envoyproxy/envoy

Tarpit: HTTP DDOS mitigation through envoy

Open

#8292 aperta il 19 set 2019

Vedi su GitHub
 (13 commenti) (7 reazioni) (1 assegnatario)C++ (5373 fork)batch import
area/securitydesign proposalhelp wanted

Metriche repository

Star
 (27.997 star)
Metriche merge PR
 (Merge medio 8g) (378 PR mergiate in 30 g)

Descrizione

Description:

This is a mitigation approach where the socket/connection is not closed during attack, instead is kept open draining attacker resources. This technique does not forward requests upstream and essentially ignores all the requests from the attacker, shielding the clusters behind envoy. This implementation leverages the TCP zero-window state and exponential back-offs during TCP re transmissions.

I have tested the implementation on envoy with about 200,000 concurrent connections and 20k-40k requests per second and analyzed the CPU utilization, memory usage and network bandwidth utilization on both attacker and server side.

This implementation on envoy utilized tuning the socket receive buffers and receive buffer low watermarks. It is different than the one implemented in the kernel, hooking into the TCP stack.

I have shared some RFCs on how TCP reacts to zero-window state.Please let me know your thoughts if this is something interesting to upstream?

Thanks! Rama

[optional Relevant Links:]

Original implementation for iptables add-on : https://sourceforge.net/p/xtables-addons/xtables-addons/ci/master/tree/extensions/xt_TARPIT.c https://tools.ietf.org/html/rfc6429 https://tools.ietf.org/html/rfc1122#section-4.2.2.17

Guida contributor