High performance application-layer DDoS protection for Elixir Phoenix.
- Features
- Setup
- Monitoring
- Local tooling
- Benchmark
- Community
- FAQ
- Next in roadmap
- Later in roadmap
- Contributing
Note You are currently on unreleased branch. Latest stable release documentation is here
- protection: ip safelist_ips - List of ip that bypass all checks
- protection: ip blocklist_ips - List of ip that are always rejected
- protection:
PhoenixDDoS.IpRateLimit- rate limit per ip - protection:
PhoenixDDoS.IpRateLimitPerRequestPath- rate limit per ip per path - protection: log flooding - in case of an attack, prevent application log to explode
- engine: jail system - auto-blocklist ips that triggered a protection for a limited amount of time
- monitoring: telemetry - provide events to your application from phoenix_ddos decisions
- monitoring: sentry - if you use sentry, you can be notified when an ip has been put in jail
- local tools: ddos youself - because it is fun !
phoenix_ddos is a high performance application-layer DDoS protection for Elixir Phoenix.
- Add
:phoenix_ddosto your list of dependencies inmix.exs:
def deps do
[
{:phoenix_ddos, "~> 1.1"},
# Highly recommended, this will makes sure we get the correct remote_ip
{:remote_ip, "~> 1.1"}
]
end- Add the
PhoenixDDoSplug to your app's Endpoint, after the excellent RemoteIp plug (optional but highly recommended !).
defmodule MyApp.Endpoint do
use Phoenix.Endpoint, otp_app: :my_app
# put as high in the order as possible
plug RemoteIp, headers: ["x-forwarded-for"]
plug PhoenixDDoS
# ...
endconfig :phoenix_ddos,
safelist_ips: ["1.2.3.4", "5.6.7.0"],
blocklist_ips: ["11.12.13.0"],
protections: [
# ip rate limit
{PhoenixDDoS.IpRateLimit, allowed: 500, period: {2, :minutes}},
{PhoenixDDoS.IpRateLimit, allowed: 10_000, period: {1, :hour}},
# ip rate limit on specific request_path
{PhoenixDDoS.IpRateLimitPerRequestPath,
request_paths: ["/graphql"], allowed: 20, period: {1, :minute}},
{PhoenixDDoS.IpRateLimitPerRequestPath,
request_paths: [{:post, "/login"}], allowed: 5, period: {30, :seconds}}
]| Type | Option | Default | Description |
|---|---|---|---|
| bool | enabled |
true | set false to disable |
| int | jail_time |
{15, minutes} | time an ip is fully blocked if caught by a protection. set nil to disable thus blocking instead |
| bool | raise_on_reject |
false | raise when we reject a connexion instead of returning an http code error |
| int | http_code_on_reject |
429 | http code returned when we reject a connexion |
| list | protections |
[] | @see Protections examples |
| list | safelist_ips |
[] | bypass all protections ips |
| list | blocklist_ips |
[] | always blocked ips |
| bool | on_jail_alert_to_sentry |
false | notify slack when an ip get jailed |
The configuration is per node you run, rate_limits are not shared (yet), but it gives you the best performance in case of an attack.
- 500 per minute max, if triggered ip will be in jail for 15 minutes
[{PhoenixDDoS.IpRateLimit, allowed: 500, period: {1, :minute}}]- disable jail, ip will be throttle to 500 per minute
[{PhoenixDDoS.IpRateLimit, allowed: 500, period: {1, :minute}, jail_time: nil}]- single route /graphql with a 20 per minute max, if triggered ip will be in jail for 15 minutes
[{PhoenixDDoS.IpRateLimitPerRequestPath,
request_paths: ["/graphql"], allowed: 20, period: {1, :minute}}]- you can also give a phoenix-like path
[{PhoenixDDoS.IpRateLimitPerRequestPath,
request_paths: ["/admin/:id/dashboard"], allowed: 20, period: {1, :minute}}]- you can also specify method
[
{PhoenixDDoS.IpRateLimitPerRequestPath,
request_paths: [{:post, "/login"}, {:post, "/logout"}], allowed: 5, period: {1, :minute}},
{PhoenixDDoS.IpRateLimitPerRequestPath,
request_paths: [{:get, "/login"}], allowed: 100, period: {5, :minute}}
]- multiple route consuming same quota
[{PhoenixDDoS.IpRateLimitPerRequestPath,
request_paths: ["/graphql", "/graphiql"], allowed: 20, shared: true, period: {1, :minute}}]- multiple route consuming independent quota
[{PhoenixDDoS.IpRateLimitPerRequestPath,
request_paths: ["/graphql", "/graphiql"], allowed: 20, period: {1, :minute}}]is equivalent to:
[
{PhoenixDDoS.IpRateLimitPerRequestPath,
request_paths: ["/graphql"], allowed: 20, period: {1, :minute}},
{PhoenixDDoS.IpRateLimitPerRequestPath,
request_paths: ["/graphiql"], allowed: 20, period: {1, :minute}}
]Slack: join elixir-lang and join channel #phoenix_ddos
The best ddos protection is like any protection: you have to have multiple layers of protection, each layer having its own advantage or disadvantage. In that matter, to maximize protection you should use one system per layer.
Also we have to keep in mind that a lot of projects don't have the capability (running in a PaaS like heroku for instance) or the will to have all these systems in place. Since phoenix_ddos is a plug-and-play (pun intended) library with minimum configuration, it is a great value for a minimum of effort.
phoenix_ddos is the application layer, running in the application itself. It advantage is that is knows the inside of the application and its limits and can act on the details, where a cloudflare or a ngnix fail2ban would manage most of the load, but the traffic that still access your application may still kill it, this is then the responsability of phoenix_ddos.
Other layers will protect the entire cluster and phoenix_ddos will protect each phoenix application individually.
Since one phoenix application have its own limits, it is best to have a throttle at this layer.
If the cluster scale up or down (switching to 3 pods or 30 pods), other layers will never adapt their throttle values, but phoenix_ddos will scale its protection gracefully.
In home installation, you have 2 layers of protection doing the exact same thing:
- one differential switch protecting the house globally, with a small sensitivity, this will protect the house from burning if a bad short circuit happen
- several differential switches in the electric switchboard, with high sensitivity, this will protect people from being badly injured in case of a shock. We can note that those switches are
application specializedbecause they are chosen according to the load they have to protect, something the other layer can't manage since it has no idea of the house usage in detail.
- [monitoring] observe tooling, to be able to observe what volume is normal traffic and craft a configuration accordingly
- [feat] ip blocklist/safelist with mask/subnet
- [feat] log central genserver to avoid log spam and create possibility provide aggregated report
- [feat] out of jail system: an attacker ip would go out of jail and will make some damage again before being put in jail, prevent that
- [feat] multi-node
- [path] make a phoenix_ddos_pro with powerful features for companies ? The oban model might be a good path to take !
Create issues on github for any bug or issue.
To contribute on the code, please clone and use following tools:
run tests
mix test
run release code validation
mix ci
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent