Document DDoS mitigation
mathjazz committed Feb 8, 2024
1 parent 9684444 commit c699479
Showing 3 changed files with 18 additions and 0 deletions.
4 changes: 4 additions & 0 deletions docs/admin/deployment.rst
@@ -72,6 +72,10 @@ you create:
Set to 'gitlab' if you want to use 'GitLab' (corresponding GITLAB_* settings must be set if required).
Set to 'google' if you want to use 'Google' (corresponding GOOGLE_* settings must be set).

``BLOCKED_IPS``
A comma-separated list of IP addresses to be blocked from accessing the app,
because they are DDoS'ing the server.

``CELERY_ALWAYS_EAGER``
Controls whether asynchronous tasks (mainly used during sync) are sent to
Celery or executed immediately and synchronously. Set this to ``False`` on
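Review bot: the ``BLOCKED_IPS`` entry says "comma-separated" but not how strictly that is parsed, and the matching setting in pontoon/settings/base.py splits on commas without stripping whitespace, so a value like ``1.2.3.4, 5.6.7.8`` leaves a leading space in the second entry; either state here that no whitespace is allowed around the commas or make the setting code tolerant of it. It would also help operators to point this entry at the new "Mitigating DDoS attacks" section in maintenance.rst so the two halves of the procedure (where to find the addresses, where to put them) are discoverable from each other.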
13 changes: 13 additions & 0 deletions docs/admin/maintenance.rst
@@ -40,3 +40,16 @@ Finally, you need to simply access the worker:
# Replace my-app-name with your Heroku app's name.
celery --broker=`heroku config:get RABBITMQ_URL --app=my-app-name` worker
Mitigating DDoS attacks
-----------------------
In a distributed denial-of-service attack (`DDoS`_ attack), the incoming traffic
flooding the victim originates from many different sources. This stops everyone
else from accessing the website as there is too much traffic flowing to it.

One way to mitigate DDoS attacks is to identify the IP addresses of the
attackers and block them. Find the attacking IP addresses in the Log
Management Add-On (Papertrail) and add them to the BLOCKED_IPs config variable
in Heroku Settings.

.. _DDoS: https://en.wikipedia.org/wiki/Denial-of-service_attack
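Review bot: the variable is written as BLOCKED_IPs in the last paragraph while the setting is BLOCKED_IPS (deployment.rst documents it as ``BLOCKED_IPS``); Heroku config vars are case-sensitive, so fix the case and render it as a literal. A blank line is also needed between the ``celery --broker=...`` command and the new "Mitigating DDoS attacks" heading: the command sits in an indented literal block, and docutils reports "Literal block ends without a blank line; unexpected unindent" when the dedent follows it directly. Finally, the section's own description says the traffic comes from many different sources, so a hand-maintained address list only helps while the attack uses a small, stable set of addresses; since the setting lives in the Django settings, the blocked requests are still received by the app before being rejected, and it is worth saying so, so that operators know to look for blocking closer to the edge when the list stops being effective.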
1 change: 1 addition & 0 deletions pontoon/settings/base.py
@@ -267,6 +267,7 @@ def _default_from_email():
"django_ace",
)

# A list of IP addresses to be blocked from accessing the app, because they are DDoS'ing the server
BLOCKED_IPS = os.environ.get("BLOCKED_IPS", "").split(",")

MIDDLEWARE = (
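Review bot: ``os.environ.get("BLOCKED_IPS", "").split(",")`` evaluates to ``[""]`` when the variable is unset, so the default is a one-element list containing the empty string rather than an empty list, and surrounding whitespace in the configured value is kept. Suggest ``BLOCKED_IPS = [ip.strip() for ip in os.environ.get("BLOCKED_IPS", "").split(",") if ip.strip()]`` so that an unset or empty variable yields ``[]`` and ``a, b`` parses cleanly. Nothing in this diff reads BLOCKED_IPS; the commit message or the docs should name the middleware that enforces it, and that middleware needs to compare against the client address Heroku's router forwards rather than the router's own address, otherwise the list documented in deployment.rst will never match.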