🛡️ Protecting Validator from DDoS Attacks

Understanding the DDoS Threat

What is a DDoS attack? A Distributed Denial of Service (DDoS) attack floods your server with excessive traffic, making it unavailable.

Types of DDoS attacks:

Network-layer attacks (L3-L4, volumetric attacks) – Overloading bandwidth (UDP flood, SYN flood).
Transport-layer attacks (L4) – Exhausting connections (TCP flood, Slowloris).
Application-layer attacks (L7, HTTP flood) – Overloading APIs and RPC endpoints.

Network-Level Protection (L3-L4)

At the network level, you need to limit malicious traffic.

Configuring Firewalls (UFW, iptables)

UFW (Uncomplicated Firewall)

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw allow 26656/tcp  # Open port for P2P (example for Cosmos SDK)
sudo ufw enable

iptables (Advanced option)

# Blocking UDP flood
sudo iptables -A INPUT -p udp --dport 26656 -m limit --limit 10/s --limit-burst 20 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 26656 -j DROP

# SYN flood protection
sudo iptables -A INPUT -p tcp --syn --dport 26656 -m limit --limit 10/s --limit-burst 20 -j ACCEPT
sudo iptables -A INPUT -p tcp --syn --dport 26656 -j DROP

Rate Limiting (Restricting Requests)

Fail2Ban can automatically ban suspicious IPs.

sudo apt install fail2ban -y
sudo nano /etc/fail2ban/jail.local

Add:

[sshd]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
bantime = 3600

Apply changes:

sudo systemctl restart fail2ban

Protecting Network Infrastructure

Using Cloudflare or Another CDN

Cloudflare or Radware helps filter malicious traffic.

How to set up Cloudflare?

Register on Cloudflare.
Add your domain.
Enable "Under Attack Mode".
Restrict API access to trusted IPs only.

Setting Up Reverse Proxy (NGINX)

Why use it? NGINX can hide your real IP and limit requests.

Example config for L7 attack protection:

server {
    listen 80;
    server_name validator.example.com;

    location / {
        proxy_pass http://localhost:26657;
        proxy_set_header X-Real-IP $remote_addr;
        limit_req zone=one burst=5 nodelay;
    }

    limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
}

Apply the config:

sudo systemctl restart nginx

Monitoring and Automated Response

Installing CrowdSec

CrowdSec detects and blocks attacks.

curl -fsSL https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash
sudo apt install crowdsec -y

Monitoring Load (Prometheus + Grafana)

Install Prometheus:

sudo apt install prometheus -y

Install Grafana and set up dashboards.

Additional Security Measures

Restrict access by IP – Allow access only from trusted IPs.
Use VPN (WireGuard, OpenVPN) – Hide your validator’s real IP.
Separate RPC and P2P networks – Don’t run everything on a single server.

Previous💽 Ledger for Validator Key Management Next🧩Multi-Factor Authentication (MFA) for a Validator

Last updated 11 months ago

hashtagUnderstanding the DDoS Threat

hashtagNetwork-Level Protection (L3-L4)

hashtagConfiguring Firewalls (UFW, iptables)

hashtagRate Limiting (Restricting Requests)

hashtagProtecting Network Infrastructure

hashtagUsing Cloudflare or Another CDN

hashtagSetting Up Reverse Proxy (NGINX)

hashtagMonitoring and Automated Response

hashtagInstalling CrowdSec

hashtag Monitoring Load (Prometheus + Grafana)

hashtagAdditional Security Measures