9

What is the best methods for protecting a site form DoS attack. Any idea how popular sites/services handles this issue?.

what are the tools/services in application, operating system, networking, hosting levels?.

it would be nice if some one could share their real experience they deal with.

Thanks

Mahes
  • 3,938
  • 1
  • 34
  • 39

4 Answers4

3

I've never had to deal with this yet, but a common method involves writing a small piece of code to track IP addresses that are making a large amount of requests in a short amount of time and denying them before processing actually happens.

Many hosting services provide this along with hosting, check with them to see if they do.

fmt
  • 993
  • 9
  • 18
  • 2
    just wondering, if the attacker spoofs ip address then this technique will not be of much help...i just heard about ip spoofing can be done but not sure how practical it will be – Mahes Nov 24 '10 at 03:45
  • 1
    If your attacker is sending malicious packets at such a low level that he/she lies on the packet routing information, then the only method that I can think of is to check for malformed TCP packets or HTTP requests, as attackers will often skip some of the details to save speed. Of course this is a gigantic pain, so its usefulness depends on how much you fear a DDoS attack. – fmt Nov 24 '10 at 14:37
3

Sure you mean DoS not injections? There's not much you can do on a web programming end to prevent them as it's more about tying up connection ports and blocking them at the physical layer than at the application layer (web programming).

In regards to how most companies prevent them is a lot of companies use load balancing and server farms to displace the bandwidth coming in. Also, a lot of smart routers are monitoring activity from IPs and IP ranges to make sure there aren't too many inquiries coming in (and if so performs a block before it hits the server).

Biggest intentional DoS I can think of is woot.com during a woot-off though. I suggest trying wikipedia ( http://en.wikipedia.org/wiki/Denial-of-service_attack#Prevention_and_response ) and see what they have to say about prevention methods.

Brad Christie
  • 100,477
  • 16
  • 156
  • 200
3

I implemented this once in the application layer. We recorded all requests served to our server farms through a service which each machine in the farm could send request information to. We then processed these requests, aggregated by IP address, and automatically flagged any IP address exceeding a threshold of a certain number of requests per time interval. Any request coming from a flagged IP got a standard Captcha response, if they failed too many times, they were banned forever (dangerous if you get a DoS from behind a proxy.) If they proved they were a human the statistics related to their IP were "zeroed."

Macy Abbey
  • 3,877
  • 1
  • 20
  • 30
  • 2
    There are also techniques you can use to deny requests which reveal themselves as automated services. The User-Agent header is often indicative of this. Checkout this post, it has a lot of good information. http://success.grownupgeek.com/index.php/2009/08/22/how-block-proxies/ – Macy Abbey Nov 24 '10 at 00:25
1

Well, this is an old one, but people looking to do this might want to look at fail2ban.

http://go2linux.garron.me/linux/2011/05/fail2ban-protect-web-server-http-dos-attack-1084.html

That's more of a serverfault sort of answer, as opposed to building this into your application, but I think it's the sort of problem which is most likely better tackled that way. If the logic for what you want to block is complex, consider having your application just log enough info to base the banning policy action on, rather than trying to put the policy into effect.

Consider also that depending on the web server you use, you might be vulnerable to things like a slow loris attack, and there's nothing you can do about that at a web application level.

mc0e
  • 2,699
  • 28
  • 25