secubox-openwrt/DOCS/DDOS-PROTECTION.md

# SecuBox DDoS Protection Guide

SecuBox provides **multi-layered DDoS protection** suitable for home, SOHO, and SMB deployments. This document describes the protection mechanisms and configuration options.

## Protection Layers Overview

| Layer | Component | Attack Types Mitigated |
|-------|-----------|------------------------|
| **L3** | OpenWrt Firewall | SYN flood, ICMP flood, IP spoofing |
| **L4** | nftables/iptables | Connection floods, port scans |
| **L4** | CrowdSec | Distributed attack detection |
| **L7** | HAProxy | HTTP flood, slowloris, request bombing |
| **L7** | mitmproxy WAF | Application-layer floods, bot attacks |
| **DNS** | Vortex Firewall | Botnet C2, DNS amplification |
| **Intel** | CrowdSec CAPI | Shared threat intelligence (50k+ nodes) |

## Layer 3/4 Protection

### SYN Flood Protection

OpenWrt firewall includes SYN cookies and SYN flood protection:

```bash
# Check current status
cat /proc/sys/net/ipv4/tcp_syncookies

# Enable via UCI
uci set firewall.@defaults[0].synflood_protect='1'
uci commit firewall
/etc/init.d/firewall restart
```

### Connection Tracking Limits

Increase conntrack table size for high-traffic scenarios:

```bash
# Check current limits
cat /proc/sys/net/netfilter/nf_conntrack_max
cat /proc/sys/net/netfilter/nf_conntrack_count

# Increase limit (add to /etc/sysctl.conf)
echo "net.netfilter.nf_conntrack_max=131072" >> /etc/sysctl.conf
sysctl -p
```

### Anti-Spoofing (Reverse Path Filter)

```bash
# Enable RP filter
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Persist in /etc/sysctl.conf
echo "net.ipv4.conf.all.rp_filter=1" >> /etc/sysctl.conf
```

### ICMP Rate Limiting

```bash
# Limit ICMP responses (prevent ping flood amplification)
echo 1000 > /proc/sys/net/ipv4/icmp_ratelimit
echo 50 > /proc/sys/net/ipv4/icmp_msgs_per_sec
```

### Drop Invalid Packets

```bash
uci set firewall.@defaults[0].drop_invalid='1'
uci commit firewall
/etc/init.d/firewall restart
```

## CrowdSec Protection

CrowdSec provides behavior-based detection and collaborative threat intelligence.

### Install DDoS Collections

```bash
# HTTP flood detection
cscli collections install crowdsecurity/http-dos

# Base HTTP attack detection
cscli collections install crowdsecurity/base-http-scenarios

# Nginx/HAProxy specific
cscli collections install crowdsecurity/nginx
cscli collections install crowdsecurity/haproxy

# Restart to apply
/etc/init.d/crowdsec restart
```

### CrowdSec Scenarios for DDoS

| Scenario | Description | Ban Duration |
|----------|-------------|--------------|
| `crowdsecurity/http-dos-swithcing-ua` | Rapid user-agent switching | 4h |
| `crowdsecurity/http-generic-bf` | Generic HTTP bruteforce | 4h |
| `crowdsecurity/http-slow-bf` | Slowloris-style attacks | 4h |
| `crowdsecurity/http-crawl-non_statics` | Aggressive crawling | 4h |

### View Active Protections

```bash
# List installed scenarios
cscli scenarios list

# View active decisions (bans)
cscli decisions list

# View real-time metrics
cscli metrics
```

## HAProxy Rate Limiting

HAProxy provides connection and request rate limiting for published services.

### Global Connection Limits

Add to `/etc/haproxy/haproxy.cfg`:

```haproxy
global
    maxconn 4096

defaults
    maxconn 2000
    timeout connect 5s
    timeout client 30s
    timeout server 30s
```

### Per-Backend Rate Limiting

```haproxy
frontend https_in
    bind *:443 ssl crt /etc/haproxy/certs/

    # Rate limit: 100 requests/10s per IP
    stick-table type ip size 100k expire 30s store http_req_rate(10s)
    http-request track-sc0 src
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 }

    # Slow down aggressive clients
    http-request tarpit if { sc_http_req_rate(0) gt 50 }
```

### Connection Queue (Absorb Spikes)

```haproxy
backend myapp
    server app1 192.168.255.1:8080 maxconn 100 maxqueue 500
```

## mitmproxy L7 WAF

mitmproxy inspects HTTP/HTTPS traffic and detects application-layer attacks.

