FastGate is a Layer 7 DDoS protection gateway that combines multiple security mechanisms:
- WebAuthn - Hardware-backed authentication
- Proof-of-Work Challenges - Computational cost for requests
- Threat Intelligence - Federated indicator sharing (STIX/TAXII 2.1)
- Rate Limiting - Per-IP and per-token request throttling
- IP Binding - Trusted proxy validation
Never use the default test keys in production. Generate unique secrets:

```bash
# Generate cluster secret (for gossip encryption)
openssl rand -base64 32

# Generate token signing secret
openssl rand -base64 32
```

Update config.production.yaml:

```yaml
token:
  keys:
    v1: "YOUR_GENERATED_SECRET_HERE"
cluster:
  secret_key: "YOUR_GENERATED_SECRET_HERE"
```

If FastGate runs behind a load balancer or reverse proxy, configure trusted proxy CIDRs to prevent IP spoofing attacks:

```yaml
server:
  trusted_proxies:
    - "10.0.0.0/8"     # Internal VPC
    - "172.16.0.0/12"  # Load balancer subnet
```

Without this configuration, attackers can spoof X-Forwarded-For headers to bypass rate limiting.
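How a trusted-proxy check turns the configuration above into a client address that rate limiting can key on (this also covers the X-Forwarded-For spoofing scenario later on the page). This is an added example written for this page, not FastGate's own resolver; the CIDRs are the ones from the config and the peer/header values are constructed.

```go
package main

import (
	"net/netip"
	"strings"
)

// Trusted CIDRs mirror the server.trusted_proxies block above; the resolver
// itself is constructed for this example and is not FastGate's own code.
var trustedProxies = mustPrefixes("10.0.0.0/8", "172.16.0.0/12")

func mustPrefixes(cidrs ...string) []netip.Prefix {
	out := make([]netip.Prefix, 0, len(cidrs))
	for _, c := range cidrs {
		out = append(out, netip.MustParsePrefix(c))
	}
	return out
}

func isTrusted(ip netip.Addr, proxies []netip.Prefix) bool {
	for _, p := range proxies {
		if p.Contains(ip.Unmap()) {
			return true
		}
	}
	return false
}

// ClientIP returns the address rate limiting should key on. remoteAddr is the
// TCP peer; xff is the X-Forwarded-For value. The header is only believed when
// the peer is a trusted proxy, and it is walked from the right so that only
// hops appended by trusted proxies count: the first untrusted hop is the client
// and anything an attacker put to its left is ignored.
func ClientIP(remoteAddr, xff string, proxies []netip.Prefix) string {
	peer, err := netip.ParseAddr(remoteAddr)
	if err != nil || !isTrusted(peer, proxies) {
		return remoteAddr // untrusted peer: X-Forwarded-For is ignored
	}
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- {
		ip, err := netip.ParseAddr(strings.TrimSpace(hops[i]))
		if err != nil {
			return remoteAddr // malformed hop: fall back to the peer address
		}
		if !isTrusted(ip, proxies) {
			return ip.String()
		}
	}
	return remoteAddr // every hop was a trusted proxy
}
```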
AWS ALB/NLB:

```bash
aws ec2 describe-network-interfaces --filters "Name=description,Values=*ELB*" \
  --query 'NetworkInterfaces[*].PrivateIpAddresses[*].PrivateIpAddress'
```

GCP Load Balancer:

```bash
gcloud compute forwarding-rules list --format="value(IPAddress)"
```

NGINX/HAProxy:

```bash
# Check the actual connecting IP
grep "X-Forwarded-For" /var/log/nginx/access.log | awk '{print $1}' | sort -u
```

TLS:

```yaml
server:
  tls_enabled: true
  tls_cert_file: "/etc/fastgate/tls/cert.pem"
  tls_key_file: "/etc/fastgate/tls/key.pem"
cookie:
  secure: true  # Requires TLS
```

Let's Encrypt (Recommended):

```bash
certbot certonly --standalone -d example.com
```

Self-Signed (Development Only):

```bash
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
```

WebAuthn:

```yaml
webauthn:
  enabled: true
  rp_id: "example.com"  # MUST match your domain
  rp_name: "Example Application"
  rp_origins:
    - "https://example.com"  # MUST use HTTPS in production
```

Security Notes:
- `rp_id` must match the domain serving FastGate
- Origins must use HTTPS (browsers reject WebAuthn over HTTP except localhost)
- Attestation is validated against the WebAuthn specification

Proof-of-Work challenge:

```yaml
challenge:
  difficulty_bits: 16    # Higher = harder (12-20 recommended)
  ttl_sec: 60            # Challenge validity window
  nonce_rps_limit: 5.0   # Per-IP challenge request rate limit
```

Difficulty Guidelines:
- 12 bits: ~4ms on modern CPU (development)
- 16 bits: ~60ms (production, light protection)
- 18 bits: ~250ms (under attack)
- 20 bits: ~1s (extreme DDoS)
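Why the difficulty table scales the way it does: each extra bit doubles the client's expected work while the server's check stays a single hash. The block below is an added example, not FastGate's challenge implementation; it assumes a hashcash-style layout (SHA-256 over nonce || counter, target expressed as leading zero bits) and the difficulty_bits and ttl_sec settings from the config above.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"math/bits"
	"time"
)

// Challenge mirrors difficulty_bits and ttl_sec above. The hash layout (SHA-256 over
// nonce||counter, leading-zero-bit target) is this example's assumption, not FastGate's format.
type Challenge struct {
	Nonce      []byte
	Difficulty int           // difficulty_bits
	IssuedAt   time.Time
	TTL        time.Duration // ttl_sec
}

// LeadingZeroBits counts zero bits from the start of a SHA-256 digest.
func LeadingZeroBits(sum [32]byte) int {
	for i, b := range sum {
		if b != 0 {
			return i*8 + bits.LeadingZeros8(b)
		}
	}
	return 256
}
func digest(c Challenge, counter uint64) [32]byte {
	buf := make([]byte, len(c.Nonce)+8)
	copy(buf, c.Nonce)
	binary.BigEndian.PutUint64(buf[len(c.Nonce):], counter)
	return sha256.Sum256(buf)
}

// Solve is the client's work: ~2^Difficulty hashes on average, so 16 bits is
// roughly 65k hashes and 20 bits roughly 1M, matching the guideline timings.
func Solve(c Challenge) uint64 {
	for counter := uint64(0); ; counter++ {
		if LeadingZeroBits(digest(c, counter)) >= c.Difficulty {
			return counter
		}
	}
}

// Verify is the server's cheap check: one hash plus the ttl_sec window; consuming
// the challenge so it cannot be replayed happens outside this function.
func Verify(c Challenge, counter uint64, now time.Time) bool {
	if now.After(c.IssuedAt.Add(c.TTL)) {
		return false
	}
	return LeadingZeroBits(digest(c, counter)) >= c.Difficulty
}
```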
```yaml
policy:
  challenge_threshold: 30  # Score >= 30 triggers challenge
  block_threshold: 100     # Score >= 100 blocks immediately
  ip_rps_threshold: 100    # Requests per 10s per IP
  paths:
    - pattern: "^/api/admin"
      base: 20             # High-value endpoints get base score
```

Risk Score Components:
- Path base: 0-50 (configured per path)
- Mutating methods (POST/PUT/DELETE): +15
- WebSocket upgrade: +10
- Missing User-Agent: +15
- Headless User-Agent: +15
- Missing Accept-Language: +10
- Invalid/expired token: +10
- IP RPS exceeded: +0-30 (proportional)
- Threat Intel match: +0-50 (based on confidence)
- Under Attack mode: +15
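A scorer that applies the weights and thresholds listed above, as an added example (not FastGate's scoring code). The request-feature struct, the prefix match standing in for the regex path rule, and the exact proportional formulas for the IP RPS and threat-intel components are assumptions made here; the page only gives their ranges.

```go
package main

import "strings"

// Weights and thresholds follow the policy block and Risk Score Components above;
// the Request struct and the proportional formulas are this example's assumptions.
type Request struct {
	Path, Method, UserAgent, AcceptLanguage string
	WebSocketUpgrade, TokenInvalid, UnderAttack bool
	IPRequestsPer10s float64 // compared with ip_rps_threshold (100 per 10s)
	ThreatConfidence float64 // 0 without a threat-intel match, else 0..1
}
// pathBase stands in for the config's regex path rules (prefix -> base 0-50).
var pathBase = map[string]int{"/api/admin": 20}
func pts(hit bool, n int) int {
	if hit {
		return n
	}
	return 0
}
// Evaluate returns the risk score and the resulting action (allow/challenge/block).
func Evaluate(r Request) (int, string) {
	score := 0
	for prefix, base := range pathBase {
		if strings.HasPrefix(r.Path, prefix) {
			score += base
		}
	}
	mutating := r.Method == "POST" || r.Method == "PUT" || r.Method == "DELETE"
	headless := strings.Contains(strings.ToLower(r.UserAgent), "headless")
	score += pts(mutating, 15) + pts(r.WebSocketUpgrade, 10) + pts(r.UserAgent == "", 15) +
		pts(headless, 15) + pts(r.AcceptLanguage == "", 10) + pts(r.TokenInvalid, 10) +
		pts(r.UnderAttack, 15)
	// IP RPS: +0-30, scaling with how far over its 10s budget the IP is (capped)
	if p := int(30 * (r.IPRequestsPer10s - 100) / 100); p > 0 {
		if p > 30 {
			p = 30
		}
		score += p
	}
	score += int(50 * r.ThreatConfidence) // threat intel: +0-50 by confidence
	action := "allow"
	switch {
	case score >= 100: // block_threshold
		action = "block"
	case score >= 30: // challenge_threshold
		action = "challenge"
	}
	return score, action
}
```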
- ✅ Challenge Replay Prevention - Challenges consumed before verification
- ✅ Origin Validation - Explicit origin checks for WebAuthn
- ✅ Request Smuggling Detection - Dual Content-Length/Transfer-Encoding headers rejected
- ✅ Open Redirect Prevention - URL decoding to prevent encoding bypasses
- ✅ Constant-Time Crypto - Prevents timing side-channel attacks
- ✅ Goroutine Leak Prevention - Timers cleaned up on shutdown
- ✅ Content-Length Validation - Body size checked before reading
- ✅ JWT Algorithm Validation - "none" algorithm explicitly rejected
- ✅ Security Headers - CSP, X-Frame-Options, HSTS, X-Content-Type-Options
- ✅ Rate Limiter Monitoring - Alerts at 90% capacity
Defense in depth:
- Network Layer: Trusted proxy validation, IP-based rate limiting
- Application Layer: Challenge/response, risk scoring, JWT validation
- Authentication Layer: WebAuthn with hardware attestation
- Intelligence Layer: TAXII threat feed integration

Protects against:
- Layer 7 DDoS: High request rate attacks, application-level floods
- Credential Stuffing: Automated login attempts
- Bot Traffic: Scrapers, vulnerability scanners
- Account Takeover: Unauthorized access attempts

Does not protect against (use complementary controls):
- Layer 3/4 DDoS: Network floods (use cloud DDoS protection)
- Zero-Day Vulnerabilities: In upstream applications (use WAF)
- Physical Security: Server access (use datacenter security)
- Social Engineering: Phishing, pretexting (use security awareness training)
Attack: Attacker floods server with 10,000 req/s from botnet

Mitigation:
- IP RPS limiter triggers at configured threshold (e.g., 100 req/10s)
- Risk score increases, challenge triggered
- Bots fail PoW challenge (16 bits = ~60ms each)
- Effective rate reduced to ~17 req/s per bot
- Threat intel publishes attacker IPs to peer nodes

Attack: Attacker spoofs X-Forwarded-For header

- Without Trusted Proxies: ❌ Attack succeeds, rate limiting bypassed
- With Trusted Proxies: ✅ XFF ignored from untrusted source, real IP used

Attack: Attacker attempts to register with software authenticator

Mitigation:
- Attestation format validated (packed, fido-u2f, etc.)
- Test authenticators rejected if using known test AAGUID
- Origin strictly validated against configured `rp_origins`
- Challenge consumed before verification (prevents replay)

Attack: Dual Content-Length and Transfer-Encoding headers

Mitigation: Request rejected with warning log before proxying

Attack: `return_url=//evil.com` or `return_url=%2F%2Fevil.com`

Mitigation: URL decoded and validated to ensure path-only, same-origin redirect
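The decode-then-validate order matters: a textual prefix test on the raw value passes `%2F%2Fevil.com`, which the browser turns into a protocol-relative redirect. The function below is an added example of that check (not FastGate's code); it also rejects the backslash and double-encoded variants, which the page does not list but which the same rule covers.

```go
package main

import (
	"net/url"
	"strings"
)

// SafeReturnURL validates a return_url the way the mitigation above describes:
// percent-decode first so %2F%2Fevil.com cannot hide from a textual check, then
// require a same-origin, path-only target. Example code, not FastGate's own.
// It returns the redirect target to emit and whether the value was accepted.
func SafeReturnURL(raw string) (string, bool) {
	decoded, err := url.PathUnescape(raw)
	if err != nil {
		return "", false
	}
	// Protocol-relative (//evil.com), backslash variants (/\evil.com, which
	// browsers treat as //evil.com) and control characters are all rejected.
	if !strings.HasPrefix(decoded, "/") || strings.HasPrefix(decoded, "//") ||
		strings.ContainsAny(decoded, "\\\r\n\t\x00") {
		return "", false
	}
	u, err := url.Parse(decoded)
	if err != nil || u.Scheme != "" || u.Host != "" || u.User != nil {
		return "", false // absolute URL or authority component present
	}
	// url.Parse decodes the path again, so a double-encoded %252F%252F would
	// surface here as a leading "//"; reject that too.
	if !strings.HasPrefix(u.Path, "/") || strings.HasPrefix(u.Path, "//") {
		return "", false
	}
	target := u.Path
	if u.RawQuery != "" {
		target += "?" + u.RawQuery
	}
	return target, true
}
```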
Instead of storing secrets in config files, use environment variables:

```bash
export FASTGATE_TOKEN_SECRET=$(openssl rand -base64 32)
export FASTGATE_CLUSTER_SECRET=$(openssl rand -base64 32)
```

Update config loader to read from environment (custom implementation required).

```bash
chmod 600 config.production.yaml  # Only owner can read
chown fastgate:fastgate config.production.yaml
```

Kubernetes:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: fastgate-secrets
type: Opaque
data:
  token-secret: <base64-encoded-secret>
  cluster-secret: <base64-encoded-secret>
```

HashiCorp Vault:

```bash
vault kv put secret/fastgate/prod \
  token_secret=$(openssl rand -base64 32) \
  cluster_secret=$(openssl rand -base64 32)
```

Prometheus alert expressions:

```promql
# Rate limit hits (potential attack)
rate(fastgate_rate_limit_hits_total[5m]) > 100

# High block rate (active attack)
rate(fastgate_authz_decision_total{action="block"}[5m]) > 50

# Challenge solve rate (bot detection effectiveness)
fastgate_challenge_solved_total / fastgate_challenge_started_total < 0.5

# High error rate (potential issue)
rate(fastgate_proxy_errors_total[5m]) > 10
```
- All `block` decisions with full context
- Rate limit violations
- WebAuthn registration failures
- Challenge validation failures
- Threat intel matches
- Enable Under Attack Mode:

  ```yaml
  modes:
    under_attack: true  # Adds +15 to all risk scores
  ```

- Increase Challenge Difficulty:

  ```yaml
  challenge:
    difficulty_bits: 20  # ~1s per challenge
  ```

- Lower Thresholds:

  ```yaml
  policy:
    challenge_threshold: 20  # More aggressive
  ```

- Review Logs:

  ```bash
  kubectl logs -f deployment/fastgate | grep "decision=block"
  ```
- Export threat intel indicators
- Share with TAXII peers
- Review policy effectiveness
- Update scoring weights if needed
- IP addresses are logged (consider data minimization)
- WebAuthn credentials are hardware-bound (no PII stored)
- Implement data retention policy for logs
PCI DSS mapping:
- TLS required (Requirement 4.1)
- Strong cryptography (Requirement 3.5/3.6)
- Access control via WebAuthn (Requirement 8.3)
- Logging and monitoring (Requirement 10)
DO NOT open public GitHub issues for security vulnerabilities.
Contact: [email protected] (update this)
Include:
- Detailed description
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- 2025-11-19: Comprehensive security audit (Grade: A)
- 9 critical fixes implemented
- Test key validation enforced
- Trusted proxy validation added
- Constant-time crypto implemented