CloudFlare as a DOS mitigation / Traffic Scrubbing solution. AKA “The Internet is still The Wild West”

So here we are, almost two years later with another blog post. I didn’t intend for it to take two years but what can you do. I’ve noticed I get quite a bit of traffic to my now ancient Varnish post. While it does contain some good (although basic) information about Varnish, a lot of things have changed (and remained the same) on the Internet in the time since I wrote about it. DDOS attacks are becoming more common and more powerful than ever before, as are probes and hack attempts from zombies, script kiddies, botnets and so on. In my role as a sysadmin I see these things on a daily, even hourly basis: probes for open web proxies, open mail servers, bots using search engines to find and exploit old unpatched installs of scripts like Joomla and WordPress, brute force attacks against all types of services (FTP, MTAs, MDAs, etc.). If you have a website somewhere I am willing to bet it’s faced at least one of these scenarios on more than one occasion. If you have a website somewhere and you run a publicly available script and you don’t keep it up to date, I am also willing to bet it’s even been compromised at some point.

For the most part a lot of these “attacks” are more of an annoyance than anything.  I don’t think I’ve ever witnessed a brute force attack actually succeed, but I have seen countless scripts get compromised because they weren’t kept up to date.  Really the only solution there is to either keep your scripts up to date, or if you don’t have the time or capacity to do so, disconnect the server from the internet.  I’m not even joking. 🙂

When I wrote about Varnish, it was my tool of choice for dealing with sites having issues with their traffic volume, be it a DOS or a legitimate increase in traffic. It’s still in the toolbox, but I’ve found in many situations that using CloudFlare is a better choice. Varnish is a server side solution, meaning it has to be installed and configured on a server before it can be used. If you are running it alongside a standard web service you also need to reconfigure the ports the services listen on. This isn’t always practical because not everybody has a dedicated server or a VPS, so it may not even be an option at all.

CloudFlare is a third party service that is DNS based, meaning the use of their service is controlled through your domain’s DNS. This can be accomplished through CloudFlare directly (by signing up with them) or through one of their hosting partners. I’ve been working on integrating their hosting partner API at AmeriNOC so that we can provide seamless CloudFlare integration to our clients, which is why it’s my topic today. 🙂

So what exactly does CloudFlare do? It’s essentially a caching proxy service that includes security features designed to stop malicious traffic from ever reaching your server. It can also do some performance tuning on your site by running optimizations on your code, and it serves up your site via their CDN, which in theory will serve your site to your visitors from whichever datacenter is closest to them. They offer a number of other features as well, but I’m not here to sell you a CloudFlare account, so I will leave it to you to browse their site if you want to see what other options they have available. 🙂 For my intents and purposes their free account is sufficient.

Setting up CloudFlare is an almost ridiculously simple procedure. If you want to sign up on your own, it’s a matter of registering on their site and pointing your nameservers at them. Their control panel guides you through every step so it’s a very trivial procedure. Alternatively, if you are with a host who happens to be a CloudFlare partner, it’s just a matter of enabling CloudFlare with them. It’s all still done through DNS, but the DNS is kept host side and not transferred over to CloudFlare. Either option in my estimation is within the grasp of most average webmasters.

So what happens now that your site is in CloudFlare? Well, that depends on what was happening to your site before. I will use a real life example to illustrate. We have a client who has been taking collateral damage from a Pushdo variant for several months now. Pushdo is a malicious botnet and one of its “neat little features” is that when the bots contact the command and control server, they spew a ton of crap traffic at innocent sites like our client’s in an attempt to disguise the actual destination. As a result the client’s site receives an insane amount of traffic from these bots to multiple services (HTTP and SMTP) on their server. We’re talking hundreds of thousands of bots. For a time I was using ipfw tables to block them, and the table was over three hundred thousand IPs after a few days of this. That solution was obviously not going to work because every day there are more of these bots, so the firewall table was just getting bigger and bigger. Enter CloudFlare.

I set the domain up in CloudFlare, removed the firewall table and noticed a dramatic drop in the amount of bot traffic getting in. Some of it was still getting through, but CloudFlare tracks IPs and scores them, so with some tuning we were able to pretty much eliminate the server side impact of this botnet. This was done with a basic (free) CloudFlare account; the site is still online, still running through CloudFlare, still being hammered by the botnet, and CloudFlare is taking it all like a champ. And that’s more or less what got me into the CloudFlare fan club. It’s a time and resource saver, and it’s easy enough that most webmasters would be able to get it set up on their own, or at least with minimal intervention from the host.
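To show why the firewall-table approach above does not scale, here is an added example (my own illustration, not code from the original post): a small detector that reads combined-format web log lines, flags IPs that exceed a hit threshold, renders the ipfw table commands that would block them, and tracks how the table size grows day over day. The log lines, IP addresses and threshold are all constructed sample values.

```python
import re
from collections import Counter

# Combined log format: client IP, ident, user, [timestamp], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)

# Hypothetical threshold: more than this many hits from one IP in a day is "bot-like".
THRESHOLD = 3


def offenders(lines, threshold=THRESHOLD):
    """Return the set of client IPs with more than `threshold` requests in `lines`."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m:  # silently skip lines that are not in combined format
            counts[m.group("ip")] += 1
    return {ip for ip, n in counts.items() if n > threshold}


def ipfw_commands(ips, table=1):
    """Render FreeBSD ipfw table-add commands as strings (nothing is executed here)."""
    return [f"ipfw table {table} add {ip}" for ip in sorted(ips)]


def table_growth(days, threshold=THRESHOLD):
    """Feed one day of log lines at a time into a never-pruned block table and
    return its cumulative size after each day; new bots keep appearing, so it only grows."""
    table, sizes = set(), []
    for lines in days:
        table |= offenders(lines, threshold)
        sizes.append(len(table))
    return sizes


def sample_day(bot_ips, legit_ips, hits_per_bot=20):
    """Constructed sample traffic: each bot hammers the site, each legit visitor hits once."""
    fmt = '{ip} - - [10/Oct/2014:13:55:36 -0400] "GET / HTTP/1.1" 200 2326'
    lines = [fmt.format(ip=ip) for ip in bot_ips for _ in range(hits_per_bot)]
    return lines + [fmt.format(ip=ip) for ip in legit_ips]


# Three constructed days: the same bot sometimes returns, but new ones always show up.
DAYS = [
    sample_day(["203.0.113.5", "203.0.113.6"], ["198.51.100.10"]),
    sample_day(["203.0.113.7", "203.0.113.8", "203.0.113.9"], ["198.51.100.10"]),
    sample_day(["203.0.113.5", "203.0.113.20"], ["198.51.100.11"]),
]

if __name__ == "__main__":
    print("\n".join(ipfw_commands(offenders(DAYS[0]))))
    print("table size per day:", table_growth(DAYS))
```

Piping real log files through this would make the growth obvious within a few days, which is exactly the point where pushing the filtering out to a proxy in front of the server starts to make sense.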

There are of course some downsides to using their service. Your weblogs become slightly less useful, as CloudFlare won’t send hits to your site if something is in its cache, and you won’t have access to your traffic statistics in real time unless you go for their paid service or have some type of alternative tracker/analytics on your site. But if your site is getting its ass kicked by something or someone, I think those tradeoffs are pretty fair if you don’t have an extra twenty bucks kicking around for their premium account. 🙂

Thanks for taking the time to check out my site again.  I might make another post before 2015, so please check back again soon. 😉