Best practices for detecting DOS (denial of service) attacks? [closed]

Question

I am looking for best practices for detecting and preventing DOS in the service implementation (not external network monitoring). The service handles queries for user, group and attribute information.

What is your favorite source of information on dealing with DOS?

Answer 1

Whatever you do against DoS-Attacks, think if what you do may actually increase the the load required to handle malicious or unwanted requests!

If you are using Linux then you should read this article:
Rule-based DoS attacks prevention shell script (from Linux Gazette) It has the following topics:

• How to detect DoS attacks from /var/log/secure file
• How to reduce redundant detected IPs from the temporary file
• How to activate /sbin/iptables
• How to install the proposed shell script

Applying this without properly restricting the number of blocked IPs in iptables may intro a DoS-Vulnerability by increasing the requiered resources to handel unsolicited requests. To reduces that risk use ipset to match IP-Addresses in iptables.

Also, read about ssh dictionary attack prevention using iptables. (enabling iptables with stateful firewalling as suggested here does not protect against most DoS-Attacks against but may actually ease DoS-Attacks that pollute your RAM with useless state info.)

New to Linux? read the Windows-to-Linux roadmap: Part 5. Linux logging of IBM.

Good Luck!

Answer 2

This is a technique I found very useful..

Prevent Denial of Service (DOS) attacks in your web application