Blocking IP addresses, preventing DoS attacks

So this is more of a general question on the best practice of preventing DoS attacks. I'm just trying to get a grasp on how most people handle malicious requests from the same IP address, which is the problem we are currently having.

I figure it's better to block the IP of a truly malicious IP as high up as possible so as to prevent using more resources, especially when it comes to loading your application.

Thoughts?

JP Silvashy asked Aug 27 '10 17:08

1 Answer

You can prevent DoS attacks from occurring in various ways.

  • Limiting the number of queries/second from a particular IP address. Once the limit is reached, you can send a redirect to a cached error page to limit any further processing. You might also be able to get these IP addresses firewalled so that you don't have to process their requests at all. Limiting requests per IP address won't work very well though if the attacker forges the source IP address in the packets they are sending.
  • I'd also be trying to build some smarts into your application to help deal with a DoS. Take Google Maps as an example. Each individual site has to have its own API key which I believe is limited to 50,000 requests per day. If your application worked in a similar way, then you'd want to validate this key very early on in the request so that you don't use too many resources for the request. Once the 50,000 requests for that key are used, you can send appropriate proxy headers such that all future requests (for the next hour for example) for that key are handled by the reverse proxy. It's not foolproof though. If each request has a different URL, then the reverse proxy will have to pass through the request to the backend server. You would also run into a problem if the DDoS used lots of different API keys.
  • Depending on the target audience for your application, you might be able to blacklist large IP ranges that contribute significantly to the DDoS. For example, if your web service is for Australians only, but you were getting a lot of DDoS requests from some networks in Korea, then you could firewall the Korean networks. If you want your service to be accessible by anyone, then you're out of luck on this one.
  • Another approach to dealing with a DDoS is to close up shop and wait it out. If you've got your own IP address or IP range then you, your hosting company or the data centre can null route the traffic so that it goes into a black hole.

Referenced from here. There are other solutions on the same thread too.

YoK answered Oct 16 '22 06:10
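The first two points of the answer (a per-source-address request cap that short-circuits to a cacheable error page, and an API-key check done before the application does any real work) are easy to sketch as a small gatekeeper that sits in front of the app. The following is an added example written for this page, not code from the answer or from any project it mentions; the class and function names (`SlidingWindowLimiter`, `Gatekeeper`, `check_request`, `client_ip`), the limits, the header values and the sample addresses are all assumptions chosen for illustration. Timestamps are passed in explicitly so the behaviour is deterministic; a real server would pass `time.monotonic()`.

```python
# Added example: per-IP rate limiting plus an early API-key quota check,
# modelling the first two bullets of the answer above. Not code from the
# original post; all names, limits and sample values are assumptions.
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)   # key -> timestamps still inside the window

    def allow(self, key, now):
        events = self._events[key]
        # Drop timestamps that have fallen out of the window.
        while events and events[0] <= now - self.window:
            events.popleft()
        if len(events) >= self.limit:
            return False                    # over the limit: reject, record nothing
        events.append(now)
        return True


def client_ip(remote_addr, x_forwarded_for, trusted_proxies):
    """Pick the address to rate-limit on.

    Anyone can write arbitrary values into X-Forwarded-For, so only the
    entry appended by our own reverse proxy (the last one) is used, and
    only when the TCP peer really is one of our trusted proxies.
    """
    if remote_addr in trusted_proxies and x_forwarded_for:
        return x_forwarded_for.split(",")[-1].strip()
    return remote_addr


class Gatekeeper:
    """Cheap checks that run before any application code is touched."""

    def __init__(self, per_ip=10, per_ip_window=1.0,
                 per_key=50_000, per_key_window=86_400, valid_keys=()):
        self.ip_limiter = SlidingWindowLimiter(per_ip, per_ip_window)
        self.key_limiter = SlidingWindowLimiter(per_key, per_key_window)
        self.valid_keys = set(valid_keys)

    def check_request(self, ip, api_key, now):
        """Return (status, headers); status 200 means hand the request to the app."""
        # 1. Per-IP cap. On overflow, redirect to a static, cacheable error
        #    page so neither the app nor the database does further work.
        if not self.ip_limiter.allow(ip, now):
            return 302, {"Location": "/errors/too-many-requests.html",
                         "Cache-Control": "public, max-age=60"}
        # 2. Validate the API key as early as possible; unknown keys are
        #    rejected before any expensive lookup.
        if api_key not in self.valid_keys:
            return 403, {"Cache-Control": "no-store"}
        # 3. Per-key daily quota. Once exhausted, the headers tell the
        #    reverse proxy to serve this answer itself for the next hour.
        if not self.key_limiter.allow(api_key, now):
            return 429, {"Retry-After": "3600",
                         "Cache-Control": "public, max-age=3600"}
        return 200, {}


if __name__ == "__main__":
    # Constructed sample traffic: one client bursting past a 3 req/s cap.
    gk = Gatekeeper(per_ip=3, per_ip_window=1.0, per_key=5,
                    per_key_window=3600, valid_keys={"key-A"})
    for t in (0.0, 0.1, 0.2, 0.3):
        print(t, gk.check_request("203.0.113.5", "key-A", t))
```

Two caveats follow from the answer itself: the per-IP counter only works when the address is genuine, so when the service sits behind a reverse proxy it must key on the address that proxy saw (hence `client_ip`), and the per-key quota is defeated by an attacker holding many keys, which is why the answer treats these as one layer and keeps firewalling and null-routing as the fallbacks.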