# 🛡️ Protecting Validator from DDoS Attacks

### Understanding the DDoS Threat

**What is a DDoS attack?**\
A Distributed Denial of Service (DDoS) attack floods your server with excessive traffic, making it unavailable.

**Types of DDoS attacks:**

* **Network-layer attacks (L3-L4, volumetric attacks)** – Overloading bandwidth (UDP flood, SYN flood).
* **Transport-layer attacks (L4)** – Exhausting connections (TCP flood, Slowloris).
* **Application-layer attacks (L7, HTTP flood)** – Overloading APIs and RPC endpoints.

### Network-Level Protection (L3-L4)

At the network level, you need to limit malicious traffic.

#### Configuring Firewalls (UFW, iptables)

**UFW (Uncomplicated Firewall)**

```bash
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw allow 26656/tcp  # Open port for P2P (example for Cosmos SDK)
sudo ufw enable
```

**iptables (Advanced option)**

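```bash
# Note: -m limit keeps one counter per rule, shared by all sources (not per IP),
# so during a flood legitimate peers compete for the same 10/s budget.

# Blocking UDP flood
sudo iptables -A INPUT -p udp --dport 26656 -m limit --limit 10/s --limit-burst 20 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 26656 -j DROP

# SYN flood protection: accept up to 10 new connections/s (burst 20), drop the rest
sudo iptables -A INPUT -p tcp --syn --dport 26656 -m limit --limit 10/s --limit-burst 20 -j ACCEPT
sudo iptables -A INPUT -p tcp --syn --dport 26656 -j DROP
```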

#### Rate Limiting (Restricting Requests)

**Fail2Ban** can automatically ban suspicious IPs.

```bash
sudo apt install fail2ban -y
sudo nano /etc/fail2ban/jail.local
```

Add:

```
[sshd]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
bantime = 3600
```

Apply changes:

```bash
sudo systemctl restart fail2ban
```

***

### Protecting Network Infrastructure

#### Using Cloudflare or Another CDN

Cloudflare or Radware helps filter malicious traffic.

**How to set up Cloudflare?**

1. Register on [Cloudflare](https://www.cloudflare.com/).
2. Add your domain.
3. Enable **"Under Attack Mode"**.
4. Restrict API access to trusted IPs only.

#### Setting Up Reverse Proxy (NGINX)

**Why use it?**\
NGINX can hide your real IP and limit requests.

**Example config for L7 attack protection:**

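```nginx
# limit_req_zone is only valid in the http context: keep it outside server {}
# (in the http block itself or in a file included from it).
# One shared 10 MB zone keyed by client IP, 1 request per second per IP.
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;

server {
    listen 80;
    server_name validator.example.com;

    location / {
        proxy_pass http://localhost:26657;
        proxy_set_header X-Real-IP $remote_addr;
        # Allow a burst of 5 extra requests per IP without delay; reject the rest
        limit_req zone=one burst=5 nodelay;
    }
}
```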

Apply the config:

```bash
sudo systemctl restart nginx
```
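To see what `rate=1r/s` with `burst=5 nodelay` means for each client IP, the following added example (not part of the original page and not NGINX's own code) is a simplified Python model of the leaky-bucket accounting behind `limit_req`. The client addresses and request timestamps are constructed sample data.

```python
# Simplified model of the per-key leaky bucket behind NGINX limit_req.
# Times are integer milliseconds; "excess" is counted in 1/1000 of a request.

RATE_RPS = 1   # rate=1r/s from the config above
BURST = 5      # burst=5; nodelay = in-burst requests are served at once

FLOOD, NORMAL = "203.0.113.7", "198.51.100.20"   # constructed documentation IPs
# Constructed traffic: 10 requests at t=0, then one every 500 ms, from FLOOD;
# one request every 2 s from NORMAL.
SAMPLE = ([(0, FLOOD)] * 10
          + [(t, FLOOD) for t in range(500, 5001, 500)]
          + [(t, NORMAL) for t in (0, 2000, 4000)])


def simulate(requests, rate_rps=RATE_RPS, burst=BURST):
    """Return {ip: (accepted, rejected)} for (timestamp_ms, ip) pairs."""
    state = {}    # ip -> (excess, time of last accepted request)
    counts = {}   # ip -> [accepted, rejected]
    for ts, ip in sorted(requests, key=lambda r: r[0]):
        tally = counts.setdefault(ip, [0, 0])
        if ip not in state:
            excess = 0  # first request from a new key is always let through
        else:
            prev_excess, last = state[ip]
            # Drain the bucket for the elapsed time, then add this request.
            excess = max(0, prev_excess - rate_rps * (ts - last) + 1000)
        if excess > burst * 1000:
            tally[1] += 1   # over the burst: rejected (HTTP 503 by default)
            continue        # rejected requests do not fill the bucket
        state[ip] = (excess, ts)
        tally[0] += 1
    return {ip: tuple(c) for ip, c in counts.items()}


if __name__ == "__main__":
    for ip, (ok, dropped) in simulate(SAMPLE).items():
        print(f"{ip}: accepted={ok} rejected={dropped}")
```

On the sample traffic the flooding client gets its first 6 requests through (one plus the burst of 5) and is then held to one per second, while the slow client is never rejected.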

***

### Monitoring and Automated Response

#### Installing CrowdSec

CrowdSec detects and blocks attacks.

```bash
curl -fsSL https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash
sudo apt install crowdsec -y
```

#### Monitoring Load (Prometheus + Grafana)

1. Install **Prometheus**:

```bash
sudo apt install prometheus -y
```

2. Install **Grafana** and set up dashboards.

***

### Additional Security Measures

* **Restrict access by IP** – Allow access only from trusted IPs.
* **Use VPN (WireGuard, OpenVPN)** – Hide your validator’s real IP.
* **Separate RPC and P2P networks** – Don’t run everything on a single server.

