Home
It is meant to restrict DDoS attacks at the HTTP level: it processes HTTP requests on a web server or proxy and drops the "bad" ones. It does not provide protection on lower layers (IP, TCP, ...), which has to be solved elsewhere.
Because it is quite fast and nginx provides many useful functions.
Yes. It evaluates the distribution of requests and similar properties, not just the absolute number of requests, and the algorithm can learn from traffic.
Behavioral filtering is a buzzword, because non-behavioral approaches have no future.
ANDDOS has several "runlevels", basically normal and under attack. Its filtering strategy depends on its runlevel. A client is defined by IP address and the User-Agent HTTP header (plus cookie), but clients can be aggregated when necessary (all user agents of an IP into one client, and potentially an IP into an IP range).
Each client is allowed to send its first n requests (outside of "attack" time). After that the client can be filtered or added to a client list. In case of an attack, no new clients are added to the list, but clients can be removed from it.
Each client gets its own cookie and the server requires its presence (with the correct value) in subsequent requests. The goal is to stop HTTP attacks that do not wait for a server response, as cheaply as possible.
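The runlevel, first-n grace period and cookie check described above, as an added Python model of the admission logic; it is not code from the ANDDOS module, and the class name, `FIRST_N = 3`, the HMAC-derived cookie value and the exact list-removal rule are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

NORMAL, UNDER_ATTACK = "normal", "under_attack"
FIRST_N = 3  # assumed: cookie-less requests a new client may send in normal runlevel


class AnddosLikeFilter:
    """Toy model of the runlevel + cookie admission logic, not the nginx module."""

    def __init__(self, secret=None):
        self.secret = secret or secrets.token_bytes(32)  # server-side key for cookies
        self.runlevel = NORMAL
        self.trial = {}      # (ip, ua) -> cookie-less requests seen so far
        self.listed = set()  # clients that have proven they read responses

    def cookie_for(self, ip, ua):
        # HMAC over the client identity: unguessable, and nothing to store per client.
        return hmac.new(self.secret, f"{ip}|{ua}".encode(), hashlib.sha256).hexdigest()

    def handle(self, ip, ua, cookie=None):
        """Decide one request; returns (decision, cookie_to_set)."""
        key = (ip, ua)
        expected = self.cookie_for(ip, ua)
        if cookie is not None:
            if not hmac.compare_digest(cookie, expected):
                return "drop", None  # forged or stale cookie
            if self.runlevel == NORMAL:  # no new list entries while under attack
                self.listed.add(key)
                self.trial.pop(key, None)
            return "pass", None
        if key in self.listed:
            # A listed client that stops echoing its cookie looks like a flood source;
            # under attack it loses its place in the list.
            if self.runlevel == UNDER_ATTACK:
                self.listed.discard(key)
            return "drop", None
        if self.runlevel == UNDER_ATTACK:
            return "drop", None  # unknown client during an attack: not admitted
        seen = self.trial[key] = self.trial.get(key, 0) + 1
        if seen <= FIRST_N:
            return "pass", expected  # grace period: serve it and hand out the cookie
        return "drop", None  # never echoed the cookie within n requests: filtered
```

A client that reads responses echoes the cookie on its second request and is listed; a sender that never reads responses gets its first n requests through and is dropped from then on, without the server storing anything beyond a small counter for it.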