This repository has been archived by the owner on Feb 14, 2023. It is now read-only.

SSRF protection #15

Open
simonfrey opened this issue Jan 9, 2020 · 3 comments
Labels
enhancement New feature or request Hacktoberfest help wanted Extra attention is needed

Comments

@simonfrey
Owner

We need to protect the server from being misused, e.g. in an amplification attack.
Currently I have no idea how to do that, apart from IP logging and blocking too many requests from one IP, which could be circumvented quite easily and also would require the server to store user data, which I do not want :/

If anyone has ideas on that front, it would be awesome to get them here :D

@simonfrey simonfrey added enhancement New feature or request help wanted Extra attention is needed labels Jan 9, 2020
@simonfrey
Owner Author

simonfrey commented Jan 12, 2020

One metric could be to allow only an X percent increase of traffic to a certain site.

E.g. bit.ly normally receives 10 requests/sec, so only allow spikes like 3x the normal traffic: 30 req/sec.

This could be a problem if overall the traffic on the site increases, but a global factor could work here:
If the overall traffic increases 20%, allow 3x10x1.2=36 requests max per second for bitly.

This feature would require more in-depth tracking on a per-link traffic basis. This is no problem for privacy as it is not required to store any user data to fulfill this metric.
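An added example (not code from this issue or from the project) of the per-destination cap sketched above: allowed rate = baseline(host) x spike factor x global factor, tracked per target host only, so no client data is stored. It assumes caller-supplied baselines in requests per second, a one-second counting window, and one refinement beyond the comment: the global factor is computed from traffic to the other hosts, so a spike on one host cannot inflate its own allowance.

```python
from collections import defaultdict
from urllib.parse import urlsplit


class DestinationSpikeLimiter:
    """Per-target cap = baseline(host) * spike_factor * global_factor.

    Keeps only aggregate counters per target host, nothing about the client,
    as the issue's privacy constraint requires. Baselines are req/sec.
    """

    def __init__(self, baselines, global_baseline, spike_factor=3.0,
                 default_baseline=1.0):
        self.baselines = dict(baselines)         # host -> normal req/sec (assumed input)
        self.global_baseline = global_baseline   # normal total req/sec (assumed input)
        self.spike_factor = spike_factor
        self.default_baseline = default_baseline  # hosts never seen before
        self.window = None                       # current 1-second bucket
        self.cur = defaultdict(int)              # host -> count this second
        self.prev = defaultdict(int)             # host -> count last second

    def _baseline(self, host):
        return self.baselines.get(host, self.default_baseline)

    def _roll(self, now):
        second = int(now)
        if second != self.window:
            # The last completed second is the reference for global growth;
            # after an idle gap the previous second is simply empty.
            self.prev = self.cur if self.window == second - 1 else defaultdict(int)
            self.cur = defaultdict(int)
            self.window = second

    def global_factor(self, host):
        """Growth of traffic to *other* hosts (>= 1.0), so that a spike on
        `host` itself cannot raise its own allowance."""
        others_now = sum(n for h, n in self.prev.items() if h != host)
        others_base = self.global_baseline - self._baseline(host)
        return max(1.0, others_now / others_base) if others_base > 0 else 1.0

    def limit_for(self, host):
        return self._baseline(host) * self.spike_factor * self.global_factor(host)

    def allow(self, url, now):
        """True if one more fetch of `url` at time `now` stays within the cap."""
        host = urlsplit(url).hostname or ""
        self._roll(now)
        if self.cur[host] + 1 > self.limit_for(host):
            return False
        self.cur[host] += 1
        return True
```

With bit.ly at a baseline of 10 req/sec and 20% more traffic to everything else in the previous second, the cap works out to the 36 req/sec from the comment; hosts with no baseline fall back to the small default.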

@Madydri

Madydri commented May 27, 2021

CSF (free but not open-source software) can set up iptables firewall rules for that?
Maybe mod_evasive for Apache can help?
