According to Neustar, in the first half of 2020, the global DDoS attack increased by 151%. Yesterday, a “96-year hacker DDOS attack Gao Em, the server is 5 hours” reported in the network, and today I shared one. Open Source Security Engine – CrowDsec can help you prevent DDoS attacks.

CrowDSec can analyze visitors’s behavior and provide an appropriate response for various attacks, which can resolve any source log and apply a heuristic scheme to identify an aggressive behavior and defend most of the attack categories.

SorfnetWorks is a headquartery technology company that provides customers with high-profile managed servers and DDoS protection solutions that provide examples of CrowDsec operating methods. Sorf’s customers will be affected by more than 10,000 machine zombie networks every day, and find a solution to DDOS attacks.

Although customers have adopted general precautions to mitigate these attacks, such as limit rates, but they are not feasible throughout the attack surface, SorfnetWorks first use Fail2ban (CrowdSec is also inspired by them) to set DDo mitigation strategies for their customers; But the speed is too slow, 50 minutes can only do some log processing, resist the DDoS attack of 7,000 to 10,000 computers.

When using the Rent Zombie Network for DDOS test, an attack from 8600 independent IPs will reach 6700 requests per second, which is captured from server traffic:

Although CrowDSec technology can cope with huge attacks, it can only process approximately 1000 endpoints per second. Thus, the Sorf team made changes to the CrowDsec configuration to significantly increase its throughput, followed by testing, tested 8,000 to 9,000 hosts, with an average of 6,000 to 7,000 per second. Final CrowDsec can have the following results:

Crowdsec extracts 95% of the zombus network in one minute, and the attack is effectively relieved to protect 15 domains from DDOS attacks.

CrowDsec’s processing procedure is divided into 5 steps:

Read the data source (log file, stream, path, message …) Match these signals and behavior (also known as scene) If you detect bad behavior, CrowDSec will take a variety of remedies, such as tissue, return 403, 2FA and other aggressive IPs, triggered scene names and timestamps will then be sent to the CrowdSec management platform (to avoid poisoning and false positives) If verified, this IP will be integrated into block list and continuously distribute to all CrowDsec customers. end

At present, CrowdSec has already starred in GitHub, 85 accumulated branches.

(GitHub Address:, if you are interested in CrowDSec, you can try it.