;
            ...
        }
    }
}
```
Note that $binary_remote_addr is the address of whatever connected to Nginx directly. Behind a load balancer or CDN that is the proxy, not the attacker, so enable the real IP module (set_real_ip_from and real_ip_header) or key the zone on an API key before relying on per-client limits.
- Test Your Rate Limiting: Simulate high traffic against a staging host (for example with ab or wrk) to confirm that excess requests receive the 429 and that normal clients are not throttled.
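The two algorithms named above differ mainly in how they treat bursts. Nginx's limit_req is a leaky bucket (a queue drained at a fixed rate); the token bucket below is the other common choice and is what most API gateways and application-level limiters implement. This is an added example written for this guide, not code from the original page or from Nginx. The rate and burst mirror the Nginx settings above (5 r/s, burst 10), time is passed in explicitly so the run is deterministic, and the client IPs and request timeline are constructed for illustration.

```python
"""Token-bucket rate limiter keyed by client (IP address, API key, ...).

Added example, not from the original guide. Tokens are kept as exact
fractions so that refill arithmetic never drifts; a production limiter
would use floats or integers and a shared store such as Redis so that
all app instances see the same bucket.
"""
from fractions import Fraction


class TokenBucketLimiter:
    def __init__(self, rate_per_sec, burst):
        self.rate = Fraction(rate_per_sec)   # tokens added per second
        self.burst = Fraction(burst)         # bucket capacity (max burst)
        self._buckets = {}                   # key -> (tokens, last_seen_ms)

    def allow(self, key, now_ms):
        """Return True if one request from `key` may proceed at time now_ms."""
        tokens, last = self._buckets.get(key, (self.burst, now_ms))
        # Refill for the elapsed time, capped at the bucket capacity.
        tokens = min(self.burst, tokens + Fraction(now_ms - last, 1000) * self.rate)
        if tokens >= 1:
            self._buckets[key] = (tokens - 1, now_ms)
            return True
        self._buckets[key] = (tokens, now_ms)   # denied: no token consumed
        return False


def simulate(limiter=None):
    """Run constructed traffic through the limiter.

    Returns {client: (allowed, denied)}. Traffic (constructed, not real):
    198.51.100.7 floods at 100 r/s for one second (requests every 10 ms);
    203.0.113.5 is a normal client making four requests in that second.
    """
    limiter = limiter or TokenBucketLimiter(rate_per_sec=5, burst=10)
    traffic = [("198.51.100.7", 10 * i) for i in range(100)]
    traffic += [("203.0.113.5", t) for t in (0, 300, 600, 900)]
    traffic.sort(key=lambda e: e[1])         # process in time order

    counts = {}
    for key, t in traffic:
        allowed, denied = counts.get(key, (0, 0))
        if limiter.allow(key, t):
            counts[key] = (allowed + 1, denied)
        else:
            counts[key] = (allowed, denied + 1)
    return counts


if __name__ == "__main__":
    for client, (ok, rejected) in simulate().items():
        print(f"{client}: {ok} allowed, {rejected} denied")
```

The flood gets the full burst of 10 straight away and then only one request per 200 ms, so 14 of its 100 requests are served and 86 are rejected, while the normal client is never throttled. Keying on $binary_remote_addr or an IP string has the same caveat as the Nginx config: behind a proxy every client shares one key unless you recover the real address first.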
3. Block Malicious IPs
Once you’ve identified attacking IP addresses, block them at your firewall or web server level.
- Firewall Rules: Add rules to your firewall (e.g., iptables, ufw, Windows Firewall) to drop packets from the offending IPs.
```bash
# Example iptables rule
# -I inserts at the top of INPUT so the DROP takes effect before any
# earlier ACCEPT rule; -A would append after them. For more than a handful
# of addresses use an ipset and match the set instead of one rule per IP.
sudo iptables -I INPUT -s [attacker_ip] -j DROP
```
- Web Server Blocking: Configure your web server (e.g., Nginx, Apache) to block requests from specific IPs.
```nginx
# Example Nginx IP blocking (http, server or location context).
# Rules are checked in order and the first match wins, so deny lines
# must come before allow all.
deny [attacker_ip];
allow all;
```
- Automated Blocking: Consider using a script or tool (fail2ban is a common choice) to automatically block IPs that exceed a certain request threshold. Be careful with this – false positives can happen! Keep an allowlist for your own load balancers, health checkers and monitoring, and remember that one address behind NAT or carrier-grade NAT can represent many legitimate users. In a truly distributed attack there may be thousands of sources, so per-IP blocking is a stopgap while you put rate limiting or upstream protection in place.
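The log check in step 1 and the automated blocking above come down to the same routine: count requests per source IP over a sliding window and act on the ones that exceed a threshold. The script below does that over Nginx combined-format access log lines and emits the ipset and iptables commands for review rather than running them. It is an added example written for this guide, not the guide's own tooling and not fail2ban; the log lines, IP addresses, allowlist, thresholds and the ddos_block set name are all constructed for illustration.

```python
"""Flag source IPs that exceed a request threshold in a sliding window and
build the firewall commands to block them. Added example, not from the
original guide. Input is Nginx 'combined' access log lines in time order
(as a live log is); nothing here touches the firewall, the commands are
returned as strings for a human to review first.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Nginx 'combined' format: the default access_log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed allowlist: our own health checker / load balancer. Never block these.
ALLOWLIST = {"192.0.2.10"}


def parse_line(line):
    """Return (ip, epoch_seconds, request_line) or None for non-matching lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT).timestamp()
    return m.group("ip"), ts, m.group("req")


def flag_offenders(lines, window_s=10, max_requests=20, allowlist=ALLOWLIST):
    """Return {ip: peak_requests_in_window} for IPs that exceeded max_requests
    within any window_s-second span. Allowlisted IPs are never flagged."""
    recent = defaultdict(deque)      # ip -> timestamps inside the current window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _ = parsed
        if ip in allowlist:
            continue
        dq = recent[ip]
        dq.append(ts)
        while ts - dq[0] >= window_s:    # evict timestamps that left the window
            dq.popleft()
        if len(dq) > max_requests:
            flagged[ip] = max(flagged.get(ip, 0), len(dq))
    return flagged


def firewall_commands(flagged, set_name="ddos_block", ttl_s=3600):
    """Build ipset/iptables commands (not executed). A set with a timeout keeps
    the rule table small and expires blocks on its own; -I puts the DROP rule
    ahead of earlier ACCEPT rules. Run the first two once, not per batch."""
    cmds = [
        f"ipset create {set_name} hash:ip timeout {ttl_s} -exist",
        f"iptables -I INPUT -m set --match-set {set_name} src -j DROP",
    ]
    cmds += [f"ipset add {set_name} {ip} -exist" for ip in sorted(flagged)]
    return cmds


# --- Constructed sample log: an abusive client, a normal user and an
# --- allowlisted health checker, all inside the same 13-second span.
def _line(ip, second, path, status, ua):
    return (f'{ip} - - [10/Oct/2023:13:55:{second:02d} +0000] '
            f'"POST {path} HTTP/1.1" {status} 64 "-" "{ua}"')

_events = []
for i in range(30):                                   # 30 requests in 10 s each
    _events.append((i // 3, _line("198.51.100.7", i // 3, "/api/login", 401, "python-requests/2.31")))
    _events.append((i // 3, _line("192.0.2.10", i // 3, "/api/health", 200, "ELB-HealthChecker/2.0")))
for s in (2, 7, 12):                                  # three requests from a real user
    _events.append((s, _line("203.0.113.5", s, "/api/login", 401, "Mozilla/5.0")))
SAMPLE_LOG = [line for _, line in sorted(_events, key=lambda e: e[0])]


def demo():
    flagged = flag_offenders(SAMPLE_LOG)
    return flagged, firewall_commands(flagged)


if __name__ == "__main__":
    found, cmds = demo()
    print("flagged:", found)
    print("\n".join(cmds))
```

On the sample, only 198.51.100.7 is flagged (30 requests in the window), the health checker is skipped because it is allowlisted even though it is just as chatty, and the real user's three requests stay well under the threshold. Pick window and threshold from your own baseline traffic, and tail the log rather than re-reading it so the same IP is not re-added every run.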
4. Use a Web Application Firewall (WAF)
A WAF acts as a shield between your application and the internet, filtering out malicious traffic based on predefined rules. Because it inspects HTTP, it helps against application-layer floods (many well-formed requests to expensive endpoints); it does not help once a volumetric attack has saturated your network link, which is the case for step 5.
- Choose a WAF: Popular options include Cloudflare, AWS WAF, and ModSecurity with the OWASP Core Rule Set.
- Configure Rules: Configure the WAF to block common DDoS attack patterns (e.g., HTTP floods, slowloris attacks). Many WAFs have pre-configured rules you can enable. Slowloris-style attacks, which hold connections open with slow partial requests, are often handled better by the web server's own connection timeouts (client_header_timeout and client_body_timeout in Nginx) than by WAF rules.
- Monitor WAF Logs: Regularly check the WAF logs for blocked requests and adjust rules as needed.
5. Consider a DDoS Protection Service
For large or sophisticated attacks, a dedicated DDoS protection service (e.g., Cloudflare, Akamai) may be necessary.
- Service Selection: Choose a provider that can handle the scale and type of attacks you anticipate.
- Configuration: Route your traffic through the DDoS protection service. They will typically filter out malicious traffic before it reaches your servers. Once traffic is routed that way, restrict your origin firewall to the provider's published address ranges; if the origin still answers directly, an attacker who finds its address (for example from old DNS records) simply bypasses the protection.

