This might be something more suited for Serverfault, but many web developers who only come here will probably benefit from possible answers to this question.
The question is: How do you effectively protect yourself against Denial Of Service attacks against your webserver?
I asked myself this after reading this article
For those not familiar, here's what I remember about it: a DoS attack will attempt to occupy all your connections by repeatedly sending bogus headers to your servers.
By doing so, your server will reach the limit of possible simultaneous connections and, as a result, normal users can't access your site anymore.
Wikipedia provides some more info: http://en.wikipedia.org/wiki/Denial_of_service
You can rely on the following types of network security to help protect your business from DDoS attempts: firewalls and intrusion detection systems that act as traffic-scanning barriers between networks, and anti-virus and anti-malware software that detects and removes the malware used to recruit machines into the botnets that generate DDoS traffic.
ISPs can detect and filter out potential DDoS packets before they reach your border, preventing such attacks from consuming all of your available bandwidth. Unfortunately, while ISP partnerships are effective, there is no silver bullet for guarding against DDoS attacks.
Basic hygiene such as using complex passwords, rotating credentials and not storing or writing down passwords in notes is worth doing, but it addresses account compromise rather than denial of service: for DoS, the controls that matter are on the network path in front of you and in how your server handles connections.
There's no panacea, but you can make DoS attacks more difficult by doing some of the following:
Remember, it's important to outright reject throttled requests (for example, with an HTTP 503: Service Unavailable response or a similar response appropriate to whatever protocol you are using) rather than queueing throttled requests. If you queue them, the queue will just eat up all your memory and the DoS attack will be at least as effective as it would have been without the throttling.
Some more specific advice for HTTP servers: reject POST messages without an accompanying Content-Length header; reject requests (and throttle the offending client) which exceed the stated Content-Length; and reject requests with a Content-Length which is unreasonably long for the service that the POST (or PUT) is aimed at.
For this specific attack (as long as the request is GET) a load balancer or a WAF which only passes full requests to the webserver would work.
The problems start when POST is used instead of GET (which is easy), because you can't know whether this is a malicious POST or just a really slow upload from a user.
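Putting the two answers above into code, as an added example that is not from either answerer: a small Python request gate that applies a per-client connection cap which rejects immediately instead of queuing, refuses POST/PUT requests without a Content-Length or with one larger than the route allows, and throttles a client that sends more body than it declared (the case a full-request-buffering proxy cannot settle on its own). The thresholds, route caps, choice of status codes and the sample requests are assumptions for illustration.

```python
from collections import defaultdict

# Thresholds below are assumptions for illustration; tune them to the service.
MAX_CONN_PER_CLIENT = 20          # concurrent connections tolerated per source address
DEFAULT_MAX_BODY = 64 * 1024      # bytes, for routes not listed below
MAX_BODY_BY_ROUTE = {             # per-route caps, matched by path prefix
    "/login": 4 * 1024,
    "/upload": 50 * 1024 * 1024,
}


class Gate:
    """Per-client admission control. admit() answers at once: a client over its
    limit is rejected (the caller sends 503 and closes) and is never queued."""

    def __init__(self):
        self.active = defaultdict(int)   # client address -> open connections
        self.throttled = set()           # clients caught sending more than declared

    def admit(self, client):
        if client in self.throttled or self.active[client] >= MAX_CONN_PER_CLIENT:
            return False
        self.active[client] += 1
        return True

    def release(self, client):
        if self.active[client] > 0:
            self.active[client] -= 1


def parse_head(raw):
    """Parse request line and headers from raw bytes up to the blank line.
    Returns (method, path, headers) with lower-cased names, or None if malformed."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    head, sep, _ = text.partition("\r\n\r\n")
    if not sep:                                      # head not complete yet
        return None
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            return None
        name = name.strip().lower()
        if name in headers:                          # duplicate headers are ambiguous
            return None
        headers[name] = value.strip()
    return parts[0], parts[1], headers


def route_limit(path):
    """Largest body accepted for this path (query string ignored)."""
    path = path.split("?", 1)[0]
    for prefix, cap in MAX_BODY_BY_ROUTE.items():
        if path == prefix or path.startswith(prefix + "/"):
            return cap
    return DEFAULT_MAX_BODY


def check_head(raw):
    """Decide on the request head alone. Returns an HTTP status to send back
    immediately, or None if the request may proceed to body handling."""
    parsed = parse_head(raw)
    if parsed is None:
        return 400                                   # malformed or incomplete head
    method, path, headers = parsed
    if method not in ("POST", "PUT"):
        return None                                  # no body expected; nothing to bound
    if "transfer-encoding" in headers:
        return 411   # assumption: chunked bodies refused, their size cannot be checked up front
    length = headers.get("content-length")
    if length is None:
        return 411                                   # Length Required
    if not length.isdigit():
        return 400
    if int(length) > route_limit(path):
        return 413                                   # too large for this route
    return None


def check_body(gate, client, declared, received):
    """Call as body bytes arrive. A client that sends more than it declared is
    cut off with 400 and throttled, so its next connections fail at admit()."""
    if received > declared:
        gate.throttled.add(client)
        return 400
    return None
```

The gate keeps no queue at all: an over-limit client gets a refusal and the socket is closed, so its memory cost is the one counter entry rather than a parked request.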
From DoS per se you can't really protect your webapp, because of a simple fact: your resources are limited, while the attacker potentially has unlimited time and resources to perform the DoS. And most of the time it's cheap for the attacker to perform the required steps, e.g. the attack mentioned above: a few hundred slow-running connections -> no problem.
Asynchronous servers, for one, are more or less immune to this particular form of attack. I, for instance, serve my Django apps using an Nginx reverse proxy, and the attack didn't seem to affect its operation whatsoever. Another popular asynchronous server is lighttpd.
Mind you, this attack is dangerous because it can be performed even by a single machine with a slow connection. However, common DDoS attacks pit your server against an army of machines, and there's little you can do to protect yourself from them.
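To show the mechanism behind the "asynchronous servers" point, an added example (not the answerer's Django/Nginx setup) using Python's asyncio: each connection costs one coroutine rather than a thread, and a timeout on reading the request head bounds how long an incomplete request can hold that coroutine. The demo opens many slow connections that never finish their headers and then checks that a normal request is still answered. The port, timeout and number of slow connections are assumptions. The caveat a practitioner should keep in mind: without the header timeout, even an asynchronous server eventually runs out of file descriptors, so the timeout, not the concurrency model alone, is what bounds the attacker's cost.

```python
import asyncio

HEADER_TIMEOUT = 0.5   # assumed: seconds allowed to deliver the complete request head
HOST = "127.0.0.1"     # assumed: loopback only, for an offline demo


async def handle(reader, writer):
    """One coroutine per connection. A peer that never finishes its headers
    is cut off after HEADER_TIMEOUT instead of holding a worker forever."""
    try:
        await asyncio.wait_for(reader.readuntil(b"\r\n\r\n"), timeout=HEADER_TIMEOUT)
        response = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok"
    except (asyncio.TimeoutError, asyncio.IncompleteReadError, asyncio.LimitOverrunError):
        response = b"HTTP/1.1 408 Request Timeout\r\nConnection: close\r\n\r\n"
    try:
        writer.write(response)
        await writer.drain()
    except (ConnectionError, OSError):
        pass                                  # peer already gone; nothing to do
    writer.close()


async def slow_connection(port):
    """Slowloris-style peer: sends a partial head and then goes quiet."""
    reader, writer = await asyncio.open_connection(HOST, port)
    writer.write(b"GET / HTTP/1.1\r\nHost: example\r\nX-a: b\r\n")   # no blank line
    await writer.drain()
    return reader, writer


async def normal_request(port):
    """A well-behaved client; returns the status line it receives."""
    reader, writer = await asyncio.open_connection(HOST, port)
    writer.write(b"GET / HTTP/1.1\r\nHost: example\r\n\r\n")
    await writer.drain()
    status = await reader.readline()
    writer.close()
    return status.decode().strip()


async def demo(n_slow):
    server = await asyncio.start_server(handle, HOST, 0, backlog=1024)
    port = server.sockets[0].getsockname()[1]
    slow = await asyncio.gather(*(slow_connection(port) for _ in range(n_slow)))
    status = await normal_request(port)   # served while n_slow connections are still stalled
    for _, w in slow:
        w.close()                         # server side sees EOF and answers 408
    server.close()
    await server.wait_closed()
    return status


def run_demo(n_slow=100):
    """Start the server, stall n_slow connections, return the status a normal client gets."""
    return asyncio.run(demo(n_slow))


if __name__ == "__main__":
    print(run_demo())
```

A thread-per-connection server with a pool of, say, 50 workers would have every worker parked in the equivalent of readuntil() by the time the normal client arrived; here the stalled connections are idle coroutines, and the timeout reclaims them.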