Fastly: configuration options that are effective against DDoS attacks
CDN_SKY
2022. 10. 20. 10:55
For many website operators, security is one of the biggest concerns, and in an era where threats against websites have become routine, one of the most common threats is the DDoS attack. A DDoS attack paralyzes a web service by sending, simultaneously and from many sources, a volume of requests that the website cannot handle. CDN users want to know how to prepare before their service is hit by a DDoS attack, and here we want to show which Fastly features can be used to defend against one. I am personally studying English, so I wrote this briefly in English.
1. Geolocation blocking with VCL
If you provide your services only to specific countries, or when you encounter a DDoS attack and you know the attacker's IPs and they are not located in your service areas, we recommend blocking by country geolocation code. The IPs located in the countries on your list will then be blocked.
- Sample code
- GeoIP_block_by_Countries -1
- Countries that are not listed in the Edge Dictionary will be blocked.
- Only the countries that are listed in the Edge Dictionary will be passed.
- GeoIP_block_by_Countries -2
- Only the countries whose value in the Edge Dictionary is "block" will be blocked.
- If you want to unblock a country, change its value to "unblock".
2. Using ACL blocking or allowing specific IPs or IP ranges
If you want to block a specific IP address or IP range, you can block it with ACL.
- Sample code
- If the client IP is not included in the ACL, the request will be blocked.
3. Using the edge rate-limiting
- The Fastly rate limiting is designed to help you control the rate of requests sent to your origin servers. The feature allows you to count client requests and optionally penalize clients for exceeding rate limits you set.
- Before you use it, please, read the Limitations and caveats and the Security products note.
- You can configure it through the Fastly UI or write it in VCL.
- Sample code
4. Blocking malicious User-Agent by VCL
- If you want to block a malicious UA, you can block it with VCL. Please refer to the sample code below.
- Sample code:
- Blocking_malicious_User_Agent
- It blocks any client whose User-Agent includes the keyword in the VCL. You can use a regex in the statement to match specific UAs.
- UA hash block with Edge dictionaries
- When you want to handle a UA longer than 255 characters with Edge Dictionaries, please refer to the code above. (Edge Dictionary keys are limited to 255 characters.)
5. Using “tls.client.ja3_md5”
- Usually, attackers change the UA or the IPs as soon as they are blocked, so it is very difficult to mitigate a DDoS attack while the attacker keeps changing them. This variable holds the JA3 fingerprint, and even if they change the UA and IP, the JA3 fingerprint stays the same. So if you log it and block it for the malicious client, your site can be protected when a DDoS attack happens.
- Sample code: Tls.client.ja3_md5_block
- Only the ja3_md5 fingerprints whose value in the Edge Dictionary is "block" will be blocked.
- If you want to unblock a fingerprint, change its value to "unblock".
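The following is an added example written for this post, not the sample code shown in the original screenshots, and it covers both the hashed User-Agent block from section 4 and the JA3 block from section 5. The dictionary names ja3_block_list and ua_hash_block_list, and the X-JA3 and X-UA-Hash headers kept for logging, are assumptions; both dictionaries use the "block" / "unblock" value convention described above.

```vcl
# Edge Dictionaries are declared as tables in VCL. Both names are assumptions.
table ja3_block_list {}      # key: JA3 MD5 fingerprint, value: "block" or "unblock"
table ua_hash_block_list {}  # key: md5(User-Agent),     value: "block" or "unblock"

sub vcl_recv {
#FASTLY recv

  # Only evaluate on the edge node that terminated the client's TLS session.
  # On a shield node (Fastly-FF is set) tls.client.* describes the edge, not the client.
  if (!req.http.Fastly-FF) {

    # 1. JA3 fingerprint of the TLS ClientHello. It is empty on plain HTTP,
    #    so guard with req.is_ssl. The header is kept so the value can be logged
    #    first and added to the dictionary once a client is confirmed malicious.
    if (req.is_ssl) {
      set req.http.X-JA3 = tls.client.ja3_md5;
      if (table.lookup(ja3_block_list, req.http.X-JA3, "unblock") == "block") {
        error 403 "Forbidden";
      }
    }

    # 2. User-Agent block keyed by its MD5 hash, so a UA longer than the
    #    255-character dictionary key limit can still be listed.
    if (req.http.User-Agent) {
      set req.http.X-UA-Hash = digest.hash_md5(req.http.User-Agent);
      if (table.lookup(ua_hash_block_list, req.http.X-UA-Hash, "unblock") == "block") {
        error 403 "Forbidden";
      }
    }
  }

  return(lookup);
}

sub vcl_error {
#FASTLY error
  # Short synthetic response for blocked clients; no origin request is made.
  if (obj.status == 403) {
    set obj.http.Content-Type = "text/plain";
    synthetic "Forbidden";
    return(deliver);
  }
}
```

To populate ja3_block_list, ship X-JA3 to your log endpoint first and add only fingerprints that repeatedly appear in attack traffic, since a value that also matches common browsers would block legitimate users.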