### Flood Detection

The `secubox_analytics.py` addon detects:
- Request rate spikes per IP
- Abnormal request patterns
- Bot signatures
- Automated scanning tools

### Enable WAF

```bash
# Start mitmproxy container
/etc/init.d/mitmproxy start

# Check status
mitmproxyctl status
```

### View Detected Threats

```bash
# Recent threats
tail -f /srv/mitmproxy/threats.log

# Threat statistics
mitmproxyctl stats
```

## Vortex DNS Firewall

Vortex blocks known botnet C2 domains and malware distribution sites at the DNS level.

### Enable Protection

```bash
# Update threat intelligence feeds
vortex-firewall intel update

# Start protection
vortex-firewall start

# Check stats
vortex-firewall stats
```

### Blocked Categories

- Malware distribution domains
- Botnet C2 servers (Mirai, Gafgyt, etc.)
- Phishing domains
- Cryptominer pools

## InterceptoR Insider WAF

The InterceptoR Insider WAF detects DDoS participation from compromised LAN devices:

- **C2 beacon detection** - Identifies infected devices calling home
- **DNS tunneling** - Detects data exfiltration via DNS
- **IoT botnet patterns** - Mirai, Gafgyt, Mozi signatures
- **Cryptominer activity** - Mining pool connections

### Check Insider Threats

```bash
# View InterceptoR status
ubus call luci.interceptor status

# Check for insider threats in logs
grep "insider" /srv/mitmproxy/threats.log
```

## Config Advisor DDoS Profile

Run the DDoS-specific compliance check:

```bash
# Run all checks including DDoS
config-advisorctl check

# Run DDoS checks only
config-advisorctl check --category ddos

# Auto-remediate DDoS issues
config-advisorctl remediate --category ddos
```

### DDoS Check Rules

| Rule ID | Check | Severity |
|---------|-------|----------|
| DDOS-001 | SYN cookies enabled | High |
| DDOS-002 | Connection tracking limit | Medium |
| DDOS-003 | CrowdSec http-dos installed | High |
| DDOS-004 | ICMP rate limiting | Medium |
| DDOS-005 | Reverse path filtering | High |
| DDOS-006 | HAProxy connection limits | Medium |
| DDOS-007 | mitmproxy WAF active | Medium |
| DDOS-008 | Vortex DNS firewall | Medium |

## Limitations

SecuBox is designed for home/SMB scale. It **cannot**:

- Absorb volumetric attacks larger than your WAN bandwidth
- Provide Anycast/CDN distribution
- Act as a scrubbing service

### For Serious DDoS Protection

Consider adding upstream protection:

1. **Cloudflare** - Free tier includes basic DDoS protection
2. **Cloudflare Spectrum** - TCP/UDP proxy for non-HTTP services
3. **AWS Shield** - If hosting on AWS
4. **OVH Anti-DDoS** - If using OVH hosting

### Hybrid Setup

```
Internet → Cloudflare (L3/L4/L7 scrubbing) → SecuBox (L7 WAF + insider detection)
```

## Quick Hardening Checklist

```bash
# 1. Enable firewall protections
uci set firewall.@defaults[0].synflood_protect='1'
uci set firewall.@defaults[0].drop_invalid='1'
uci commit firewall

# 2. Install CrowdSec DDoS collection
cscli collections install crowdsecurity/http-dos

# 3. Enable kernel protections
cat >> /etc/sysctl.conf << 'EOF'
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.icmp_ratelimit=1000
net.netfilter.nf_conntrack_max=131072
EOF
sysctl -p

# 4. Start Vortex DNS firewall
vortex-firewall intel update
vortex-firewall start

# 5. Verify with Config Advisor
config-advisorctl check --category ddos
```

## Monitoring During Attack

```bash
# Real-time connection count
watch -n 1 'cat /proc/sys/net/netfilter/nf_conntrack_count'

# CrowdSec activity
watch -n 5 'cscli metrics'

# Active bans
cscli decisions list

# HAProxy stats (if enabled)
echo "show stat" | socat stdio /var/run/haproxy.sock

# mitmproxy threats
tail -f /srv/mitmproxy/threats.log
```

## Related Documentation

- [InterceptoR Overview](../package/secubox/luci-app-interceptor/README.md)
- [CrowdSec Dashboard](../package/secubox/luci-app-crowdsec-dashboard/README.md)
- [Vortex DNS Firewall](../package/secubox/VORTEX-DNS-FIREWALL.md)
- [Config Advisor](../package/secubox/secubox-config-advisor/README.md)