https://blog.xpdbk.com/en/tags/website-protection/Recent content in Website Protection on LEl_FENG BlogHugo -- gohugo.ioenLEl_FENG CopyrightTue, 29 Aug 2023 13:58:11 +0700https://blog.xpdbk.com/en/posts/ddos-blog-1/Tue, 29 Aug 2023 13:58:11 +0700https://blog.xpdbk.com/en/posts/ddos-blog-1/<blockquote> <p><strong>TL;DR / Geek Summary:</strong></p> <ul> <li>Threat Intel: Sustained 4-day malicious DDoS/CC assault consuming 75GB+ bandwidth in hours.</li> <li>Attack Vector: Mirror link injection via shortcode service and volumetric HTTP floods.</li> <li>Mitigation: Deployed Cloudflare CDN (Orange Cloud) and WAF firewall rules to neutralize traffic.</li> </ul> </blockquote> <h2 id="introduction"> <a href="#introduction" class="heading-anchor" aria-label="Anchor for Introduction">#</a> Introduction </h2> <p>Because I originally built my blog using <code>wordpress</code>, I am very familiar with DDoS and CC attacks and have always paid close attention to them. Later on, I successively tried dynamic frameworks like <code>typecho</code> and <code>Halo</code>, then moved from <code>jekyll</code> to <code>Hexo</code>, before finally settling on <code>Hugo</code>, a static blog framework. After that, I stopped worrying about server and DDoS protection issues and remained in a completely worry-free state. That is, until a certain <code>person</code> recently launched a malicious 4-day attack on my website, which forced me to take DDoS and CC protection seriously again.</p> <h2 id="how-it-started"> <a href="#how-it-started" class="heading-anchor" aria-label="Anchor for How It Started">#</a> How It Started </h2> <p>Around 11 PM, while I was scrolling through my phone, an email arrived telling me my website had already used <code>75GB</code> of bandwidth. I thought to myself: what on earth used up so much bandwidth?</p> <p><img src="https://blog.xpdbk.com/en/posts/ddos-blog-1/2.webp" width="697" height="427" srcset="https://blog.xpdbk.com/en/posts/ddos-blog-1/2_hu61035c777cd25ad0569fb020cc1e0b45_18466_480x0_resize_q75_h2_box_2.webp 480w, https://blog.xpdbk.com/en/posts/ddos-blog-1/2_hu61035c777cd25ad0569fb020cc1e0b45_18466_1024x0_resize_q75_h2_box_2.webp 1024w" loading="lazy" alt="Email Alert" class="gallery-image" data-flex-grow="163" data-flex-basis="391px" > <img src="https://blog.xpdbk.com/en/posts/ddos-blog-1/3.webp" width="912" height="491" srcset="https://blog.xpdbk.com/en/posts/ddos-blog-1/3_hu7af1aaf68db1dc93fc049848a022485f_14362_480x0_resize_q75_h2_box_2.webp 480w, https://blog.xpdbk.com/en/posts/ddos-blog-1/3_hu7af1aaf68db1dc93fc049848a022485f_14362_1024x0_resize_q75_h2_box_2.webp 1024w" loading="lazy" alt="Bandwidth Exceeded 1" class="gallery-image" data-flex-grow="185" data-flex-basis="445px" ></p> <p>Then I clicked in to take a look, and it literally gave me a jump scare.</p> <p><img src="https://blog.xpdbk.com/en/posts/ddos-blog-1/3123.webp" width="923" height="493" srcset="https://blog.xpdbk.com/en/posts/ddos-blog-1/3123_hu0123f6b66a6ab32b027fa7fb52d57284_28416_480x0_resize_q75_h2_box_2.webp 480w, https://blog.xpdbk.com/en/posts/ddos-blog-1/3123_hu0123f6b66a6ab32b027fa7fb52d57284_28416_1024x0_resize_q75_h2_box_2.webp 1024w" loading="lazy" alt="Bandwidth Exceeded 2" class="gallery-image" data-flex-grow="187" data-flex-basis="449px" ></p> <p>If I ignored this, my site would definitely be forced to shut down. And once it&rsquo;s shut down, I would lose all my search engine indexing.</p> <h2 id="interlude"> <a href="#interlude" class="heading-anchor" aria-label="Anchor for Interlude">#</a> Interlude </h2> <p>This attacker also stuffed a ton of gray-market (illicit) links into my URL shortening service. However, thanks to my HTML modifications to hide the input form, visiting <code>https://l.xpdbk.com</code> doesn&rsquo;t allow anyone to add links; only I can add them from the backend. I originally intended to make the service available for public use, but because people like this exist, I had no choice but to make it private.