How to stop hack/DOS attack on web API

My website has been experiencing a denial of service/hack attack for the last week. The attack is hitting our web API with randomly generated invalid API keys in a loop.

I'm not sure if they are trying to guess a key (mathematically impossible as they are 64-bit keys) or trying to DOS attack the server. The attack is distributed, so I cannot ban all of the IP addresses, as it occurs from hundreds of clients.

My guess, going by the IPs, is that it is an Android app, so someone has some malware in an Android app and uses all the installs to attack my server.

The server is Tomcat/Java. Currently the web API just responds 400 to invalid keys and caches IPs that have made several invalid-key attempts, but it still needs to do some processing for each bad request.

Any suggestions on how to stop the attack? Is there any way to identify the Android app making the request from the HTTP headers?

asked Sep 15 '15 by James



2 Answers

Preventing Brute-Force Attacks:

There is a vast array of tools and strategies available to help you do this, and which to use depends entirely on your server implementation and requirements.

Without using a firewall, IDS, or other network-control tools, you can't really stop a DDOS from, well, denying service to your application. You can, however, modify your application to make a brute-force attack significantly more difficult.

The standard way to do this is by implementing a lockout or a progressive delay. A lockout prevents an IP from making a login request for X minutes if they fail to log in N times. A progressive delay adds a longer and longer delay to processing each bad login request.

If you're using Tomcat's authentication system (i.e. you have a <login-constraint> element in your webapp configuration), you should use the Tomcat LockoutRealm, which lets you easily put IP addresses on a lockout once they make a number of bad requests.

If you are not using Tomcat's authentication system, then you would have to post more information about what you are using to get more specific information.

Finally, you could simply increase the length of your API keys. 64 bits seems like an insurmountably huge keyspace to search, but it's underweight by modern standards. A number of factors could contribute to making it far less secure than you expect:

  • A botnet (or other large network) could make tens of thousands of attempts per second, if you have no protections in place.
  • Depending on how you're generating your keys and gathering entropy, your de facto keyspace might be much smaller.
  • As your number of valid keys increases, the number of keys that need to be attempted to find a valid one (at least in theory) drops sharply.

Upping the API key length to 128 (or 256, or 512) won't cost much, and you'll tremendously increase the search space (and thus, the difficulty) of any brute force attack.

Mitigating DDOS attacks:

To mitigate DDOS attacks, however, you need to do a bit more legwork. DDOS attacks are hard to defend against, and it's especially hard if you don't control the network your server is on.

That being said, there are a few server-side things you can do:

  • Installing and configuring a web-application firewall, like mod_security, to reject incoming connections that violate rules that you define.
  • Setting up an IDS system, like Snort, to detect when a DDOS attack is occurring and take the first steps to mitigate it
  • See @Martin Muller's post for another excellent option, fail2ban
  • Creating your own Tomcat Valve, as described here, to reject incoming requests by their User-Agents (or any other criterion) as a last line of defense.

In the end, however, there is only so much you can do to stop a DDOS attack for free. A server has only so much memory, so many CPU cycles, and so much network bandwidth; with enough incoming connections, even the most efficient firewall won't keep you from going down. You'll be better able to weather DDOS attacks if you invest in a higher-bandwidth internet connection and more servers, or if you deploy your application on Amazon Web Services, or if you buy one of the many consumer and enterprise DDOS mitigation products (@SDude has some excellent recommendations in his post). None of those options are cheap, quick, or easy, but they're what's available.

Bottom Line:

If you rely on your application code to mitigate a DDOS, you've already lost

answered Oct 02 '22 by F. Stephen Q
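The lockout / progressive-delay idea from the answer above, worked through as a servlet Filter for a Tomcat webapp, together with the recommended longer keys. This is an added example, not code from the original answer or from the asker's application. It assumes the key arrives in an `X-Api-Key` header (a name chosen here, not stated in the question), that keys are 256-bit values generated by `newApiKey()`, and that `isValidKey()` stands in for whatever lookup the real API does; the thresholds (5 free failures, a one-minute first lockout, a 24-hour cap, 100,000 tracked clients) are illustrative. One deliberate design choice: the "progressive delay" is applied as a lockout window that doubles with each failure rather than by sleeping in the request thread, because a sleeping thread is a Tomcat worker the attacker has taken away from you, which is exactly what a DDOS wants.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (not from the original answer): rejects bad API keys before the
// application sees them and locks out clients whose failures keep piling up.
public class ApiKeyLockoutFilter implements Filter {

    private static final String KEY_HEADER = "X-Api-Key";    // assumed header name
    private static final int KEY_BYTES = 32;                  // 256-bit keys
    // 32 bytes base64url-encoded without padding is always 43 characters.
    private static final Pattern KEY_SHAPE = Pattern.compile("[A-Za-z0-9_-]{43}");
    private static final int FREE_FAILURES = 5;               // failures before the first lockout
    private static final long BASE_LOCKOUT_MS = 60_000L;      // first lockout: one minute
    private static final long MAX_LOCKOUT_MS = 24L * 3_600_000L;
    private static final int MAX_TRACKED_CLIENTS = 100_000;   // bound on the table under a distributed attack

    // Constructed placeholder; a real deployment looks keys up in its own store.
    private static final Set<String> VALID_KEYS = Collections.singleton(newApiKey());

    private static final class Attempts {
        int failures;
        long lockedUntil;
    }

    private final Map<String, Attempts> byClient = new ConcurrentHashMap<>();

    // Key generation: 256 bits from SecureRandom, rendered as URL-safe text.
    public static String newApiKey() {
        byte[] raw = new byte[KEY_BYTES];
        new SecureRandom().nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // Shape check costs one regex match; malformed keys never reach the lookup.
    static boolean wellFormed(String key) {
        return key != null && KEY_SHAPE.matcher(key).matches();
    }

    // Replace with the real key lookup (database, cache, ...).
    protected boolean isValidKey(String key) {
        return VALID_KEYS.contains(key);
    }

    // Progressive delay expressed as a lockout window that doubles per failure
    // past the free allowance, capped at MAX_LOCKOUT_MS.
    static long lockoutFor(int failures) {
        int over = failures - FREE_FAILURES;
        if (over <= 0) return 0L;
        long ms = BASE_LOCKOUT_MS << Math.min(over - 1, 20);
        return Math.min(ms, MAX_LOCKOUT_MS);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Behind a reverse proxy this is the proxy's address; configure Tomcat's
        // RemoteIpValve (or RemoteIpFilter) so the real client address shows up here.
        String client = request.getRemoteAddr();
        long now = System.currentTimeMillis();

        if (byClient.size() > MAX_TRACKED_CLIENTS) prune(now);
        Attempts a = byClient.computeIfAbsent(client, k -> new Attempts());

        synchronized (a) {
            if (a.lockedUntil > now) {
                // Cheapest path: no key lookup, no application code, just a 429.
                response.setHeader("Retry-After", Long.toString((a.lockedUntil - now) / 1000 + 1));
                response.sendError(429);
                return;
            }
        }

        String key = request.getHeader(KEY_HEADER);
        if (wellFormed(key) && isValidKey(key)) {
            synchronized (a) { a.failures = 0; }
            chain.doFilter(req, res);
            return;
        }

        synchronized (a) {
            a.failures++;
            long lock = lockoutFor(a.failures);
            if (lock > 0) a.lockedUntil = now + lock;
        }
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    // Under memory pressure, forget every client that is not currently locked out.
    private void prune(long now) {
        byClient.entrySet().removeIf(e -> {
            synchronized (e.getValue()) {
                return e.getValue().lockedUntil <= now;
            }
        });
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() { byClient.clear(); }
}
```

Register it in `web.xml` with a `<filter>` and a `<filter-mapping>` whose `<url-pattern>` covers only the API paths, so it runs before any servlet and before Tomcat's own authentication. Two caveats a practitioner should keep in mind: with hundreds of client IPs each getting the free allowance, this lowers the cost of a bad request to a map lookup and a regex match, but the bytes still arrive on your network interface, which is the answer's bottom line; and the tracking table is itself something an attacker can grow, hence the bound and the prune.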


If it's big enough you just can't stop it alone. You can do all the optimisation you want at the app level, but you'll still go down. In addition to app-level security for prevention (as in FSQ's answer) you should use proven solutions, leaving the heavy lifting to professionals (if you are serious about your business). My advice is:

  1. Sign-up for CloudFlare or Incapsula. This is day to day for them.
  2. Consider using AWS API Gateway as the second stage for your API requests. You'll enjoy filtering, throttling, security, auto-scaling and HA for your API at Amazon scale. Then you can forward the valid requests to your machines (in or outside Amazon).

Internet --> CloudFlare/Incapsula --> AWS API Gateway --> Your API Server

0,02

PS: I think this question belongs to Sec

answered Oct 02 '22 by sdude