PhoenixDDoS (PhoenixDDoS v0.7.13)
`phoenix_ddos` is a high-performance application-layer DDoS protection for Elixir Phoenix.
Installation
- Add `:phoenix_ddos` to your list of dependencies in `mix.exs`:

```elixir
def deps do
  [
    {:phoenix_ddos, "~> 0.7"},
    # Highly recommended: this makes sure we get the correct remote_ip
    {:remote_ip, "~> 1.1"}
  ]
end
```

- Add the `PhoenixDDoS` plug to your app's Endpoint, after the excellent RemoteIp plug (optional but highly recommended!):

```elixir
defmodule MyApp.Endpoint do
  use Phoenix.Endpoint, otp_app: :my_app
  # ...
  plug RemoteIp
  plug PhoenixDDoS
  # ...
end
```
Configuration
```elixir
config :phoenix_ddos,
  safelist_ips: ["1.2.3.4", "5.6.7.0"],
  blocklist_ips: ["11.12.13.0"],
  protections: [
    # ip rate limit
    {PhoenixDDoS.IpRateLimit, allowed: 500, period: {2, :minutes}},
    {PhoenixDDoS.IpRateLimit, allowed: 10_000, period: {1, :hour}},
    # ip rate limit on specific request_path
    {PhoenixDDoS.IpRateLimitPerRequestPath,
     request_paths: ["/graphql"], allowed: 20, period: {1, :minute}}
  ]
```
Type | Option | Default | Description |
---|---|---|---|
bool | enabled | true | Set to false to disable |
int | jail_time (minutes) | 15 | Time an IP is fully blocked if caught by a protection. Set to nil to disable |
bool | raise_on_reject | false | Raise when a connection is rejected instead of returning an HTTP error code |
int | http_code_on_reject | 429 | HTTP code returned when a connection is rejected |
list | protections | | See Protections |
list | safelist_ips | | IPs that bypass all protections |
list | blocklist_ips | | IPs that are always blocked |
IP jail
Any protection that denies an IP pushes that IP into jail.
Jail time can be configured or disabled globally or per protection.
Motivation
Add a layer of protection within your Phoenix application. Multi-layered DDoS protection is the best protection!
Nothing like this exists in the Elixir ecosystem, so let's create it!
- You don't always have access to DDoS protection between the internet and your Phoenix application.
- You may want advanced DDoS features that you can't have outside an application environment.
Inspiration: rack-attack
Protections
Examples with PhoenixDDoS.IpRateLimit
500 per minute max; if triggered, the IP will be in jail for 15 minutes:

```elixir
[{PhoenixDDoS.IpRateLimit, allowed: 500, period: {1, :minute}}]
```

Disable jail; the IP will only be throttled to 500 per minute:

```elixir
[{PhoenixDDoS.IpRateLimit, allowed: 500, period: {1, :minute}, jail_time: nil}]
```
Examples with PhoenixDDoS.IpRateLimitPerRequestPath
Single route:

```elixir
[{PhoenixDDoS.IpRateLimitPerRequestPath, request_paths: ["/graphql"], allowed: 20, period: {1, :minute}}]
```

You can also give a Phoenix-like path:

```elixir
[{PhoenixDDoS.IpRateLimitPerRequestPath, request_paths: ["/admin/:id/dashboard"], allowed: 20, period: {1, :minute}}]
```

Multiple routes consuming the same quota:

```elixir
[{PhoenixDDoS.IpRateLimitPerRequestPath, request_paths: ["/graphql", "/graphiql"], allowed: 20, shared: true, period: {1, :minute}}]
```

Multiple routes consuming independent quotas:

```elixir
[{PhoenixDDoS.IpRateLimitPerRequestPath, request_paths: ["/graphql", "/graphiql"], allowed: 20, period: {1, :minute}}]
```

is equivalent to:

```elixir
[
  {PhoenixDDoS.IpRateLimitPerRequestPath,
   request_paths: ["/graphql"], allowed: 20, period: {1, :minute}},
  {PhoenixDDoS.IpRateLimitPerRequestPath,
   request_paths: ["/graphiql"], allowed: 20, period: {1, :minute}}
]
```
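The difference between shared and independent quotas, and what the jail adds on top, shown as a toy model. This is an added example, not PhoenixDDoS's own code: `QuotaModel`, its functions, the segment-matching rule and the single-period assumption are hypothetical and chosen for illustration.

```elixir
# Added illustration: a toy model, NOT PhoenixDDoS's implementation. QuotaModel
# and its functions are hypothetical; all requests are assumed to arrive within
# one period, so window rollover and jail expiry are not modelled.
defmodule QuotaModel do
  # Phoenix-like matching (assumed rule): a ":name" segment matches any single segment.
  def path_match?(pattern, path) do
    p = String.split(pattern, "/", trim: true)
    s = String.split(path, "/", trim: true)
    length(p) == length(s) and
      Enum.all?(Enum.zip(p, s), fn {a, b} -> String.starts_with?(a, ":") or a == b end)
  end

  # Counter key: one bucket per IP when shared, otherwise one per {IP, pattern}.
  def bucket(ip, path, opts) do
    pattern = Enum.find(opts[:request_paths], &path_match?(&1, path))
    cond do
      is_nil(pattern) -> nil
      opts[:shared] -> {ip, :shared}
      true -> {ip, pattern}
    end
  end

  # Replays [{ip, path}] and returns one verdict per request, in order.
  def replay(requests, opts) do
    jail? = Keyword.get(opts, :jail_time, 15) != nil
    {verdicts, _state} =
      Enum.map_reduce(requests, {%{}, MapSet.new()}, fn {ip, path}, {counts, jail} ->
        key = bucket(ip, path, opts)
        cond do
          # A jailed IP is blocked on every path, protected or not.
          MapSet.member?(jail, ip) -> {:jailed, {counts, jail}}
          is_nil(key) -> {:pass, {counts, jail}}
          Map.get(counts, key, 0) < opts[:allowed] ->
            {:pass, {Map.update(counts, key, 1, &(&1 + 1)), jail}}
          true ->
            {:reject, {counts, if(jail?, do: MapSet.put(jail, ip), else: jail)}}
        end
      end)

    verdicts
  end
end

# Constructed traffic: one client alternating between the two protected routes.
reqs = for _ <- 1..2, p <- ["/graphql", "/graphiql"], do: {"203.0.113.7", p}
opts = [request_paths: ["/graphql", "/graphiql"], allowed: 2]
IO.inspect(QuotaModel.replay(reqs, opts), label: "independent")
IO.inspect(QuotaModel.replay(reqs, opts ++ [shared: true, jail_time: nil]), label: "shared, no jail")
IO.inspect(QuotaModel.replay(reqs ++ [{"203.0.113.7", "/"}], opts ++ [shared: true]), label: "shared, jail")
```

With independent quotas all four requests pass. With `shared: true` the third request exceeds the quota, and with the jail left enabled the same client is then blocked on every later request, including the unprotected `/`.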
Next in roadmap
- self ddos tools
- performance
- feedback/alerting
- ip blocklist/safelist with mask/subnet
Summary
Functions
Provide in-iex stats