H2O

the optimized HTTP/1.x, HTTP/2, HTTP/3 server


Configure > Using DoS Detection

Starting from version 2.1, H2O comes with an mruby script named dos_detector.rb that implements a DoS detection feature. The script provides a Rack handler that detects HTTP flooding attacks based on the client's IP address.

Basic Usage

The example below uses the mruby script to detect DoS attacks. The default detection strategy simply counts requests within the configured period. If the count exceeds the configured threshold, the handler returns a 403 Forbidden response. Otherwise, the handler returns a 399 response, and the request is delegated internally to the next handler.

Example. Configuring DoS Detection
paths:
  "/":
    mruby.handler: |
      require "dos_detector.rb"
      DoSDetector.new({
        :strategy => DoSDetector::CountingStrategy.new({
          :period     => 10,  # default
          :threshold  => 100, # default
          :ban_period => 300, # default
        }),
      })
    file.dir: /path/to/doc_root

In the example above, the handler counts the requests within 10 seconds for each IP address, and when the count exceeds 100, it returns a 403 Forbidden response for the request and marks the client as "Banned" for 300 seconds. While the client is marked as "Banned", the handler returns a 403 Forbidden response to all requests from the same IP address.
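
The counting behaviour described above, as an added stand-alone Ruby model for trying out period, threshold and ban_period values before deploying them. It is not H2O's dos_detector.rb and not part of the original page. Assumptions: a fixed per-IP window that restarts once period seconds have passed; the names CountingModel, replay and demo and the sample IP addresses and timestamps are constructed for illustration.

```ruby
# Added model of the documented counting behaviour; NOT H2O's dos_detector.rb.
# Assumption: a fixed window per IP that restarts once `period` seconds have passed.
class CountingModel
  def initialize(period: 10, threshold: 100, ban_period: 300)
    @period, @threshold, @ban_period = period, threshold, ban_period
    @clients = {} # ip => { window_start:, count:, banned_until: }
  end

  # Returns the status the handler would answer with at time `now` (seconds).
  def status_for(ip, now)
    c = (@clients[ip] ||= { window_start: now, count: 0, banned_until: nil })
    if c[:banned_until]
      return 403 if now < c[:banned_until] # still marked as "Banned"
      c.replace({ window_start: now, count: 0, banned_until: nil }) # ban expired
    end
    if now - c[:window_start] >= @period # window elapsed: start counting again
      c[:window_start] = now
      c[:count] = 0
    end
    c[:count] += 1
    if c[:count] > @threshold # count exceeds threshold: ban the client
      c[:banned_until] = now + @ban_period
      return 403
    end
    399 # delegate the request to the next handler
  end
end

# Replays constructed [ip, seconds] pairs (not real logs) through the model.
def replay(model, requests)
  requests.map { |ip, t| model.status_for(ip, t) }
end

def demo
  model = CountingModel.new # the documented defaults: 10 / 100 / 300
  flood = Array.new(101) { |i| ["203.0.113.7", i * 0.05] } # 101 requests in 5 s
  other = [["198.51.100.9", 5.0]]                          # unrelated client
  later = [["203.0.113.7", 200.0], ["203.0.113.7", 305.1]] # during / after the ban
  replay(model, flood + other + later)
end

if __FILE__ == $PROGRAM_NAME
  out = demo
  puts "request 100: #{out[99]}, request 101: #{out[100]}"
  puts "other client: #{out[101]}, t=200: #{out[102]}, t=305.1: #{out[103]}"
end
```

With the defaults, the first 100 requests pass, the 101st triggers the ban, and an unrelated IP address is unaffected while the ban is active.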

Configuring Details

You can pass the following parameters to DoSDetector.new.

Example. Configuring Details
paths:
  "/":
    mruby.handler: |
      require "dos_detector.rb"
      DoSDetector.new({
        :strategy => DoSDetector::CountingStrategy.new,
        :forwarded => false,
        :cache_size => 2048,
        :callback => proc {|env, detected, ip|
          if detected && ! ip.start_with?("192.168.")
            [503, {}, ["Service Unavailable"]]
          else
            [399, {}, []]
          end
        }
      })
    file.dir: /path/to/doc_root

Points to Notice