A Anti-DDoS script to protect Nginx web servers using Lua with a Javascript based authentication puzzle inspired by Cloudflare I am under attack mode I built my own Anti-DDoS authentication HTML page puzzle intergrating my Lua, Javascript, HTML and HTTP knowledge.
Mitigate a DDoS attack of any size using my free DDoS protection. Don't get ddos attacked!
If you're under attack and use my script during the attack, visitors will receive an interstitial page for about five seconds while I analyze the traffic to make sure it is a legitimate human visitor.
This can protect you from many different forms of DDoS works with both HTTP and HTTPS / SSL traffic.
No limit on attack size
Uptime guarantee
100% asynchronous nonblocking I/O
Features :
These are some of the features I built into the script so far.
Security
Limit IP requests / Flooding
Ability to use Remote servers for Anti-DDoS data/key storage
Ability to use redis cache server for anti-ddos protection
Ability to use memcached server for anti-ddos protection
Automatically turn on Under Attack mode if DDoS detected
I am Under Attack Mode (DDoS Authentication HTML Page)
IP Address Whitelist
IP Subnet Ranges Whitelist
IP Address Blacklist
IP Subnet Ranges Blacklist
User-Agent Whitelist
User-Agent Blacklist
Protected area / Restricted access field username / password box to restrict access to sites / paths.
Enable or disable logging of users who either fail or succeed solving the authentication puzzle. (Fail2Ban users can use this to ban bots AI tools and IP addresses from the log file)
Range header filtering Most download / Video streaming sites and services use range headers this allows you to filter and block slowhttp / slowloris attack types
WAF (Web Application Firewall)
IPv4 and IPv6 blocking and whitelisting including subnet ranges.
User-Agent blocking and whitelisting to block bad bots and exploits / scanners.
Ability to inspect POST Data / Fields and block malicious POST requests / exploits.
Ability to inspect URL for malicious content SQL/SQI Injections XSS attacks / exploits.
Ability to inspect query strings and arguements for malicious content / exploits.
Ability to inspect all Request Headers provided by the client connecting.
Ability to inspect cookies for exploits.
Caching Speed and Performance
Webpage Caching Ability/Feature to Cache webpages and Bypass Cache based on cookies or URL's
Webpage Caching Ability/Feature to Cache only when Cookies or URL's exist
Webpage Caching Ability/Feature to Cache only if page size is Larger than or Smaller than a certain size
Query String Sorting
Query String Whitelist
Query String Removal (It is a blacklist but it will just drop / remove the argument from the URL not block the request)
Minification / Compression of files removing white space and nulled out code / lines JS JavaScript, CSS Stylesheets, HTML etc
Ability to use Redis as a cache storage soloution
Ability to use Memcached as a cache storage soloution
Ability to use lrucache as a cache storage soloution
Ability to use shared.DICT memory as a cache storage soloution
Support for Additional services
Supports Tor services .Tor
Supports Lokinet services .Loki
Supports Ethereum name services .ENS
Supports The invisible internet project .i2p
Supports Freenet
Supports IPFS inter planetary file system
Supports IPNS inter planetary name system
Supports SWARM network
Supports Radicale
Supports any port matches node or hidden service that nginx is protecting
Supports zeronet
Customization of error pages responses and webpage outputs
Custom error page interception to replace with your own error pages
Hide Web application errors such as PHP errorrs MySQL errors it will intercept them and display a custom error page instead of showing visitors sensative information
Modify webpage outputs to replace contents on pages / files
Information :
If you have any bugs issues or problems just post a Issue request.
Add this to your HTTP block or it can be in a server or location block depending where you want this script to run for individual locations the entire server or every single website on the server.
lua_shared_dict antiddos 70m; #Anti-DDoS shared memory zone to track requests per each unique user
access_by_lua_file anti_ddos_challenge.lua;
Example nginx.conf :
This will run for all websites on the nginx server
http {
#shared memory addresses in http block
lua_shared_dict antiddos 70m; #Anti-DDoS shared memory zone to track requests per each unique user
#nginx config settings etc
access_by_lua_file anti_ddos_challenge.lua;
#more config settings and some server stuff
}
This will make it run for this website only
http {
#shared memory addresses in http block
lua_shared_dict antiddos 70m; #Anti-DDoS shared memory zone to track requests per each unique user
}
server {
#nginx config settings etc
access_by_lua_file anti_ddos_challenge.lua;
#more config settings and some server stuff
}
This will run in this location block only
http {
#shared memory addresses in http block
lua_shared_dict antiddos 70m; #Anti-DDoS shared memory zone to track requests per each unique user
}
location / {
#nginx config settings etc
access_by_lua_file anti_ddos_challenge.lua;
#more config settings and some server stuff
}
I was inspired to create this because of Cloudflare feature "I'm Under Attack Mode" https://www.cloudflare.com/
There are similar sites and services like BitMitigate but I prefer my own script over their methods.
