Blocking IP addresses, preventing DoS attacks

JP Silvashy · Aug 27, 2010 · Viewed 7.3k times

So this is more of a general question on the best practice of preventing DoS attacks. I'm just trying to get a grasp on how most people handle malicious requests from the same IP address, which is the problem we are currently having.

I figure it's better to block a truly malicious IP as high up as possible so as to avoid using more resources, especially when it comes to loading your application.

Thoughts?

Answer

YoK · Aug 27, 2010

You can prevent DoS attacks from occurring in various ways.

  • Limiting the number of queries/second from a particular IP address. Once the limit is reached, you can send a redirect to a cached error page to limit any further processing. You might also be able to get these IP addresses firewalled so that you don't have to process their requests at all. Limiting requests per IP address won't work very well, though, if the attacker forges the source IP address in the packets they are sending.
  • I'd also be trying to build some smarts into your application to help deal with a DoS. Take Google Maps as an example. Each individual site has to have its own API key, which I believe is limited to 50,000 requests per day. If your application worked in a similar way, then you'd want to validate this key very early on in the request so that you don't use too many resources for the request. Once the 50,000 requests for that key are used, you can send appropriate proxy headers such that all future requests (for the next hour, for example) for that key are handled by the reverse proxy. It's not foolproof though. If each request has a different URL, then the reverse proxy will have to pass the request through to the backend server. You would also run into a problem if the DDoS used lots of different API keys.
  • Depending on the target audience for your application, you might be able to blacklist large IP ranges that contribute significantly to the DDoS. For example, if your web service is for Australians only, but you were getting a lot of DDoS requests from some networks in Korea, then you could firewall the Korean networks. If you want your service to be accessible by anyone, then you're out of luck on this one.
  • Another approach to dealing with a DDoS is to close up shop and wait it out. If you've got your own IP address or IP range then you, your hosting company or the data centre can null route the traffic so that it goes into a black hole.

Referenced from here. There are other solutions too on the same thread.
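The first two bullets of the answer above (a per-IP request limit whose repeat offenders get handed to the firewall, and an API-key quota validated before any expensive work, with proxy cache headers once the key is exhausted) can be shown together in one small model. The code below is an added example, not code from the original thread or from any project mentioned in it; the thresholds, IP addresses, key names and the replayed request sample are all constructed for illustration.

```python
"""Per-IP sliding-window rate limiting plus an early per-API-key daily quota.
Added example, not code from the original thread; all thresholds, IP addresses,
keys and the request sample are constructed for illustration."""
from collections import Counter, defaultdict, deque


class IpRateLimiter:
    """Allow at most max_requests per window_seconds from one IP.

    Rejections count as strikes; after strikes_to_block of them the IP is
    added to `blocked`, the list you would push to a firewall so its packets
    are dropped before they reach the application at all.
    """

    def __init__(self, max_requests, window_seconds, strikes_to_block):
        self.max_requests = max_requests
        self.window = window_seconds
        self.strikes_to_block = strikes_to_block
        self.hits = defaultdict(deque)      # ip -> request times inside the window
        self.strikes = defaultdict(int)
        self.blocked = set()

    def allow(self, ip, now):
        if ip in self.blocked:
            return "blocked"
        window = self.hits[ip]
        while window and now - window[0] >= self.window:
            window.popleft()                # forget hits that fell out of the window
        if len(window) >= self.max_requests:
            self.strikes[ip] += 1
            if self.strikes[ip] >= self.strikes_to_block:
                self.blocked.add(ip)
                return "blocked"
            return "rate_limited"
        window.append(now)
        return "ok"


class ApiKeyQuota:
    """Daily per-key budget, checked before any expensive work is done."""

    def __init__(self, daily_limit, valid_keys):
        self.daily_limit = daily_limit
        self.valid_keys = set(valid_keys)
        self.used = defaultdict(int)

    def check(self, key):
        if key not in self.valid_keys:
            return "invalid_key"
        if self.used[key] >= self.daily_limit:
            return "quota_exceeded"
        self.used[key] += 1
        return "ok"


def proxy_cache_headers(seconds):
    """Headers that let a caching reverse proxy serve the rejection itself for a
    while, so repeated requests for an exhausted key never reach the backend."""
    return {"Cache-Control": f"public, max-age={seconds}"}


def handle_request(limiter, quota, ip, key, now):
    """Cheapest checks first: IP limit, then key quota, then the real work."""
    verdict = limiter.allow(ip, now)
    if verdict != "ok":
        return verdict, proxy_cache_headers(60)
    verdict = quota.check(key)
    if verdict != "ok":
        return verdict, proxy_cache_headers(3600)
    return "ok", {}                          # expensive application work would go here


def run_sample():
    """Replay a constructed request sample (time, ip, key) and tally the verdicts."""
    limiter = IpRateLimiter(max_requests=5, window_seconds=10, strikes_to_block=3)
    quota = ApiKeyQuota(daily_limit=50, valid_keys={"key-A", "key-B", "key-C"})
    requests = []
    requests += [(i * 3.0, "10.0.0.1", "key-A") for i in range(4)]            # normal client
    requests += [(1.0 + i * 0.1, "203.0.113.7", "key-B") for i in range(12)]  # burst from one IP
    requests += [(2.0, "10.0.0.2", "not-a-key")]                              # unknown key
    requests += [(100.0 + i * 2.5, "10.0.0.3", "key-C") for i in range(51)]  # slow, but over its quota
    tally = Counter()
    for now, ip, key in sorted(requests):
        verdict, _headers = handle_request(limiter, quota, ip, key, now)
        tally[verdict] += 1
    return tally, limiter.blocked


if __name__ == "__main__":
    print(run_sample())
```

In the replay, the bursting address gets five requests through, two rate-limited responses, and is then blocked for the rest of the sample, while the slow client with a valid key is never rate-limited but hits its daily quota on request 51. The ordering in `handle_request` is the point of the answer's "validate the key very early" advice: every check runs before any application work, and the cheapest one runs first. As the answer also notes, the per-IP part only helps against traffic whose source address is genuine, so in practice the `blocked` set is useful as input to a firewall or null-route decision rather than as the whole defence.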