
probably not the first DDoS protection system

Open · anarcat opened this issue 2 years ago · 1 comment

Hi!

Interesting project you have there! But I think I have an objection to the tagline in the github project:

The first open-source DDoS protection system

I believe that is overstating it a little. Gatekeeper might have things that are new, but it's certainly not the first "open source DDoS protection system". For example, off the top of my head, there's at least learn2ban. And, to a certain extent, tools like fail2ban also fall in the category of "DDoS protection systems". That might not be their primary target, but they can be configured as such. In fact, just plain firewall rate limiting (e.g. netfilter and others) could count as a DDoS protection system.

So if you want to make such a bold claim, you need to attach some more specific material to it. Maybe something like "high performance" or "high volume", but otherwise "first" is inaccurate here and just hurts your reputation with people who know about that kind of stuff. :)

But, as I said, really interesting (and probably unique) project nevertheless.

anarcat, Mar 28 '22 13:03

Hi @anarcat,

Thank you for bringing this issue up. Hopefully, this discussion will lead us to a better tagline. This outcome would be wonderful since it would help newcomers. The weakest word in our tagline is "system", and we've chosen it because it carries the implicit meaning of including all needed components to work.

Gatekeeper detects and filters infrastructure DDoS attacks on IPv4 and IPv6 packets. As I learned from Learn2Ban's documentation, it detects abuse of HTTP. Although Fail2Ban supports more protocols, it's blind to common floods and amplification DDoS attacks, since these kinds of attacks may not generate log entries. Moreover, these two projects rely on another component, such as a firewall, to perform the filtering. This is not to say that these projects cannot augment a Gatekeeper deployment with the threat intelligence that they produce.

People who have Gatekeeper in production have noticed that Gatekeeper goes beyond dealing with DDoS attacks, since it does something that we've been calling "network traffic orchestration". For example, a policy may allocate less bandwidth to email or any other less latency-sensitive traffic during rush hours, and generously allocate bandwidth to those protocols during no man's hours. Another example is to punish flows that do not behave in a TCP-friendly manner. Given this insight, we foresee future features to enhance this perspective, such as load balancing of flows.

So, why don't we change our tagline to reflect the orchestration insight? Because this insight confuses newcomers more than it helps them. We, and everyone we are aware of who deployed Gatekeeper, did so to deal with DDoS, not to orchestrate traffic.

AltraMayor, Mar 29 '22 13:03
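The distinction the two comments draw, between log-driven tools (fail2ban, learn2ban) and packet-level filtering (netfilter rate limits, Gatekeeper), is easy to see on data. The following is an added example written for this page; it is not code from Gatekeeper, fail2ban or learn2ban. Everything in it is constructed: the access-log lines, the packet stream, the addresses (RFC 5737 and RFC 2544 ranges), and the thresholds. A fail2ban-style detector reads only the HTTP log and bans a brute-forcer, but it never sees a DNS amplification flood because those UDP packets produce no application log entry; a per-destination packet-rate detector, the kind of check a firewall or a packet filter like Gatekeeper can run, flags the same flood and distinguishes it from one noisy client by counting distinct sources and reflector service ports.

```python
"""Log-based versus packet-level DDoS detection on constructed sample data.

Added example for this thread, not project code. All inputs are constructed.
"""
import re
from collections import defaultdict

# Constructed HTTP access-log lines, as a log-based tool such as fail2ban reads them.
# 203.0.113.7 is a made-up brute-forcer; 192.0.2.5 is a made-up legitimate client.
ACCESS_LOG = [
    '203.0.113.7 - - [28/Mar/2022:13:03:01 +0000] "POST /login HTTP/1.1" 401 0',
    '192.0.2.5 - - [28/Mar/2022:13:03:02 +0000] "GET / HTTP/1.1" 200 512',
    '203.0.113.7 - - [28/Mar/2022:13:03:02 +0000] "POST /login HTTP/1.1" 401 0',
    '203.0.113.7 - - [28/Mar/2022:13:03:03 +0000] "POST /login HTTP/1.1" 401 0',
    '203.0.113.7 - - [28/Mar/2022:13:03:04 +0000] "POST /login HTTP/1.1" 401 0',
    '203.0.113.7 - - [28/Mar/2022:13:03:05 +0000] "POST /login HTTP/1.1" 401 0',
    '192.0.2.5 - - [28/Mar/2022:13:03:06 +0000] "GET /about HTTP/1.1" 200 1024',
]

LOG_RE = re.compile(r'^(?P<src>\S+) .*?\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')

# Assumed reflector service ports for the amplification heuristic (DNS, NTP, SSDP, memcached).
REFLECTOR_PORTS = {53, 123, 1900, 11211}


def log_based_bans(lines, max_failures=5):
    """fail2ban-style rule: ban a source after max_failures 401/403 responses.

    It can only react to what an application wrote to its log.
    """
    failures = defaultdict(int)
    banned = set()
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("status") in ("401", "403"):
            failures[m.group("src")] += 1
            if failures[m.group("src")] >= max_failures:
                banned.add(m.group("src"))
    return banned


def build_packets():
    """Constructed packet stream: legitimate HTTP plus a DNS amplification flood.

    Records are (timestamp, src, dst, proto, sport, dport, length). The flood is
    UDP from source port 53 on 200 made-up reflectors (198.18.0.0/24) towards the
    victim 198.51.100.10. No service on the victim logs these packets, so the
    access log above never mentions them.
    """
    pkts = []
    for i in range(20):  # 20 legitimate HTTP packets over one second
        pkts.append((1000.0 + i * 0.05, "192.0.2.5", "198.51.100.10", "tcp", 40000 + i, 80, 120))
    for r in range(200):  # 200 reflectors x 10 large DNS responses within one second
        for j in range(10):
            pkts.append((1000.0 + (r * 10 + j) / 2000.0, f"198.18.0.{r}", "198.51.100.10",
                         "udp", 53, 33333, 1400))
    return pkts


def packet_rate_alerts(packets, window=1.0, pps_threshold=500):
    """Packet-level check: peak per-destination packets per second in a sliding
    window, the number of distinct sources, and whether most bytes came from
    UDP reflector service ports (amplification signature).

    Returns {dst: (peak_pps, distinct_sources, looks_amplified)} for every
    destination whose peak rate reaches pps_threshold.
    """
    by_dst = defaultdict(list)
    for ts, src, dst, proto, sport, dport, length in packets:
        by_dst[dst].append((ts, src, proto, sport, length))
    alerts = {}
    for dst, recs in by_dst.items():
        recs.sort(key=lambda r: r[0])
        peak, start = 0, 0
        for end in range(len(recs)):
            while recs[end][0] - recs[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak / window < pps_threshold:
            continue
        total = sum(r[4] for r in recs)
        ampl = sum(r[4] for r in recs if r[2] == "udp" and r[3] in REFLECTOR_PORTS)
        alerts[dst] = (peak / window, len({r[1] for r in recs}), ampl / total > 0.5)
    return alerts


if __name__ == "__main__":
    print("log-based bans:", log_based_bans(ACCESS_LOG))
    print("packet-level alerts:", packet_rate_alerts(build_packets()))
```

Run as a script: the log-based detector bans only the brute-forcer, while the packet-level detector reports the victim address at roughly 2000 packets per second from 201 distinct sources with an amplification signature, none of which the log-based rule could have seen. The thresholds are illustrative; a real deployment would tune them per destination and protocol, which is precisely the policy layer the Gatekeeper reply describes.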