
DDOS attack: defending with Thread.Sleep()?

Tags: asp.net, ddos

If I introduce a Thread.Sleep(x) delay while rendering my HTTP response, where x would change depending on the rate of requests from a given IP: from being zero while request rate is low, and gradually increasing if requests are following one after another.

Is this a viable solution to protect against a DDOS?

What are the weak points?

Andy asked Jun 19 '11 06:06


3 Answers

No, it doesn't protect against DDOS attacks. It protects the CPU from being overloaded, but it still occupies the thread while it's sleeping, so an attacker can easily occupy all of the assigned threads in the web server, rendering it unresponsive. It actually makes it easier to perform a DDOS attack.

A Sleep can be used to protect against brute force attacks by reducing the number of tries that can be done per second. (The drawback is of course that it makes it more sensitive to DDOS attacks.)

Guffa answered Oct 27 '22 17:10


It definitely doesn't prevent a DDOS because networking equipment in front of your application may still be overwhelmed.

Additionally the distributed nature of a "distributed denial of service" means that you'll be getting excessive traffic from lots of different IPs, not one.

But regardless, what you're doing in your app doesn't get around whatever is in front of your app from being overwhelmed.

Matthew Lund answered Oct 27 '22 17:10
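
The thread-occupancy point in the first answer and the many-sources point in the second can be checked with a small model. This is an added example, not part of either answer and not ASP.NET code: a Python simulation of a fixed worker pool, in which the per-IP sleep policy, pool size, work time and traffic pattern are all constructed assumptions.

```python
import heapq
from collections import defaultdict, deque

WORK = 0.01  # seconds of real work per request (constructed value)

def sleep_for(recent, free=5, step=0.5, cap=10.0):
    """Hypothetical policy: no delay for the first `free` requests in the
    window, then `step` seconds more per extra request, capped at `cap`."""
    return min(cap, step * max(0, recent - free))

def simulate(requests, workers=4, window=10.0, throttle=True):
    """requests: (arrival_time, ip) tuples sorted by time.
    Returns {ip: [latency, ...]}. A worker is held for sleep + work,
    the way Thread.Sleep holds the request thread."""
    free_at = [0.0] * workers            # min-heap of times each worker frees up
    recent = defaultdict(deque)          # ip -> arrivals inside the window
    latency = defaultdict(list)
    for t, ip in requests:
        seen = recent[ip]
        while seen and seen[0] <= t - window:
            seen.popleft()
        seen.append(t)
        hold = WORK + (sleep_for(len(seen)) if throttle else 0.0)
        start = max(t, heapq.heappop(free_at))   # queue until a worker is free
        heapq.heappush(free_at, start + hold)
        latency[ip].append(start + hold - t)
    return latency

def legit_latency(n_ips, throttle):
    """100 requests over 5 s spread round-robin across n_ips sources, then
    one request from a well-behaved client at t=5 s. Returns its latency."""
    noisy = [(i * 0.05, f"src-{i % n_ips}") for i in range(100)]
    return simulate(noisy + [(5.0, "client")], throttle=throttle)["client"][0]

if __name__ == "__main__":
    for n_ips in (1, 100):
        for throttle in (True, False):
            print(f"sources={n_ips:3} sleep={throttle!s:5} "
                  f"client latency={legit_latency(n_ips, throttle):8.2f}s")
```

With one noisy source the sleeping workers push the well-behaved client's wait to minutes, while the same pool without the sleep answers in about 10 ms; with 100 sources the per-IP delay never triggers, so it changes nothing.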


A thread sleep is useful only to help guard against cryptography attacks. You can use them to guard against:

  • Attackers using execution time of different challenge strings to determine the logic in your implementation. If you ensure that all responses take the same time, then they can't use that information to determine how your algorithm works.
  • Increasing execution time upon repeated failed password attempts to avoid a brute force attack.

Besides these uses, a thread sleep doesn't have much application in security. They tie up resources (connections or session state), so are worthless for guarding against a DoS attack.

Merlyn Morgan-Graham answered Oct 27 '22 16:10