</p> <p><img src="https://blog.xpdbk.com/en/posts/ddos-blog-1/42434234.webp" width="1017" height="563" srcset="https://blog.xpdbk.com/en/posts/ddos-blog-1/42434234_hud03e8a81990fb7f7046ae308445b0da1_23936_480x0_resize_q75_h2_box_2.webp 480w, https://blog.xpdbk.com/en/posts/ddos-blog-1/42434234_hud03e8a81990fb7f7046ae308445b0da1_23936_1024x0_resize_q75_h2_box_2.webp 1024w" loading="lazy" alt="Short Link Bandwidth Exceeded" class="gallery-image" data-flex-grow="180" data-flex-basis="433px" > <img src="https://blog.xpdbk.com/en/posts/ddos-blog-1/4234234.webp" width="1001" height="380" srcset="https://blog.xpdbk.com/en/posts/ddos-blog-1/4234234_hu6063fff67e2df29716fcd8bcb1ea4618_7504_480x0_resize_q75_h2_box_2.webp 480w, https://blog.xpdbk.com/en/posts/ddos-blog-1/4234234_hu6063fff67e2df29716fcd8bcb1ea4618_7504_1024x0_resize_q75_h2_box_2.webp 1024w" loading="lazy" alt="Short Link Repository" class="gallery-image" data-flex-grow="263" data-flex-basis="632px" > <img src="https://blog.xpdbk.com/en/posts/ddos-blog-1/25t24t.webp" width="563" height="470" srcset="https://blog.xpdbk.com/en/posts/ddos-blog-1/25t24t_hue9bc7f51fd3d7e9ef89e1c8ccfd6cfda_24712_480x0_resize_q75_h2_box_2.webp 480w, https://blog.xpdbk.com/en/posts/ddos-blog-1/25t24t_hue9bc7f51fd3d7e9ef89e1c8ccfd6cfda_24712_1024x0_resize_q75_h2_box_2.webp 1024w" loading="lazy" alt="Short Link Edit Interface" class="gallery-image" data-flex-grow="119" data-flex-basis="287px" ></p> <h2 id="taking-action"> <a href="#taking-action" class="heading-anchor" aria-label="Anchor for Taking Action">#</a> Taking Action </h2> <p>I quickly rushed to enable <code>CF CDN</code>. I hadn&rsquo;t turned on the little orange cloud for Cloudflare CDN before because I wanted to accommodate loading speeds for users in China. Blocked by the WAF firewall, all of the attacker&rsquo;s traffic was successfully mitigated.</p> <p><img src="https://blog.xpdbk.com/en/posts/ddos-blog-1/53535.webp" width="995" height="334" srcset="https://blog.xpdbk.com/en/posts/ddos-blog-1/53535_hueedac4e5686c85387a92fd68a787b89e_19228_480x0_resize_q75_h2_box_2.webp 480w, https://blog.xpdbk.com/en/posts/ddos-blog-1/53535_hueedac4e5686c85387a92fd68a787b89e_19228_1024x0_resize_q75_h2_box_2.webp 1024w" loading="lazy" alt="WAF Firewall" class="gallery-image" data-flex-grow="297" data-flex-basis="714px" > <img src="https://blog.xpdbk.com/en/posts/ddos-blog-1/5353a5.webp" width="1000" height="220" srcset="https://blog.xpdbk.com/en/posts/ddos-blog-1/5353a5_hu6e4094afa2e8a5b0820c993b1cd0bbc8_9372_480x0_resize_q75_h2_box_2.webp 480w, https://blog.xpdbk.com/en/posts/ddos-blog-1/5353a5_hu6e4094afa2e8a5b0820c993b1cd0bbc8_9372_1024x0_resize_q75_h2_box_2.webp 1024w" loading="lazy" alt="WAF Firewall 2" class="gallery-image" data-flex-grow="454" data-flex-basis="1090px" ></p> <h2 id="conclusion"> <a href="#conclusion" class="heading-anchor" aria-label="Anchor for Conclusion">#</a> Conclusion </h2> <p>All the malicious traffic was completely neutralized.</p> <p><img src="https://blog.xpdbk.com/en/posts/ddos-blog-1/434324234.webp" width="1020" height="587" srcset="https://blog.xpdbk.com/en/posts/ddos-blog-1/434324234_hu84ca457604e8b561332131fc2dee4026_38880_480x0_resize_q75_h2_box_2.webp 480w, https://blog.xpdbk.com/en/posts/ddos-blog-1/434324234_hu84ca457604e8b561332131fc2dee4026_38880_1024x0_resize_q75_h2_box_2.webp 1024w" loading="lazy" alt="Total Traffic" class="gallery-image" data-flex-grow="173" data-flex-basis="417px" ></p> <p>A word of advice for the attacker: In this world, you can&rsquo;t get something for nothing.</p>