From c7e43f5ca5e51eb051d80896cc9c0224312e6116 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matja=C5=BE=20Horvat?=
Date: Thu, 8 Feb 2024 10:20:39 +0100
Subject: [PATCH] Document DDoS mitigation (#3090)

---
 docs/admin/deployment.rst | 4 ++++
 docs/admin/maintenance.rst | 13 +++++++++++++
 pontoon/settings/base.py | 1 +
 3 files changed, 18 insertions(+)

diff --git a/docs/admin/deployment.rst b/docs/admin/deployment.rst
index 0c1f56164a..02bd4e7430 100644
--- a/docs/admin/deployment.rst
+++ b/docs/admin/deployment.rst
@@ -72,6 +72,10 @@ you create:
 Set to 'gitlab' if you want to use 'GitLab' (corresponding GITLAB_* settings must be set if required). Set to 'google' if you want to use 'Google' (corresponding GOOGLE_* settings must be set).
+``BLOCKED_IPS``
+ A comma-separated list of IP addresses to be blocked from accessing the app,
+ for example because they are DDoS'ing the server.
+
 ``CELERY_ALWAYS_EAGER``
 Controls whether asynchronous tasks (mainly used during sync) are sent to Celery or executed immediately and synchronously. Set this to ``False`` on
diff --git a/docs/admin/maintenance.rst b/docs/admin/maintenance.rst
index 9790d4e8d2..8f0ff28d27 100644
--- a/docs/admin/maintenance.rst
+++ b/docs/admin/maintenance.rst
@@ -40,3 +40,16 @@ Finally, you need to simply access the worker:
 # Replace my-app-name with your Heroku app's name.
 celery --broker=`heroku config:get RABBITMQ_URL --app=my-app-name` worker
+
+Mitigating DDoS attacks
+-----------------------
+In a distributed denial-of-service attack (`DDoS`_ attack), the incoming traffic
+flooding the victim originates from many different sources. This stops everyone
+else from accessing the website as there is too much traffic flowing to it.
+
+One way to mitigate DDoS attacks is to identify the IP addresses of the
+attackers and block them. Find the attacking IP addresses in the Log
+Management Add-On (Papertrail) and add them to the BLOCKED_IPs config variable
+in Heroku Settings.
+
+.. _DDoS: https://en.wikipedia.org/wiki/Denial-of-service_attack
diff --git a/pontoon/settings/base.py b/pontoon/settings/base.py
index 453be98510..1f45038f7a 100644
--- a/pontoon/settings/base.py
+++ b/pontoon/settings/base.py
@@ -267,6 +267,7 @@ def _default_from_email():
 "django_ace",
 )

+# A list of IP addresses to be blocked from accessing the app, because they are DDoS'ing the server
 BLOCKED_IPS = os.environ.get("BLOCKED_IPS", "").split(",")

 MIDDLEWARE = (
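Review bot: The setting line below the new comment, `BLOCKED_IPS = os.environ.get("BLOCKED_IPS", "").split(",")`, evaluates to `[""]` when the variable is unset or empty and keeps any whitespace around the comma-separated entries, so a value such as `1.2.3.4, 5.6.7.8` leaves the second address unblocked while an empty string sits in the list; normalise it with `BLOCKED_IPS = [ip.strip() for ip in os.environ.get("BLOCKED_IPS", "").split(",") if ip.strip()]`. The middleware that consults this list is outside the hunk, so it is worth confirming there that the client address it compares against comes from the value the Heroku router appends to `X-Forwarded-For` rather than the leftmost, client-supplied entry, otherwise the block is trivially bypassed by spoofing that header. The comment would also be more useful if it stated how entries are matched, e.g. `# Exact-match client IPs (no CIDR ranges); empty entries are ignored`, once that matches the middleware. Separately, the maintenance doc added in this commit refers to `BLOCKED_IPs`, which does not match the setting name defined here.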