envoyproxy/envoy

Tarpit: HTTP DDOS mitigation through envoy

Open

#8.292 aberto em 19 de set. de 2019

Ver no GitHub
 (13 comments) (7 reactions) (1 assignee)C++ (5.373 forks)batch import
area/securitydesign proposalhelp wanted

Métricas do repositório

Stars
 (27.997 stars)
Métricas de merge de PR
 (Mesclagem média 8d) (378 fundiu PRs em 30d)

Description

Description:

This is a mitigation approach where the socket/connection is not closed during attack, instead is kept open draining attacker resources. This technique does not forward requests upstream and essentially ignores all the requests from the attacker, shielding the clusters behind envoy. This implementation leverages the TCP zero-window state and exponential back-offs during TCP re transmissions.

I have tested the implementation on envoy with about 200,000 concurrent connections and 20k-40k requests per second and analyzed the CPU utilization, memory usage and network bandwidth utilization on both attacker and server side.

This implementation on envoy utilized tuning the socket receive buffers and receive buffer low watermarks. It is different than the one implemented in the kernel, hooking into the TCP stack.

I have shared some RFCs on how TCP reacts to zero-window state.Please let me know your thoughts if this is something interesting to upstream?

Thanks! Rama

[optional Relevant Links:]

Original implementation for iptables add-on : https://sourceforge.net/p/xtables-addons/xtables-addons/ci/master/tree/extensions/xt_TARPIT.c https://tools.ietf.org/html/rfc6429 https://tools.ietf.org/html/rfc1122#section-4.2.2.17

Guia do colaborador