views:

34

answers:

1

So this is more of a general question on the best practice of preventing DoS attacks, I'm just trying to get a grasp on how most people handle malicious requests from the same IP address which is the problem we are currently having.

I figure it's better to block the IP of a truly malicious IP as high up as possible as to prevent using more resources, especially when it comes to loading you application.

Thoughts?

+1  A: 

You can prevent DoS attacks from occuring in various ways.

  • Limiting the number of queries/second from a particular ip address. Once the limit is reached, you can send a redirect to a cached error page to limit any further processing. You might also be able to get these IP address firewalled so that you don't have to process their requests at all. Limiting requests per IP address wont work very well though if the attacker forges the source IP address in the packets they are sending.
  • I'd also be trying to build some smarts into your application to help dealing with a DoS. Take Google maps as an example. Each individual site has to have it's own API key which I believe is limited to 50,000 requests per day. If your application worked in a similar way, then you'd want to validate this key very early on in the request so that you don't use too many resources for the request. Once the 50,000 requests for that key are used, you can send appropriate proxy headers such that all future requests (for the next hour for example) for that key are handled by the reverse proxy. It's not fool proof though. If each request has a different url, then the reverse proxy will have to pass through the request to the backend server. You would also run into a problem if the DDOS used lots of different API keys.
  • Depending on the target audience for your application, you might be able to black list large IP ranges that contribute significantly to the DDOS. For example, if your web service is for Australian's only, but you were getting a lot of DDOS requests from some networks in Korea, then you could firewall the Korean networks. If you want your service to be accessible by anyone, then you're out of luck on this one.
  • Another approach to dealing with a DDOS is to close up shop and wait it out. If you've got your own IP address or IP range then you, your hosting company or the data centre can null route the traffic so that it goes into a block hole.

Referenced from here. There are other solutions too on same thread.

YoK
Hey, Awesome tips, I like the idea of actually using a firewall... I was always under the impression that firewalls where for corporate email servers or something... haha. I suppose they do have a purpose. Thanks!
Joseph Silvashy