How to mitigate Layer 7 attacks?

Question

Hi HN,I was recently a victim of Layer 7 DDoS attacks, and use Cloudflare. Cloudflare was able to migrate them off, but I'm in the mix of changing from Cloudflare to my own system for most of my websites and my wifes (blogged about it here: https://thegeekbin.com/ddos-protection-my-experience/).What's a reliable way to mitigate most layer 7 attacks? I've added into nginx filters for slow connections (eg, HEAD and wait X time to clog server resource, slowloris) and other things like bad user agents, R-U-DEAD-YET, etc. but I'm not sure that's going to be enough.What's your take on this HN? Any pointers to provide good enough protection against most common attacks?Thanks

hamid_ra · Accepted Answer

What is your website?! is it just a content website or you have some sort of services serving your requests in backend. Application DDos attacked can hugely impact your website if they can put load on your backend and eventually trash your servers. Some useful solutions for those scenarios: -proper authentication/authorization mechanism -keep stats per user or session and set quota on the number of requests per user or session -add captcha to your registration pages to prevent them from scripting your signup.

zzzcpan · Answer

I'm assuming you also want a simple way to mitigate layer 7 attacks, which is the hard part. You can try something like gathering statistics of /24 IP subnets that make connections to your server and once you detect increase in unseen subnets that goes over some threshold you think your server can't handle - nullroute unseen subnets that go over that threshold for some short period of time. And on a web server side configure rate limiting for everything.

gtirloni · Answer

Cloudflare is a good way to mitigate those attacks. They have a pipe much bigger than what most attackers can get together.You don't stand a chance against a DDoS and you have to work with your upstream ISP to mitigate some of it. They might not have the tools to help you though.