🛡️ Protecting Validator from DDoS Attacks

Understanding the DDoS Threat

What is a DDoS attack? A Distributed Denial of Service (DDoS) attack floods your server with excessive traffic, making it unavailable.

Types of DDoS attacks:

Network-layer attacks (L3-L4, volumetric attacks) – Overloading bandwidth (UDP flood, SYN flood).
Transport-layer attacks (L4) – Exhausting connections (TCP flood, Slowloris).
Application-layer attacks (L7, HTTP flood) – Overloading APIs and RPC endpoints.

Network-Level Protection (L3-L4)

At the network level, you need to limit malicious traffic.

Configuring Firewalls (UFW, iptables)

UFW (Uncomplicated Firewall)

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw allow 26656/tcp  # Open port for P2P (example for Cosmos SDK)
sudo ufw enable

iptables (Advanced option)

# Blocking UDP flood
sudo iptables -A INPUT -p udp --dport 26656 -m limit --limit 10/s --limit-burst 20 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 26656 -j DROP

# SYN flood protection
sudo iptables -A INPUT -p tcp --syn --dport 26656 -m limit --limit 10/s --limit-burst 20 -j ACCEPT
sudo iptables -A INPUT -p tcp --syn --dport 26656 -j DROP

Rate Limiting (Restricting Requests)

Fail2Ban can automatically ban suspicious IPs.

sudo apt install fail2ban -y
sudo nano /etc/fail2ban/jail.local

Add:

[sshd]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
bantime = 3600

Apply changes:

sudo systemctl restart fail2ban

Protecting Network Infrastructure

Using Cloudflare or Another CDN

Cloudflare or Radware helps filter malicious traffic.

How to set up Cloudflare?

Add your domain.
Enable "Under Attack Mode".
Restrict API access to trusted IPs only.

Setting Up Reverse Proxy (NGINX)

Why use it? NGINX can hide your real IP and limit requests.

Example config for L7 attack protection:

server {
    listen 80;
    server_name validator.example.com;

    location / {
        proxy_pass http://localhost:26657;
        proxy_set_header X-Real-IP $remote_addr;
        limit_req zone=one burst=5 nodelay;
    }

    limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
}

Apply the config:

sudo systemctl restart nginx

Monitoring and Automated Response

Installing CrowdSec

CrowdSec detects and blocks attacks.

curl -fsSL https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash
sudo apt install crowdsec -y

Monitoring Load (Prometheus + Grafana)

Install Prometheus:

sudo apt install prometheus -y

Install Grafana and set up dashboards.

Additional Security Measures

Restrict access by IP – Allow access only from trusted IPs.
Use VPN (WireGuard, OpenVPN) – Hide your validator’s real IP.
Separate RPC and P2P networks – Don’t run everything on a single server.

Previous🔑 Horcrux Next🧩Multi-Factor Authentication (MFA) for a Validator

Last updated 3 months ago

# Blocking UDP flood sudo iptables -A INPUT -p udp --dport 26656 -m limit --limit 10/s --limit-burst 20 -j ACCEPT sudo iptables -A INPUT -p udp --dport 26656 -j DROP # SYN flood protection sudo iptables -A INPUT -p tcp --syn --dport 26656 -m limit --limit 10/s --limit-burst 20 -j ACCEPT sudo iptables -A INPUT -p tcp --syn --dport 26656 -j DROP

server { listen 80; server_name validator.example.com; location / { proxy_pass http://localhost:26657; proxy_set_header X-Real-IP $remote_addr; limit_req zone=one burst=5 nodelay; } limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s; }