Mitigating of DDos Attacks

The Aspire app needs to be set up to mitigate DDoS attacks and other similar issues related to security findings (Jira vulnerability issue.)

A quick and straightforward solution can be done by a Nginx server, which is set up as a proxy server for Aspire.

Aspire should not be available outside the website directly, but always using Nginx or a similar technology (Apache, AWS WAF, etc.)

Nginx will be set up as a proxy server with HTTPS certificates, request limit and other necessary security.

Internally, Aspire 5 and internals apps can be connected directly (localhost:50505).

We will avoid with this approach to have some limitations between internal applications.

Prerequisite:

Install Nginx server

Install Aspire 5

Limiting the Rate of Requests

You can limit the rate at which NGINX accepts incoming requests to a value typical for real users. For example, you might decide that a real user accessing a login page can only make a request every 1 second.

You can configure NGINX to allow a single client IP address to attempt POST requests to API endpoints only every 1 second (equivalent to 60 requests per minute):

To enable POST requests limitations, open nginx.conf and put:

   http {
 # Maps ip address to $limit variable if request is of type POST
    map $request_method $limit {
    default         "";
    POST            $binary_remote_addr;
  }
# Creates 10mb zone in memory for storing binary ips and limit requests to 60 per minute.
 limit_req_zone $limit zone=one:10m rate=60r/m;
...
	server {
        ...
        location / {
            ...
		#limit post request 60 requests per minutes
		limit_req zone=one;
		
        }
}

Limiting the Number of Connections

You can limit the number of connections that can be opened by a single client IP address, again to a value appropriate for real users. For example, you can allow each client IP address to open no more than 10 connections to the ASPIRE 5 area:

server {
    # ...
    location / {
        limit_conn addr 10;
        # ...
    }
}

More can be found directly in Nginx documentation .

Configuring HTTPS

To configure an HTTPS connection needs to be prepared SSL certifications for the current domain or IP, here is example only for localhost.

server {
        
	  listen       443 ssl;
        server_name  localhost;
        keepalive_timeout   70;

        ssl_certificate      certs/localhost.crt;
        ssl_certificate_key  certs/localhost.rsa;
        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
		
        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5
...
}

More can be found directly in the Nginx documentation.