If you're under attack and have this feature enabled during the attack, visitors will receive an interstitial page for about five seconds while we analyze the traffic to make sure it is a legitimate human visitor.
Advanced DDoS Attack Protection
Unmetered DDoS mitigation to maintain performance and availability
Denial of Service attacks continue to grow in sophistication and force: more distributed, greater volumes of traffic, and encroaching on the application layer.
A successful attack increases unnecessary costs on your infrastructure and IT/security staff. More importantly, it hurts your revenue, customer satisfaction, and brand.
To combat attacks and stay online, you’ll need a solution that’s resilient scalable, and intelligent.
Mitigate a DDoS attack of any size or duration, Don't get ddos attacked!
I love that feature so much ontop of having it enabled on all my Cloudflare proxied sites I decided to make it into a feature on my own servers so the traffic that hits my servers without coming from Cloudflares network is kept in check and authenticated! (Every little helps right!)
Thank you to @Cloudflare for the inspiration and your community for all the love, A big thanks to the @openresty community you guys rock Lua rocks you are all so awesome!
Lets build a better internet together! Where Speed, Privacy, Security and Compression matter!
All Layer 7 Attacks
Mitigating Historic Attacks
DoS
DoS Implications
DDoS
All Brute Force Attacks
Zero day exploits
Social Engineering
Rainbow Tables
Password Cracking Tools
Password Lists
Dictionary Attacks
Time Delay
Any Hosting Provider
Any CMS or Custom Website
Unlimited Attempt Frequency
Search Attacks
HTTP Basic Authentication
HTTP Digest Authentication
HTML Form Based Authentication
Mask Attacks
Rule-Based Search Attacks
Combinator Attacks
Botnet Attacks
Unauthorized IPs
IP Whitelisting
Bruter
THC Hydra
John the Ripper
Brutus
Ophcrack
unauthorized logins
Injection
Broken Authentication and Session Management
Sensitive Data Exposure
XML External Entities (XXE)
Broken Access Control
Security Misconfiguration
Cross-Site Scripting (XSS)
Insecure Deserialization
Using Components with Known Vulnerabilities
Insufficient Logging & Monitoring
And many others…
Features :
Advanced DDoS Attack Protection
My script gives you Unmetered DDoS mitigation to maintain performance and availability for free
Denial of Service attacks continue to grow in sophistication and force: more distributed, greater volumes of traffic, and encroaching on the application layer.
A successful attack increases unnecessary costs on your infrastructure and IT/security staff. More importantly, it hurts your revenue, customer satisfaction, and brand.
To combat attacks and stay online, you’ll need a solution that’s resilient scalable, and intelligent.
Common Types of DDoS Attacks
Block Malicious Bot Abuse
Block abusive bots from damaging Internet properties through content scraping, fraudulent checkout, and account takeover.
Prevent Customer Data Breach
Prevent attackers from compromising sensitive customer data, such as user credentials, credit card information, and other personally identifiable information.
Layered Security Defense
layered security approach combines multiple DDoS mitigation capabilities into one service. It prevents disruptions caused by bad traffic, while allowing good traffic through, keeping websites, applications and APIs highly available and performant.
HTTP Flood (Layer 7)
HTTP flood attacks generate high volumes of HTTP, GET, or POST requests from multiple sources, targeting the application layer, causing service degradation or unavailability.
A Anti-DDoS script to protect Nginx web servers using Lua with a Javascript based authentication puzzle inspired by Cloudflare I am under attack mode I built my own Anti-DDoS authentication HTML page puzzle intergrating my Lua, Javascript, HTML and HTTP knowledge.
This is my custom configuration from C0nw0nk's Nginx Anti DDoS Script (https://github.com/C0nw0nk/Nginx-Lua-Anti-DDoS). It gives a PoW (Proof of Work) JS authentication puzzle to the browser, which the client has to solve. Once a user successfully solves the challenge, they are given an authentication cookie to access the website.