On 11/08/2018 14:48, Patrick Hemmer wrote:


[snipp]

To answer one of the earlier questions, I do plan on writing a blog
article yes. The question is when. I'm considering backporting this
feature to 1.8 for my own use at work, and if done, might wait for that
so I have some real world usage to comment on.

That sounds very good. Due to the fact that this is a new feature I'm
not sure if it will be back ported. It's not my decision but I think
this would be a nice feature in 1.8 also.

Willy's example use cases were spot on. But to add the use case which
triggered me to write this code: The intent is more for layer 7 DOS
mitigation. It's really hard to correctly identify bots vs real users.
You can usually get it right, but mis-identification is very easy. So
the idea here is that we would add a score to incoming requests based on
things like the user having a cookie, are they a registered user,
request rate, etc. Similar to how email spam filters work. Each one of
these things would increment or decrement the score, and then they would
be queued based on the result. Then when we do have a L7 attack, we only
give compute resources to the attackers when there are no real users in
the queue. Thus the users might see some slowdown, but it should be
minimal. And since we're not actually blocking an attacker, it makes it
much harder for them to figure out the criteria we're using to identify
them and get around it. And also since we're not blocking, users which
end up mis-identified as bots aren't impacted during normal operations,
only when we're under attack. And even then it should be minimal since
while a user might have triggered a few of the score rules, the bot
would have hopefully triggered more.

Full ack here. This is a difficult topic which can create a lot of
headache.

Do you think to use one of the sample like DeviceAtlas or 51 or a more
specific solution?

Do you think about to use SPOE for the detection to offload the check
mechanism?

If this question / answers are some business secret then I fully
understand when you can't answer it.

-Patrick

Regards
Aleks

Reply via email to