
I'm in the process of writing a highly scalable browser-based web chat server using nodejs. The concept involved is simple - first it checks the browser for websocket support. If not supported or otherwise incompatible with the server specs, it simply downgrades gracefully to traditional long polling.

Taking advantage of its highly evented I/O model, I could not find any other framework out there so far that is as good a fit as nodejs for this kind of job. However, I have an issue relating to DOS attacks for which I decided to come up with a simple solution. However, I'm not so sure if it would be the most ideal way to combat those massive flooding attacks.

What I plan to do is - if 50 requests or more, originating from a single IP address, hit the server within a specific length of time (say 1 second), then deny all further requests from that IP until that specific time interval lapses, and so on.

Is this gonna be okay?

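The scheme described in the question, written out as an added example (not code from the original post): a fixed-window counter per source address that refuses the address once the per-window limit is reached and starts over when the window lapses. It assumes node terminates the TCP connection itself (behind a reverse proxy `remoteAddress` would be the proxy's address), and the `sweep()` method is included because a per-IP table grows without bound unless lapsed entries are dropped.

```javascript
// Added example, not code from the original post: a fixed-window per-IP
// limiter implementing the question's scheme (50 requests from one address
// within one second, then refuse that address until the window lapses).
class FixedWindowLimiter {
  constructor(limit = 50, windowMs = 1000) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.buckets = new Map(); // ip -> { windowStart, count }
  }

  // True if the request from `ip` arriving at `now` (ms) should be served.
  // Call with req.socket.remoteAddress before handing the request to the
  // chat logic; a refused request would get a 429 and be closed immediately.
  allow(ip, now = Date.now()) {
    let b = this.buckets.get(ip);
    if (!b || now - b.windowStart >= this.windowMs) {
      // No bucket yet, or the previous window has lapsed: start a fresh one.
      b = { windowStart: now, count: 0 };
      this.buckets.set(ip, b);
    }
    b.count += 1;
    return b.count <= this.limit;
  }

  // Remove lapsed buckets so the map cannot grow without bound when an
  // attacker rotates source addresses; run this periodically (setInterval).
  sweep(now = Date.now()) {
    for (const [ip, b] of this.buckets) {
      if (now - b.windowStart >= this.windowMs) this.buckets.delete(ip);
    }
    return this.buckets.size;
  }
}

// Constructed scenario (addresses are documentation ranges): an unrelated
// client, 60 requests from one address inside a single window, one request
// from that address after the window lapses, then a sweep.
function simulate() {
  const limiter = new FixedWindowLimiter();
  const otherClient = limiter.allow('198.51.100.2', 1000);
  const burst = [];
  for (let i = 0; i < 60; i++) burst.push(limiter.allow('203.0.113.7', 1000 + i));
  return {
    otherClient,                                      // true
    allowedInBurst: burst.filter(Boolean).length,     // 50
    afterLapse: limiter.allow('203.0.113.7', 2000),   // true
    bucketsAfterSweep: limiter.sweep(2000),           // 1 (only the fresh bucket survives)
  };
}
```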
  • +1 - Perhaps I just haven't looked but nobody seems to have touched much on the issue of Node DoS attacks. – Bojangles Feb 07 '13 at 16:19
  • One thing I found out that's very handy is to use the setTimeout function to lower the timeouts on all incoming and outgoing connections. The default is two minutes. If something goes wrong, that's two minutes of having to keep connection resources around when you should just throw them away. 10-20 seconds works much better. – Erin May 11 '13 at 05:09

1 Answer

This doesn't deal with DDOS attack -- Distributed Denial of Service -- where many IPs are used, and when you need to continue serving some machines that are inside the same firewall as machines involved in the attack.

Often machines used in DDOS are zombie machines that have been taken over. When a DDOS against a large target starts, per-IP throttling may ban all machines from the same fire-walled LAN. This can cause really bad PR for large companies when machines at, for example, the New York Times are infected and used in the DDOS, and Times' reporters check to see if the company's website is down, and are blocked leading them to report that the attack was much more successful than it actually was.

To continue providing service in the face of a DDOS, you really need to block requests based on common elements of the request itself, not just IP. security.se may be the best forum for specific advice on how to do that.

  • Actually, the server is origin specific, that is, any request coming from a domain other than the one that is already specified in the server will be outright denied. If this would mean anything! – spaceman12 Feb 07 '13 at 16:39
  • @spaceman12, Could you expand on what you mean by "origin specific"? Do you mean that the server already rejects requests not from a group of whitelisted IPs and you're worried about subversion of or malfunction by those machines? – Mike Samuel Feb 07 '13 at 16:44
  • By 'origin specific', what I actually mean is: since this is a browser-based web app, the server is written with the intent of serving only requests that come from a particular domain (origin in header). For example, I may choose to serve only those requests coming from stackoverflow.com and ignore any others. – spaceman12 Feb 07 '13 at 16:59
  • @spaceman12, Unfortunately, DOS attacks, unlike XSRF, don't need to originate from real browsers, so any headers that don't contain closely-held and unguessable nonces can be spoofed. – Mike Samuel Feb 07 '13 at 18:02
  • A year late. But couldn't you just let the client know that he has been suspected of being part of a Botnet? And then give him the tools to remove it? Then, after a certain interval, he would be able to log on again. And hopefully clean all computers connected to that IP – Schoening Feb 15 '14 at 12:42
  • @Schoening, Machines tend not to have dedicated email addresses or phone numbers that are reachable independently from the compromised hardware, so you can only do that if you have a way of sending a message to the human who is supposed to own a particular machine. – Mike Samuel Feb 15 '14 at 13:05
  • Thank you for the fast reply @MikeSamuel. But what I meant is something like this: If IP Blocked: Send "Your IP was part of a Ddos attack, please check all machines using the hardware for BotNet" – Schoening Feb 15 '14 at 13:23
  • @Schoening, That's a fine idea. It has other practical benefits, like letting non-techies like NYTimes reporters whose machines are all infected with malware know that machines on their local network are part of the DDOS, before they write angry articles about your site being down. – Mike Samuel Feb 15 '14 at 15:21
  • Yay :p ! So does this effectively prevent Ddos then? No IP access, No power right? – Schoening Feb 15 '14 at 17:09
  • @Schoening, it doesn't prevent all DDOS. If the attacker is trying to clog a network bottleneck between you and your clients instead of just overloading your servers, then affected parties might just see a high rate of dropped packets and never get your explanation. In that case though, dropping requests doesn't help. – Mike Samuel Feb 15 '14 at 17:47
  • Thanks for all the information. I am sure it can become handy for me at some point :) – Schoening Feb 15 '14 at 18:04