DDOS protection

[ambertch]

Rate limiting of external requests or some other form of DOS/DDOS protection for IPFS gateways and full nodes

[ambertch]

https://blog.cloudflare.com/meet-gatebot-a-bot-that-allows-us-to-sleep/

Techniques Cloudflare uses:

• "scattering": moving a domain name between IP addresses (attacker has to update IP)
• dropping packets using IPTables (linux firewall): max number of connections, max number of packets can configured. they report the linux kernel can handle up to 1M packets/sec, and with kernel bypass packets can be handled at the NIC itself.
• layer 7: disabling HTTP Keep-alives forces an attacker to re-establish the TCP connection per packet send, which rate limits them. Rate limits can also be put in place that will present a javascript captcha.

According to Amazon, AWS has a product called Shield, of which the standard version is automatically enabled for customers using DNS, load balancing, or CDN services (Route53, ELB, Cloudfront) https://aws.amazon.com/shield/tiers/ - the protection the free tier provides looks to be similar to what Cloudflare describes as the on-machine measures (with an advanced tier providing routing and DNS level protection)

[franckc]

Couple thoughts:

• Looks like Heroku provides some basic protection by default: https://www.heroku.com/policy/security#ddos
• In addition to our IPFS gateway, we should also make sure the bridge-server is protected. One of the measure we could use for that is implementing rate limiting by API route. Perhaps this library could be an option we consider: http://flask-limiter.readthedocs.io/en/stable/