
Is a DoS attack a developer's or a system administrator's issue? [closed]

Tags:

java

security

As a Java developer I'm going to participate in a web project. So I'm trying to get informed on different aspects of web security.

Now I have come to the DoS attack subject and I'm trying to figure out what I can/should do as a Java developer. Or maybe it would be the system administrator's job.

What comes to my mind at first is to implement the functionality in such a way that a single request cannot take too much time and resources. For example, to put some limits on the amount of processed data. But I'm not sure if this will be applicable in all cases.

Should I take any care for DoS due to many requests?

Any advice will be appreciated. Many thanks in advance!

Boris Toninski asked Feb 20 '13 13:02


1 Answer

Firstly, there's nothing either of you can do to prevent a DoS attack.

All you can do is make your code sensible (Developer), and your architecture robust (SysAdmin). It is a joint effort.

Developers should try to minimise resource usage as part of their job anyway - not just for DoS attacks.

Developers should use caches to protect the database. If every request needs to consult a list of Countries, then requesting that list from the database every single time isn't good practice anyway.

Developers should make sure that bad requests fail as quickly as possible, e.g. don't consult the Countries list at all until you've verified their account number actually exists.

Developers should adopt approaches like REST: treating each request individually rather than maintaining Sessions in memory. This could stop your memory usage from rocketing during an attack. You don't want memory problems as well as your network being flooded!

Developers should make their application scalable. Again, REST helps here as you aren't tied to having things stored in memory. If you can run ten instances of your application at once, each handling a subset of the requests, you will last much longer in a DoS attack (and probably give your users a smoother website experience anyway).

SysAdmins should provide the load-balancing, fail-over, etc. frameworks to manage this scalability. They will also manage hardware for the instances. You could also have the option to add more instances automatically on demand, meaning that automatic server creation and deployment become important. Using VMs rather than physical boxes can help with this.

SysAdmins can set up firewalls and proxies so that, when an attack does happen, they can keep your REAL traffic coming through and stop the attack traffic. They can filter traffic by suspected IP range, block 'suspicious-looking' requests, throttle traffic levels to a gentle flow, etc.

Overall, you can look at DoS as just "high amounts of traffic". If your application code and architecture can't cope with increasing traffic from "regular users" then you are doomed anyway, regardless of a DoS attack. When Facebook was threatened with DoS, I remember someone pointing out that "Every day is a DDoS attack for Facebook...". But it is developed and structured in such a way that it copes.

David Lavender answered Nov 15 '22 00:11
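
The fail-fast, caching and input-limit points from the question and answer above, sketched as an added Java example (not code from the original post). The 8-digit account format, the size cap, the cache lifetime and every class and method name are assumptions made for illustration; the account set and the supplier stand in for real database calls.

```java
import java.util.List;
import java.util.Set;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Supplier;

public class FailFastHandler {
    static final int MAX_BODY_BYTES = 8 * 1024;          // assumed cap on data processed per request
    static final long COUNTRY_TTL_MS = 10 * 60 * 1000L;  // assumed cache lifetime

    private final Set<String> accounts;                  // stand-in for an indexed account lookup
    private final Supplier<List<String>> countryQuery;   // stand-in for the expensive database query
    private List<String> countries;                      // cached Countries list
    private long loadedAt;

    FailFastHandler(Set<String> accounts, Supplier<List<String>> countryQuery) {
        this.accounts = accounts;
        this.countryQuery = countryQuery;
    }

    /** Returns an HTTP-style status code; checks run from cheapest to most expensive. */
    int handle(String accountNumber, byte[] body) {
        if (body == null || accountNumber == null) return 400;
        if (body.length > MAX_BODY_BYTES) return 413;           // reject before any parsing
        if (!accountNumber.matches("[0-9]{8}")) return 400;     // pure CPU check, no I/O
        if (!accounts.contains(accountNumber)) return 404;      // one cheap lookup
        return countries().isEmpty() ? 503 : 200;               // reference data only for valid requests
    }

    /** Loads the Countries list at most once per TTL, however many requests arrive. */
    private synchronized List<String> countries() {
        long now = System.currentTimeMillis();
        if (countries == null || now - loadedAt > COUNTRY_TTL_MS) {
            countries = List.copyOf(countryQuery.get());
            loadedAt = now;
        }
        return countries;
    }

    public static void main(String[] args) {
        AtomicInteger dbHits = new AtomicInteger();
        FailFastHandler h = new FailFastHandler(Set.of("12345678"),
                () -> { dbHits.incrementAndGet(); return List.of("BG", "GB", "US"); });
        // Constructed sample requests: oversized body, malformed account, unknown account, valid.
        System.out.println(h.handle("12345678", new byte[MAX_BODY_BYTES + 1]));
        System.out.println(h.handle("1234abcd", new byte[10]));
        System.out.println(h.handle("87654321", new byte[10]));
        for (int i = 0; i < 1000; i++) h.handle("12345678", new byte[10]);
        System.out.println("country queries issued: " + dbHits.get());
    }
}
```

The three rejected requests never reach the Countries query, and the thousand valid ones share a single cached load.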