Protect yourself against Dos attacks

webserver protection denial-of-service
KdgDev picture KdgDev · Jun 22, 2009 · Viewed 8.7k times · Source

This might be something more suited for Serverfault, but many webdevelopers who come only here will probably benefit from possible answers to this question.

The question is: How do you effectively protect yourself against Denial Of Service attacks against your webserver?

I asked myself this after reading this article

For those not familiar, here's what I remember about it: a DoS attack will attempt to occupy all your connections by repeatedly sending bogus headers to your servers.

By doing so, your server will reach the limit of possible simultanious connections and as a result, normal users can't acces your site anymore.

Wikipedia provides some more info: http://en.wikipedia.org/wiki/Denial_of_service

Answer

Doug McClean picture Doug McClean · Jun 22, 2009

There's no panacea, but you can make DoS attacks more difficult by doing some of the following:

  • Don't (or limit your willingness to) do expensive operations on behalf of unauthenticated clients
  • Throttle authentication attempts
  • Throttle operations performed on behalf of each authenticated client, and place their account on a temporary lockout if they do too many things in too short a time
  • Have a similar global throttle for all unauthenticated clients, and be prepared to lower this setting if you detect an attack in progress
  • Have a flag you can use during an attack to disable all unauthenticated access
  • Don't store things on behalf of unauthenticated clients, and use a quota to limit the storage for each authenticated client
  • In general, reject all malformed, unreasonably complicated, or unreasonably huge requests as quickly as possible (and log them to aid in detection of an attack)
  • Don't use a pure LRU cache if requests from unauthenticated clients can result in evicting things from that cache, because you will be subject to cache poisoning attacks (where a malicious client asks for lots of different infrequently used things, causing you to evict all the useful things from your cache and need to do much more work to serve your legitimate clients)

Remember, it's important to outright reject throttled requests (for example, with an HTTP 503: Service Unavailable response or a similar response appropriate to whatever protocol you are using) rather than queueing throttled requests. If you queue them, the queue will just eat up all your memory and the DoS attack will be at least as effective as it would have been without the throttling.

Some more specific advice for the HTTP servers:

  • Make sure your web server is configured to reject POST messages without an accompanying Content-Length header, and to reject requests (and throttle the offending client) which exceed the stated Content-Length, and to reject requests with a Content-Length which is unreasonably long for the service that the POST (or PUT) is aimed at

Related questions

Using node.js as a simple web server

I want to run a very simple HTTP server. Every GET request to example.com should get index.html served to it but as a regular HTML page (i.e., same experience as when you read normal web pages). Using …

Read More
What is the difference between application server and web server?

What is the difference between application server and web server?

Read More
ssl_error_rx_record_too_long and Apache SSL

I've got a customer trying to access one of my sites, and they keep getting this error > ssl_error_rx_record_too_long They're getting this error on all browsers, all platforms. I can't reproduce the problem at all. …

Read More