Built-in DDoS defence?

[hrstoyanov]

One of the reason to continue using CloudFlare tunnel , is the ability to to shut down distributed-denial-of-service-attack (DDoS), which kamal proxy currently does not help with.

I wonder if it is possible to implement some "good-enough" form of DDoS prevention, as part of this proxy?

The idea is this:

• kamal proxy keeps account of how many request came per remote IP address
• if this account exceeds certain threshold, any further connections from this particular client are denied, for a configured amount of time, after which the client is removed from "the black list" and is allowed again
• there is some background thread that runs periodically and zeros the count per client (IP address).

I can supply some Java code that implements the logic in more detail, if needed.

Once abuse-in-progress is detected, KP can start dening any furtehr incoming connections at the http handler level. And while this is a good start, I think it can be done in a better way (because by the time the request hits the proxy http handler, a lot of damage/waste has already been done - tls negotiation, http protocol translation, etc.).

Therefore, here is a better approach - once DDoS attack is detected (with the above logic) the proxy can raise the shields at the Linux host firewall level, executing these linux commands, for example:

For UFW (uncomplicated fire wall):

      # deny
      sudo ufw deny from  XXXXX

      # allow back 
      sudo ufw allow from XXXX

For IPTABLE:

      # deny
      sudo iptables -A INPUT -s   -j DROP XXXXXX

      # allow back
      sudo iptables -A INPUT -s   -j ACCEPT XXXXXX

If the Kamal proxy runs inside a docker container, rather than using docker sockets API, the proxy can simply do SSH from inside the container to the host and execute the firewall commands there.

I have some Java code that implements the above logic, but only at the http handler level (for now)