DDoS and DDon'ts
Note: To skip the story and immediately go to the script that will fetch Cloudflare IPs and whitelist them using ufw, scroll down.
An interesting thing happened today:
Someone contacted one of my clients and told them that he found a catastrophic regex backtracking vulnerability in one of their apps.
This was interesting, because the app is a simple Next.js site that doesn’t use regex.
Also, as far as I could see, Next.js doesn’t have any such vulnerabilities reported against it, so we were curious to figure out what was going on.
My client asked him to demonstrate the vulnerability, and he did.
Sure enough, it brought the service down, but it also brought down the entire server, which was a bit odd.
“Oh well”, I thought, “maybe it took up enough CPU to make the machine unresponsive”.
The reporter then asked for a fee of 6 ETH to give my client information about the vulnerability and how to fix it, and gave references from other services.
He even asked about possibly being hired by my client in a full-time position, to help with security.
Observing the vulnerability first-hand
I wanted to see the request for myself, though, so I could figure out which path it hits, reproduce it, and fix it.
I asked my client to put the reporter in touch with “their security person” (me), so I could ask for another demonstration, this time being ready with logs to see what was going on.
The reporter agreed, and I logged onto the server to look around for