How to prevent DDoS attacks

Hello, this morning we had an incident on one of our servers, a large DDoS attack. Their common point was that the user-agents corresponded to old UAs like Macintosh, Windows 95, etc. Also, there were suspicious dates like this one: Mozilla/5.0 (X11; Linux x86_64; rv:1.9.7.20) Gecko/6496-09-22 17:26:38.382965 Firefox/3.6.7. I quickly created a scenario to block all old UAs; the scenario worked and there were alerts/decisions everywhere; it was impressive. But the problem is that I felt CrowdSec was overwhelmed. I tried to block an entire country, but that didn’t work either. I really felt that CrowdSec was overwhelmed and was not working properly. We will take measures regarding this and our vhosts, but on the CrowdSec side, what could I do to prevent this from happening again?
2 Replies
CrowdSec, 3w ago
Important Information
Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please run the command /resolve or press the green resolve button below.
Log Files
If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.
Guide Followed (CrowdSec Official)
If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.
Screenshots
Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.
© Created By WhyAydan for CrowdSec ❤️
thatwhiff, 3w ago
Hello, I had the same issue. What worked for me is below:
1. Switch Remediation Mode from MODE=live to MODE=stream in the bouncer configuration.
2. Remove the bad-user-agent scenario since it uses regex and consumes a lot of CPU (handle country blocking & bad UA with nginx or the webserver you use).
3. Enable the re2_grok_support & re2_regexp_in_file_support feature flags for regex performance.
4. Try experimenting with parser_routines & bucket_routines.
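To check those tuning points against a deployment's own files, here is an added example (not code from this thread or from CrowdSec) that audits the standard locations: the nginx bouncer's KEY=VALUE conf for MODE, /etc/crowdsec/feature.yaml as a YAML list of flag names, and the parser_routines / buckets_routines keys under crowdsec_service in /etc/crowdsec/config.yaml (the documented key is buckets_routines, which the reply spells bucket_routines). The file contents below are constructed samples; the script only reports what is still missing and changes nothing.

```python
"""Audit CrowdSec tuning for the points listed in the reply above.

Added example. File layout and key names are assumptions based on the
standard CrowdSec install, not taken from the original post.
"""
import re


def parse_env_conf(text: str) -> dict:
    """Parse KEY=VALUE lines (crowdsec-nginx-bouncer.conf style)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip().strip('"')
    return conf


def parse_feature_list(text: str) -> set:
    """feature.yaml is a plain YAML list of feature-flag names."""
    return {ln.strip()[2:].strip() for ln in text.splitlines() if ln.strip().startswith("- ")}


def routine_count(text: str, key: str) -> int:
    """Read an integer setting such as parser_routines from config.yaml (default 1)."""
    m = re.search(rf"^\s*{key}:\s*(\d+)\s*$", text, re.MULTILINE)
    return int(m.group(1)) if m else 1


def audit(bouncer_conf: str, feature_yaml: str, config_yaml: str) -> list:
    """Return the tuning points that are still missing (empty list = all applied)."""
    findings = []
    if parse_env_conf(bouncer_conf).get("MODE", "live").lower() != "stream":
        findings.append("bouncer MODE is not stream: every request queries the LAPI")
    flags = parse_feature_list(feature_yaml)
    for flag in ("re2_grok_support", "re2_regexp_in_file_support"):
        if flag not in flags:
            findings.append(f"feature flag {flag} not enabled")
    for key in ("parser_routines", "buckets_routines"):
        if routine_count(config_yaml, key) < 2:
            findings.append(f"{key} still at 1: a single goroutine for this stage")
    return findings


# Constructed samples: the defaults that struggled under load, then a tuned set.
BEFORE = ("API_URL=http://localhost:8080\nMODE=live\n", "",
          "crowdsec_service:\n  parser_routines: 1\n  buckets_routines: 1\n")
AFTER = ("API_URL=http://localhost:8080\nMODE=stream\nUPDATE_FREQUENCY=10\n",
         "- re2_grok_support\n- re2_regexp_in_file_support\n",
         "crowdsec_service:\n  parser_routines: 4\n  buckets_routines: 4\n")

if __name__ == "__main__":
    for label, files in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(*files) or ["all tuning points applied"])
```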
