08/11/2020 (Tue) 12:53:26
As someone who runs a DDoS protection service (30k+ sites) I can tell you now that rate limiting is your best friend.
>1.
Always use the latest stable version of Nginx. Learn about rate limiting in Nginx and connection limiting. This alone will stop the majority of L7 floods. You may want to have a look at OpenResty and learn a bit of Lua, it's a very powerful and very fast (when using LuaJIT) way to customise Nginx to your needs.
>2.
Use hCaptcha and not Google Captcha. Not only is it actually privacy respecting (or so they claim), but almost all of the paid captcha solving services don't work with hCaptcha.
And don't think for a second that switching to Tor will block the L7 floods, because it won't. If anything, it makes it a lot easier to bring down your site because not only are you more vulnerable to L7 attacks, you are now once again vulnerable to L3/4 attacks.
Other helpful stuff:
Just block ICMP altogether, it's not needed and eats up your CPU.
Look at Javapipe and their iptables blog post to help you with blocking TCP attacks which can bypass regular L4 protection (also helps with L7 floods).
Don't waste your time trying to block L7 floods with Tor. They can still bring down your circuits.
The more threads/cores your server has, the easier it is to deal with L7 floods.
Remember that enough bandwidth will still bring your site down. If you have a 1Gbit port and someone is generating 1Gbps of L7 traffic, you will go down. If there's enough unique IPs and slow enough packets per second, you will go down.
You can have the best DDoS protection in the world but enough traffic will still bring you down.
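The Nginx rate limiting and connection limiting the post recommends, written out as an added example (this is not the poster's config and not from any project the post mentions). It assumes the site is proxied to a single backend on 127.0.0.1:8080, that clients connect to Nginx directly so $binary_remote_addr is the real client address, and uses example.com as a placeholder name. It goes a bit beyond the post by splitting the limits into a general per-IP bucket and a stricter bucket for an expensive endpoint, and by tightening the slow-client timeouts that matter for L7 floods.

```nginx
# Added example, not from the original post. Assumes one upstream on
# 127.0.0.1:8080 and no CDN/proxy in front (otherwise every request would
# share the proxy's IP and you must use the realip module first).
http {
    # 10 MB zone keyed by client IP (roughly 160k addresses); sustained 10 req/s.
    limit_req_zone $binary_remote_addr zone=per_ip:10m rate=10r/s;
    # Separate, stricter bucket for expensive endpoints (search, login, etc.).
    limit_req_zone $binary_remote_addr zone=expensive:10m rate=1r/s;
    # Tracks concurrent connections per client IP.
    limit_conn_zone $binary_remote_addr zone=conn_per_ip:10m;

    # Answer throttled requests with 429 instead of the default 503, so a
    # flood being rate limited is distinguishable from a dying backend in logs.
    limit_req_status 429;
    limit_conn_status 429;
    limit_req_log_level warn;

    # Drop slow clients early (slowloris-style attacks tie up workers).
    client_header_timeout 10s;
    client_body_timeout 10s;
    send_timeout 10s;
    keepalive_timeout 15s;
    reset_timedout_connection on;

    server {
        listen 80;
        server_name example.com;   # placeholder

        # At most 20 simultaneous connections per client IP.
        limit_conn conn_per_ip 20;

        location / {
            # Up to 20 requests above the 10r/s rate are served immediately;
            # anything beyond that is rejected with 429 rather than queued.
            limit_req zone=per_ip burst=20 nodelay;
            proxy_pass http://127.0.0.1:8080;
        }

        location /search {
            # Expensive endpoint: 1r/s with a burst of 3 that is queued (no
            # nodelay), so excess requests are smoothed instead of hitting the
            # backend at full speed. The general per-IP limit still applies.
            limit_req zone=expensive burst=3;
            limit_req zone=per_ip burst=20 nodelay;
            proxy_pass http://127.0.0.1:8080;
        }
    }
}
```

Check it with `nginx -t` before reloading. The numbers are starting points: watch for 429s in the access log from legitimate users (shared NAT addresses in particular) and raise `rate`/`burst` for them; the point of `burst` with `nodelay` is that normal page loads, which fetch a handful of assets at once, are not throttled while a sustained flood from one address is.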