H2O

the optimized HTTP/1.x, HTTP/2, HTTP/3 server

Configure > Using DoS Detection

Starting from version 2.1, H2O comes with a mruby script named dos_detector.rb that implements DoS Detection feature. The script provides a Rack handler that detects HTTP flooding attacks based on the client's IP address.

Basic Usage

Below example uses the mruby script to detect DoS attacks. The default detecting strategy is simply counting requests within configured period. If the count exceeds configured threshold, the handler returns a 403 Forbidden response. Otherwise, the handler returns a 399 response, and the request is delegated internally to the next handler.

paths:
  "/":
    mruby.handler: |
      require "dos_detector.rb"
      DoSDetector.new({
        :strategy => DoSDetector::CountingStrategy.new({
          :period     => 10,  # default
          :threshold  => 100, # default
          :ban_period => 300, # default
        }),
      })
    file.dir: /path/to/doc_root

In the example above, the handler countup the requests within 10 seconds for each IP address, and when the count exceeds 100, it returns a 403 Forbidden response for the request and marks the client as "Banned" for 300 seconds. While marked as "Banned", the handler returns a 403 Forbidden to all requests from the same IP address.

Configuring Details

You can pass the following parameters to DoSDetector.new .

• :strategy

  The algorithm to detect DoS attacks. You can write and pass your own strategies if needed. The default strategy is DoSDetector.CountingStrategy which takes the following parameters:

  • :period

    Time window in seconds to count requests. The default value is 10.

  • :threshold

    Threshold count of request. The default value is 100.

  • :ban_period

    Duration in seconds in which "Banned" client continues to be restricted. The default value is 300.

• :callback

  The callback which is called by the handler with detecting result. You can define your own callback to return arbitrary response, set response headers, etc. The default callback returns 403 Forbidden if DoS detected, otherwise delegate the request to the next handler.

• :forwarded

  If set true, the handler uses X-HTTP-Forwarded-For header to get client's IP address if the header exists. The default value is true.

• :cache_size

  The capacity of the LRU cache which preserves client's IP address and associated request count. The default value is 128.

paths:
  "/":
    mruby.handler: |
      require "dos_detector.rb"
      DoSDetector.new({
        :strategy => DoSDetector::CountingStrategy.new,
        :forwarded => false,
        :cache_size => 2048,
        :callback => proc {|env, detected, ip|
          if detected && ! ip.start_with?("192.168.")
            [503, {}, ["Service Unavailable"]]
          else
            [399, {}, []]
          end
        }
      })
    file.dir: /path/to/doc_root

Points to Notice

• For now, counting requests is "per-thread" and not shared between multiple threads.

Copyright © 2015-2023 DeNA Co., Ltd. et al.