[Django]-Load spike protection for Django Channels

I am only answering the first question. So basically it is impossible to be 100% protected from ddos attacks, because it always comes down to a battle of resources. If the server-side resources are greater than the attacker-side resources, the server will not go down (there may be slowed performance though) but if not, the server goes down [no reference required]. Why is it not possible to be 100% protected, you may ask. So basically your server “crashes” if people cannot connect to it [https://en.wikipedia.org/wiki/Crash_(computing)#Web_server_crashes — Web server crashes sentence 1.]. So if you try to protect your server by shutting it down for 5 mins every time 10000 connections are made in a second, the ddos succeeded. It “crashed” your server. The only ddos protection that I know of that should work is Cloudfare (https://www.cloudflare.com/lp/ddos-b/?_bt=207028074666&_bk=%2Bddos%20%2Bprotection&_bm=b&_bn=g&gclid=EAIaIQobChMIu5qv4e-Z1QIVlyW9Ch2YGQdiEAAYASAAEgJbQ_D_BwE). It absorbs the impact of the ddos attack with its 10Tbps network backbone. But even it does not offer 100% ddos protection because once its 10Tbps is down, your server will go down too. So, I hope that helped.

DDoS = Distributed Denial of Service

The ‘Distributed’ part is the key: you can’t know you’re being attacked by ‘someone’ in particular, because requests come from all over the place.

Your server will only accept a certain number of connections. If the attacker manages to create so many connections that nobody else can connect, you’re being DDoS’ed.

So, in essence you need to be able to detect that a connection is not legit, or you need to be able to scale up fast to compensate for the limit in number of connections.

Good luck with that!

DDoS protection should really be a service from your cloud provider, at the load balancer level.

Companies like OVH use sophisticated machine learning techniques to detect illegitimate traffic and ban the IPs acting out in quasi-real time.
For you to build such a detection machinery is a huge investment that is probably not worth your time (unless your web site is so critical and will lose millions of $$$ if it’s down for a bit)

Theres a lot of things you cant to do about DDOS..however there are some neat ‘tricks’ depending on how much resources you have at your disposal, and how much somebody wants to take you offline.

Are you offering a total public service that requires direct connection to the resource you are trying to protect?

If so, you just going to need to ‘soak up’ DDOS with the resources you have, by scaling up and out… or even elastic… either way it’s going to cost you money!

or make it harder for the attacker to consume your resources. There are number of methods to do this.

If you service requires some kind of authentication, then separate your authentication services from the resource you are trying to protect.

Many applications, the authentication and ‘service’ run on the same hardware. thats a DOS waiting to happen.

Only let fully authenticated users access the resources you are trying to protect with dynamic firewall filtering rules. If your authenticated then gate to the resources opens (with a restricted QOS in place) ! If your a well known, long term trusted users, then access the resource at full bore.

Have a way of auditing users resource behaviour (network,memory,cpu) , if you see particular accounts using bizarre amounts, ban them, or impose a limit, finally leading to a firewall drop policy of their traffic.

Work with an ISP that can has systems in place that can drop traffic to your specification at the ISP border…. OVH are your best bet. an ISP that exposes filter and traffic dropping as an API, i wish they existed… basically moving you firewall filtering rules to the AS border… niiiiice! (fantasy)

It won’t stop DDOS, but will give you a few tools to keep resources wasted a consumption by attackers to a manageable level. DDOS have to turn to your authentication servers… (possible), or compromise many user accounts…. at already authenticated users will still have access 🙂

If your DDOS are consuming all your ISP bandwidth, thats a harder problem, move to a larger ISP! or move ISP’s… :-). Hide you main resource, allow it to be move dynamically, keep on the move! :-).

Break the problem into pieces… apply DDOS controls on the smaller pieces. 🙂

I’ve tried a most general answer, but there are a lot a of depends, each DDOS mitigation requires a bit of Skin, not tin approach.. Really you need a anti-ddos ninja on your team. 😉

Take a look at distributed protocols…. DP’s maybe the answer for DDOS.

Have fun.

Let’s apply some analysis to your question. A DDoS is like a DoS but with friends. If you want to avoid DDoS explotation you need minimize DoS possibilities. Thanks capitan obvious.

First thing is to do is make a list with what happens in your system and wich resources are affected:

• A tcp handshake is performed (SYN_COOKIES are affected)
• A ssl handshake comes later (entropy, cpu)
• A connection is made to channel layer…

Then monitorize each resource and try to implement a counter-measure:

• Protect to SYN_FLOOD configuring your kernel params and firewall
• Use entropy generators
• Configure your firewall to limit open/closed connection in short time (easy way to minimize ssl handshakes)
• …

Separate your big problem (DDoS) in many simple and easy to correct tasks. Hard part is get a detailed list of steps and resources.

Excuse my poor english.