Handling a Layer-7 HTTP DDoS attack

  1. Load balancer hit by a huge number of HTTP requests

  2. Checked the Nginx access log and found that most of the requests:

    • are searches, e.g. /product/?search=[random string]. This is a clever trick: a search with a random query string always bypasses the cache and is heavier to serve than listing or viewing product details

    • come from all different source IPs, confirming this is a distributed DoS rather than a single-IP DoS, so the IP-blocking trick will not work here

  3. The lowest-cost way to handle such an attack is with Cloudflare. Fortunately we already had Cloudflare set up, and they even sent us a DDoS attack alert email:

    1. The rest is simple: since all the attack traffic is looking for search, and most of our users are from Singapore, we just need to add a WAF rule with Managed Challenge for requests that:

      • are not from Singapore

      • contain /product/?search= in the URL

      Managed Challenge rather than Block means a real user outside Singapore can still search after passing the challenge, while the bots behind the flood cannot.

    2. And the load balancer sees no more DDoS traffic (this holds as long as the origin only accepts traffic that comes through Cloudflare; if the load balancer is reachable directly, the attacker can simply skip the WAF rule):
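As an added example (not from the original post), the following Python script runs the two checks from step 2 over a handful of constructed Nginx access-log lines, and models the WAF rule from step 3 as a function so the match logic can be tested offline. The log lines, IP addresses and search strings are made up; the Cloudflare rule expression quoted in the comment is my rendering of the rule described above, not copied from the post or from Cloudflare's dashboard.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Nginx "combined" log format; not real traffic.
# The first six mimic the attack (random search string, each from a new IP),
# the last two are ordinary product listing / detail requests from one user.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2024:10:00:01 +0800] "GET /product/?search=qz8x1v HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Mar/2024:10:00:01 +0800] "GET /product/?search=lm3kd0 HTTP/1.1" 200 5098 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:10:00:02 +0800] "GET /product/?search=a9fjw2 HTTP/1.1" 200 5100 "-" "Mozilla/5.0"
198.51.100.8 - - [12/Mar/2024:10:00:02 +0800] "GET /product/?search=p0o9i8 HTTP/1.1" 200 5131 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Mar/2024:10:00:03 +0800] "GET /product/?search=ue7r6t HTTP/1.1" 200 5077 "-" "Mozilla/5.0"
192.0.2.56 - - [12/Mar/2024:10:00:03 +0800] "GET /product/?search=xc4v5b HTTP/1.1" 200 5090 "-" "Mozilla/5.0"
192.0.2.20 - - [12/Mar/2024:10:00:04 +0800] "GET /product/123/ HTTP/1.1" 200 8210 "-" "Mozilla/5.0"
192.0.2.20 - - [12/Mar/2024:10:00:05 +0800] "GET /product/ HTTP/1.1" 200 12044 "-" "Mozilla/5.0"
"""

# Nginx combined format:
#   $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\d+)'
)

# URL prefix the post identifies as the attack pattern.
SEARCH_PREFIX = "/product/?search="


def parse_access_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["is_search"] = rec["target"].startswith(SEARCH_PREFIX)
        query = parse_qs(urlsplit(rec["target"]).query)
        rec["search_term"] = query.get("search", [None])[0]
        records.append(rec)
    return records


def summarize(records):
    """The two signals from step 2: how much traffic is cache-busting search,
    and how widely it is spread across source IPs."""
    search = [r for r in records if r["is_search"]]
    per_ip = Counter(r["ip"] for r in records)
    return {
        "total": len(records),
        "search_requests": len(search),
        "search_share": len(search) / len(records) if records else 0.0,
        "distinct_ips": len(per_ip),
        "max_requests_per_ip": max(per_ip.values(), default=0),
        "distinct_search_ips": len({r["ip"] for r in search}),
        "distinct_search_terms": len({r["search_term"] for r in search}),
    }


def would_challenge(country, target):
    """Model of the WAF rule from step 3: Managed Challenge when the request is
    NOT from Singapore AND its URL contains /product/?search=.

    Assumed Cloudflare rule expression (my rendering, not from the post):
      (ip.src.country ne "SG" and http.request.uri contains "/product/?search=")
    """
    return country != "SG" and SEARCH_PREFIX in target


if __name__ == "__main__":
    stats = summarize(parse_access_log(SAMPLE_LOG))
    for key, value in stats.items():
        print(f"{key}: {value}")
    # Every search request from a different IP: per-IP blocking buys nothing.
    print("one IP per search request:",
          stats["distinct_search_ips"] == stats["search_requests"])
    print("challenge US search:", would_challenge("US", "/product/?search=abc"))
    print("challenge SG search:", would_challenge("SG", "/product/?search=abc"))
```

The `distinct_search_ips == search_requests` check is the quantitative form of the "source IPs are all different" observation, and `distinct_search_terms == search_requests` confirms the random query strings that defeat the cache. `would_challenge` is only a model for reasoning about who gets challenged; it does not talk to Cloudflare.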

Of course, we could also use AWS WAF and create similar rules in a Web ACL to do the filtering at low cost:

But since Cloudflare generously offers the service for $0 and it is simple to deploy, no cost beats low cost in this case. :)