Getting Started

In order to install HaltDos on your application servers, you must sign up on our website, create a new application and get your application id. This application id should be used for all the instances running the same application.

NOTE: Haltdos currently supports Linux-based distributions only. For the list of tested platforms, see section 4, Supported Platforms.


1. Introduction



1.1 Quick Start

Sign up on our website and generate your application id. An application can contain multiple instances running the same program(s). Every instance has a unique identifier, the instance id, which is generated automatically. The instance id lets us monitor and track the status of each instance and is also used to aggregate metrics for the entire application. Make sure you provide the correct application id on every instance; otherwise metrics from different applications are mixed together.

Once you have generated the application id, follow the steps in Installation to deploy haltdos on your application servers.


1.2 How it works

Haltdos is a small piece of software (about 700KB) that intercepts all traffic between the network interface card and the kernel TCP/IP stack. It acts as a filter: it drops bad traffic targeted at your website so that your application processes only legitimate user traffic. It also monitors the responses from the application servers to verify the health of the application itself. Haltdos is agnostic to the application running on the server, so it does not matter whether you run Tomcat, Nginx or Httpd, or a Java, Ruby, Python, Perl or C/C++ based application. However, haltdos currently filters TCP traffic only, so it does not mitigate UDP or ICMP floods. The agent collects only metrics such as incoming packets and bytes, the number of HTTP requests, etc., and performs the real-time processing on your application server itself. You can see all the metrics about your application, as well as the health of individual servers, on our website.

By default, haltdos is configured to work well within the constraints of an application server with 1GB RAM and 1 CPU core. If you run haltdos on a more powerful server, it is recommended to change the configuration accordingly. In our tests, a powerful application server (4GB RAM, 4 CPU cores) running haltdos can handle over 1 Gbps of attack traffic. Actual throughput also depends on the attached network interface card (NIC) and on the performance of the application running on the server. Keep in mind that a host-based filter can only drop traffic that has already reached the server's NIC: an attack that saturates the server's uplink still consumes that bandwidth before haltdos sees it.

Your application servers can be hosted in any data center. However, all the configuration changes and customizations can only be done through our website. To deploy HaltDos inside your data center, please contact sales: sales@haltdos.com.


2. Installation



Step 1: Create a HaltDos account

  1. Go to https://app.haltdos.com
  2. Click on Request Invite on the top right corner.
  3. Enter your name, email & password, agree to the Terms of Service & Privacy Policy and click on Request Invite.
  4. An activation email is sent to your entered email ID. Click on the activation link in the received email to activate your account.
Step 2: Create an Application

  1. Go to our website and login with your email and password.
  2. If you've not created an application, you'll be asked to add an application.
  3. Enter the application name and click on Create Application
  4. Upon successful creation of your application, you'll be redirected to your application's dashboard.

2.1 Amazon Web Services (AWS)

  1. To install HaltDos on a web app hosted on AWS Elastic Beanstalk, use an .ebextensions configuration file (see the Elastic Beanstalk documentation on .ebextensions for details).
  2. Log in to https://app.haltdos.com and note the <APPLICATION ID> from the URL. The URL structure is
     https://app.haltdos.com/app/<APPLICATION ID>/...
  3. Create a file named 01_haltdos_setup.config with the following content:

     commands:
       install_haltdos:
         command: "wget https://download.haltdos.com/scripts/setup.sh -O setup.sh && sh setup.sh"
         cwd: /tmp
         env:
           HD_APPLICATION_ID: "<APPLICATION ID>"
         ignoreErrors: false

  4. Add the 01_haltdos_setup.config file to a folder named .ebextensions in the root of your source bundle and deploy it to your Beanstalk environment.
  5. Congratulations! Your website is now secure.
NOTE: Because HaltDos is deployed through the Elastic Beanstalk configuration, Auto Scaling is handled automatically: every new instance the environment launches runs this command and has HaltDos installed. The command runs as root during deployment and executes the setup script fetched over HTTPS from download.haltdos.com, so review the script before adopting it, and keep ignoreErrors set to false: if the download or the install fails, the deployment fails instead of launching an unprotected instance.

2.2 Others

  1. To install haltdos on your own servers or on servers hosted on other platforms, download and run the setup script.
  2. Log in to https://app.haltdos.com and note the <APPLICATION ID> from the URL. The URL structure is
     https://app.haltdos.com/app/<APPLICATION ID>/...
  3. SSH into your server, or log in and open a terminal.
  4. Run the following commands to download and install haltdos. The script needs root (it installs the haltdos package), so review /tmp/setup.sh before running the second command:

     wget https://download.haltdos.com/scripts/setup.sh -O /tmp/setup.sh && \
     sudo sh /tmp/setup.sh <APPLICATION ID>

  5. Kudos! Your server is now secure. To confirm the agent is installed, check for the haltdos package with dpkg -l haltdos (Debian/Ubuntu) or rpm -q haltdos (Fedora/Amazon Linux).

3. Configuring Security

3.1 User Permissions

Location: Home > Settings > User Access Rights

These settings are used to add, edit or delete other users and to change their access level. Each user entry requires a name, an email address, an access level and a default password. How to use this setting:

  1. To add a user click on the "ADD USER" provide the required fields and click on "ADD USER" button provided in the modal.
  2. To edit a user click on the edit icon provided in the table and change the required field and click on "EDIT USER" button provided in the modal.
  3. To delete a user click on the delete icon provided in the table and confirm the action by clicking on "DELETE USER" button provided in the modal.
The following access levels can be assigned to a user:
  1. Administrator: A user with Administrator permissions can access all visible sections of the UI. This user can add applications, register instances, set alarms, monitor the system, change the configuration and add, edit or delete other users.
  2. Network analyst: A user with Network Analyst permissions cannot change the configuration or add/edit users. This user can only monitor the system and set alarms.
  3. Security analyst: A user with Security Analyst permissions cannot add/edit other users. This user can change the configuration and set alarms.
  4. Visitor: A user with Visitor permissions cannot perform any action in the UI. This type of user is only permitted to monitor the system.
Grant each person the lowest level that covers their duties: only Administrators and Security analysts can change the mitigation settings described below, and only Administrators can manage other users.

3.2 DDoS Protection

Location: Home > Settings > DDoS Protection

These settings control how the system behaves when protecting against DDoS attacks; they define the configuration of the various DDoS mitigations. To update a setting, go to its field, change the value and click the "SAVE CHANGES" button provided in the section.
The following settings can be configured:

  1. GENERAL SECURITY SETTINGS:
    1. BlackListed IP Prefixes: Blocks all inbound traffic from the specified source IP ranges. Required format: a.b.c.d/(8-32), i.e. an IPv4 prefix with a mask between /8 and /32. To update this setting, type a prefix in that format and press Enter to add it to the list, then click "SAVE CHANGES".
    2. WhiteListed IP Prefixes: Bypasses every mitigation provided by the system for inbound traffic from the specified source IP ranges. Required format: a.b.c.d/(8-32). To update this setting, type a prefix in that format and press Enter to add it to the list, then click "SAVE CHANGES". Because the match is on the source address only, keep the whitelist to a few trusted ranges: packets carrying a spoofed whitelisted source address bypass all mitigations, including SYN flood protection.
    3. Traffic Rate Limits: The maximum allowed inbound traffic in megabits per second (Mbps); inbound traffic to the service is rate limited to this value. To update this setting, enter the maximum rate in Mbps and click "SAVE CHANGES".
    4. Temporary BlackList duration: The maximum duration, in seconds, for which a misbehaving source IP is blacklisted; all traffic from that IP is blocked for that period. To update this setting, enter the duration in seconds and click "SAVE CHANGES".
  2. CONNECTION SETTINGS:
    1. Max concurrent connections: The maximum number of concurrent TCP connections your application servers can handle. This setting is used to mitigate connection flood and TCP SYN flood attacks. To update this setting, enter the maximum number of connections your service supports and click "SAVE CHANGES".
    2. Concurrent connections per source: Limits the number of simultaneous TCP connections any single source IP can establish with your application servers; connection requests beyond the limit are dropped. To update this setting, enter the number of connections and click "SAVE CHANGES". Set 0 to disable this mitigation. Clients behind a shared NAT or proxy appear as one source IP, so set the limit high enough for them.
    3. Aggressive Aging: Enables aggressive aging to protect against TCP connection flood attacks. When enabled, the system terminates connections that are older than the Connection expiry duration.
    4. Connection expiry duration: The time after which a TCP connection is considered stale and scheduled for deletion. To update this setting, enable Aggressive Aging, specify the duration and click "SAVE CHANGES".
  3. HTTP SETTINGS:
    1. HTTP requests per source: The maximum number of HTTP requests allowed from a single source IP. To update this setting, enter the value and click "SAVE CHANGES". Set 0 to disable this mitigation.
    2. Progressive challenge threshold: The number of requests from a source IP after which that IP must pass a Progressive Challenge, i.e. prove that it is not a bot. To update this setting, enter the number of requests per source and click "SAVE CHANGES". Set 0 to disable this mitigation.
    3. Minimum TCP Payload Length: The minimum TCP payload length within a connection; connections carrying smaller payloads are terminated. This mitigates low-and-slow TCP DDoS attacks that send data at a very low rate. To update this setting, enter the minimum payload length and click "SAVE CHANGES". Set 0 to disable this mitigation.
    4. Minimum HTTP Incomplete Header Length: The minimum length of an incomplete HTTP header in an incoming TCP packet; connections below it are dropped. This mitigates slow HTTP header attacks (Slowloris-style), which send incomplete HTTP requests with incomplete headers. To update this setting, enter the header length and click "SAVE CHANGES". Set 0 to disable this mitigation.
    5. HTTP flood protection: Enables HTTP flood protection for any destination URL.
    6. HTTP request limit by URL: The maximum number of HTTP requests per second per Host and URL. To update this setting, enable HTTP flood protection, enter the number of requests per URL and click "SAVE CHANGES". Set 0 to disable this mitigation.
    7. Default HTTP requests per second: The maximum number of HTTP requests per second for any URL. Overrides for a specific Host and URL are set with the "CONFIGURE" button:
      1. Click the "CONFIGURE" button.
      2. Set the HTTP method to limit.
      3. Set the HTTP host to limit.
      4. Set the HTTP URL to limit.
      5. Set the number of requests allowed for the specified method, host and URL.
      6. Click "SAVE CHANGES".
  4. CUSTOM RULES:

    Custom rules determine the fate of incoming packets from the internet that match them. Note the following about rule matching:

    1. Rules form an ordered list, evaluated in priority order.
    2. The system supports at most 256 rules.
    3. A rule consists of one or more conditions.
    4. A rule matches only if every condition in it matches (conditions are ANDed).
    5. A condition consists of an attribute and one or more values; it matches if the attribute equals any of the listed values (values are ORed).

    How to add a RULE:
    1. Click the "ADD RULE" button.
    2. Enter the rule name and description.
    3. Add conditions by clicking "ADD CONDITION".
    4. Select the protocol for which the condition should be matched, e.g. "IPv4".
    5. Select a field, e.g. "SRC IP" (source IP).
    6. Select a criterion, e.g. "EQUALS".
    7. Specify the value, e.g. "192.168.1.1".
    8. Click "SAVE CONDITION".
    9. Click "SAVE RULE" to save the rule.
    10. Click "SAVE CHANGES" to apply the setting.
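The following is an added worked example, not HaltDos code: a small Python model of how the settings above combine for one packet, in the order whitelist, blacklist, temporary blacklist, custom rules, then the per-source connection and HTTP limits. The events, addresses, rule names, the "drop-telnet" rule, the field names protocol/dst_port/src_ip and the first-match-wins evaluation of the ordered rule list are all assumptions made for the illustration; the real agent does this in the packet path, and the page does not state a time window for the HTTP-requests-per-source counter, so none is modelled here.

```python
"""Constructed model of how the DDoS Protection settings in 3.2 interact.
Added illustration, not HaltDos code: the same policy is applied to
constructed events so the ordering of whitelist, blacklist, temporary
blacklist, custom rules and per-source limits can be seen."""
import ipaddress
from collections import defaultdict

MAX_RULES = 256  # limit stated for custom rules


def parse_prefix(text):
    """Validate the a.b.c.d/(8-32) format the UI requires and return the network."""
    net = ipaddress.ip_network(text, strict=False)
    if net.version != 4 or not 8 <= net.prefixlen <= 32:
        raise ValueError(f"prefix must be IPv4 with a /8 to /32 mask: {text}")
    return net


class Mitigator:
    def __init__(self, settings, rules):
        if len(rules) > MAX_RULES:
            raise ValueError("at most 256 custom rules are supported")
        self.blacklist = [parse_prefix(p) for p in settings.get("blacklist", [])]
        self.whitelist = [parse_prefix(p) for p in settings.get("whitelist", [])]
        self.temp_block_secs = settings.get("temp_blacklist_seconds", 60)
        self.max_conn_per_src = settings.get("conn_per_source", 0)  # 0 disables
        self.max_http_per_src = settings.get("http_per_source", 0)  # 0 disables
        self.rules = rules                  # ordered by priority
        self.conns = defaultdict(int)       # src -> open TCP connections
        self.http = defaultdict(int)        # src -> HTTP requests seen
        self.temp_block = {}                # src -> time the block expires

    @staticmethod
    def _listed(ip, prefixes):
        return any(ip in net for net in prefixes)

    def _match_rules(self, pkt):
        # A rule matches when every condition matches (AND); a condition
        # matches when the field equals any of its values (OR). First match
        # wins, which is an assumption about how the ordered list is used.
        for rule in self.rules:
            if all(pkt.get(field) in values for field, values in rule["conditions"]):
                return rule["action"]
        return None

    def handle(self, event, pkt, now):
        """event is 'syn', 'fin' or 'http' (constructed); returns ACCEPT or DROP."""
        src = ipaddress.ip_address(pkt["src_ip"])
        if self._listed(src, self.whitelist):
            return "ACCEPT"  # whitelisted prefixes bypass every mitigation below
        if self._listed(src, self.blacklist):
            return "DROP"
        if self.temp_block.get(src, 0) > now:
            return "DROP"    # misbehaving source, blocked for the configured duration
        verdict = self._match_rules(pkt)
        if verdict is not None:
            return verdict
        if event == "syn":
            if self.max_conn_per_src and self.conns[src] >= self.max_conn_per_src:
                return "DROP"  # concurrent connections per source exceeded
            self.conns[src] += 1
        elif event == "fin":
            self.conns[src] = max(0, self.conns[src] - 1)
        elif event == "http":
            self.http[src] += 1
            if self.max_http_per_src and self.http[src] > self.max_http_per_src:
                self.temp_block[src] = now + self.temp_block_secs
                self.http[src] = 0
                return "DROP"  # HTTP requests per source exceeded
        return "ACCEPT"


def demo():
    """Run constructed traffic through the policy and return the verdicts."""
    settings = {"blacklist": ["198.51.100.0/24"], "whitelist": ["203.0.113.10/32"],
                "temp_blacklist_seconds": 300, "conn_per_source": 2, "http_per_source": 3}
    rules = [{"name": "drop-telnet", "action": "DROP",
              "conditions": [("protocol", {"IPv4"}), ("dst_port", {23})]}]
    m = Mitigator(settings, rules)

    def pkt(ip, port):
        return {"src_ip": ip, "protocol": "IPv4", "dst_port": port}

    out = [m.handle("syn", pkt("198.51.100.7", 80), 0),   # blacklisted prefix
           m.handle("syn", pkt("203.0.113.10", 23), 0),   # whitelisted: rule bypassed
           m.handle("syn", pkt("192.0.2.5", 23), 0)]      # custom rule drops telnet
    out += [m.handle("syn", pkt("192.0.2.5", 80), 1) for _ in range(3)]  # 3rd exceeds 2
    out.append(m.handle("fin", pkt("192.0.2.5", 80), 2))  # one connection closes
    out.append(m.handle("syn", pkt("192.0.2.5", 80), 2))  # room for one more again
    out += [m.handle("http", pkt("192.0.2.9", 80), 10) for _ in range(4)]  # 4th blocks
    out.append(m.handle("syn", pkt("192.0.2.9", 80), 100))  # still temporarily blocked
    out.append(m.handle("syn", pkt("192.0.2.9", 80), 400))  # block has expired
    return out
```

The second verdict is the one to notice: the whitelisted source reaches port 23 even though a custom rule drops telnet, because whitelisting bypasses everything that follows it. The fourth-to-last verdict shows why the temporary blacklist duration matters: once a source exceeds the HTTP requests-per-source limit, every packet from it is dropped until the duration elapses, not just the excess requests.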

3.3 Application Firewall

Location: Home > Settings > Application Firewall

These are the settings for the web application firewall (WAF) for HTTP applications. The WAF applies a set of rules to each HTTP conversation. Custom rules determine the fate of incoming requests from the internet that match them.
The following must be noted about firewall rules:

  1. Rules form an ordered list, evaluated in priority order.
  2. The system supports at most 256 rules.
  3. A rule consists of a matching pattern, which can be a string or a regex.
  4. A rule specifies the locations in a request where the pattern should (or should not) be matched, and exceptions within those locations where it is not matched.
  5. A rule matches if the pattern matches in any of the rule's locations that is not covered by an exception.

How to add a firewall rule:
  1. Click the "ADD RULE" button.
  2. Enter the name and description of the rule and click "CONTINUE".
  3. Enter the pattern and pattern type, e.g. pattern "/" of type STRING.
  4. Select when to perform the action (If Matched / If Not Matched).
  5. Select an action, e.g. "LOG REQUEST", and click "CONTINUE".
  6. Optionally specify a URL if the pattern should be matched only for HTTP requests to that URL.
  7. Select the locations where the pattern should match, e.g. "HEADER" (HTTP headers), and click "CONTINUE".
  8. Optionally add exceptions for the selected locations and click "SAVE".
  9. Click "SAVE CHANGES" to apply the setting.
Run a new rule with the "LOG REQUEST" action first and review what it matches before switching it to a blocking action: a broad pattern such as the "/" example matches nearly every request (User-Agent and Referer headers almost always contain one) and would block legitimate traffic unless exceptions narrow it.
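The following is an added worked example, not HaltDos code: a Python model of the rule semantics above (string or regex pattern, If Matched / If Not Matched, optional URL scope, locations and per-location exceptions, priority order), run against a few constructed HTTP requests. The page names only the HEADER location and the LOG REQUEST action; the URL and BODY locations, the BLOCK REQUEST action, header names as the form an exception takes, URL-decoding before matching and first-match-wins evaluation are assumptions made for the illustration.

```python
"""Constructed model of the Application Firewall rule semantics in 3.3.
Added illustration, not HaltDos code. Assumed names: the locations URL,
HEADER and BODY (the page names only HEADER), the action BLOCK REQUEST (the
page names only LOG REQUEST), header names as the form an exception takes,
and first-match-wins evaluation of the priority-ordered list."""
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import unquote

MAX_RULES = 256


@dataclass
class WafRule:
    name: str
    pattern: str
    pattern_type: str = "STRING"          # STRING (substring) or REGEX
    when: str = "IF_MATCHED"              # IF_MATCHED or IF_NOT_MATCHED
    action: str = "LOG REQUEST"
    url: Optional[str] = None             # optional: only requests to this URL
    locations: tuple = ("HEADER",)
    exceptions: dict = field(default_factory=dict)  # location -> names to skip

    def __post_init__(self):
        self._regex = re.compile(self.pattern) if self.pattern_type == "REGEX" else None

    def _hit(self, text):
        if self._regex is not None:
            return self._regex.search(text) is not None
        return self.pattern in text

    def _texts(self, request):
        """Yield the text each selected location contributes, minus exceptions."""
        for loc in self.locations:
            skip = {s.lower() for s in self.exceptions.get(loc, ())}
            if loc == "URL":
                yield unquote(request["url"])   # match on the decoded path/query
            elif loc == "HEADER":
                for name, value in request["headers"].items():
                    if name.lower() not in skip:
                        yield f"{name}: {value}"
            elif loc == "BODY":
                yield request.get("body", "")

    def fires(self, request):
        if self.url is not None and request["url"] != self.url:
            return False  # scoped to another URL; rule does not apply
        hit = any(self._hit(t) for t in self._texts(request))
        return hit if self.when == "IF_MATCHED" else not hit


def evaluate(rules, request):
    """Return (rule name, action) of the first rule that fires, else None."""
    if len(rules) > MAX_RULES:
        raise ValueError("at most 256 firewall rules are supported")
    for rule in rules:
        if rule.fires(request):
            return rule.name, rule.action
    return None


RULES = [
    WafRule("sqli-probe", r"(?i)union\s+select", "REGEX", action="BLOCK REQUEST",
            locations=("URL", "BODY")),
    WafRule("log-admin", "/admin", locations=("URL",)),
    WafRule("require-ua", "User-Agent", when="IF_NOT_MATCHED", action="BLOCK REQUEST"),
    # The page's own example: pattern "/" in HEADER, logging only. Without the
    # exceptions it would fire on nearly every request (User-Agent, Referer).
    WafRule("log-slash-in-headers", "/",
            exceptions={"HEADER": ("User-Agent", "Referer")}),
]


def demo():
    """Evaluate constructed requests against RULES and return the outcomes."""
    base = {"Host": "example.com", "User-Agent": "Mozilla/5.0"}
    requests = [
        {"url": "/search?q=1%20union%20select%201", "headers": base},
        {"url": "/admin", "headers": base},
        {"url": "/index.html", "headers": {"Host": "example.com"}},
        {"url": "/index.html", "headers": base},
        {"url": "/index.html", "headers": dict(base, Referer="https://example.com/",
                                                Accept="text/html")},
    ]
    return [evaluate(RULES, r) for r in requests]
```

The third request shows the If Not Matched case: a request without a User-Agent header fires the "require-ua" rule precisely because nothing in HEADER matched. The last two requests differ only in their headers, and the exceptions on the "/" rule are what keep the ordinary request from being logged.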

4. Supported Platforms

4.1 Platforms
Haltdos has been tested on the following platforms and should also work on other Linux distributions. For queries, contact support at info@haltdos.com.

  1. Ubuntu 14.04, 16.04
  2. Fedora 25
  3. Amazon Linux

5. Uninstallation

Recommended Method:

  1. Log in to https://app.haltdos.com
  2. Select the application whose instance you want to delete.
  3. Go to instances in the sidebar and delete the instance.
Alternative Method:

To remove the setup from your system, run the following command:

For Debian/Ubuntu: sudo apt-get purge -y haltdos
For RPM-based distributions (Fedora, Amazon Linux): sudo yum -y remove haltdos