tags:

views:

34

answers:

1
Q: 

Blocking IP addresses, preventing DoS attacks

So this is more of a general question on the best practice of preventing DoS attacks, I'm just trying to get a grasp on how most people handle malicious requests from the same IP address which is the problem we are currently having.

I figure it's better to block the IP of a truly malicious IP as high up as possible as to prevent using more resources, especially when it comes to loading you application.

Thoughts?

+1  A: 

You can prevent DoS attacks from occuring in various ways.

  • Limiting the number of queries/second from a particular ip address. Once the limit is reached, you can send a redirect to a cached error page to limit any further processing. You might also be able to get these IP address firewalled so that you don't have to process their requests at all. Limiting requests per IP address wont work very well though if the attacker forges the source IP address in the packets they are sending.
  • I'd also be trying to build some smarts into your application to help dealing with a DoS. Take Google maps as an example. Each individual site has to have it's own API key which I believe is limited to 50,000 requests per day. If your application worked in a similar way, then you'd want to validate this key very early on in the request so that you don't use too many resources for the request. Once the 50,000 requests for that key are used, you can send appropriate proxy headers such that all future requests (for the next hour for example) for that key are handled by the reverse proxy. It's not fool proof though. If each request has a different url, then the reverse proxy will have to pass through the request to the backend server. You would also run into a problem if the DDOS used lots of different API keys.
  • Depending on the target audience for your application, you might be able to black list large IP ranges that contribute significantly to the DDOS. For example, if your web service is for Australian's only, but you were getting a lot of DDOS requests from some networks in Korea, then you could firewall the Korean networks. If you want your service to be accessible by anyone, then you're out of luck on this one.
  • Another approach to dealing with a DDOS is to close up shop and wait it out. If you've got your own IP address or IP range then you, your hosting company or the data centre can null route the traffic so that it goes into a block hole.

Referenced from here. There are other solutions too on same thread.

YoK  2010-08-27 18:27:27
Hey, Awesome tips, I like the idea of actually using a firewall... I was always under the impression that firewalls where for corporate email servers or something... haha. I suppose they do have a purpose. Thanks!
Joseph Silvashy  2010-08-27 18:36:41

related questions

Centos or Debian as a server OS ?
Where can I find a FTP Server with an API?
Technical issues when switching to an unmanaged Virtual Private Server (VPS) hosting provider?
Should I use a dedicated network channel between the database and the application server?
Do I need to leave gaps in a standard server rack?
Monitoring CPU Core Usage on Terminal Servers
Which hardware to buy for a new Linux server system?
Website Hardware Scaling
Ajax polling.
I ALMOST understand how email works, but I'm missing something.
How do you minimize the number of threads used in a tcp server application?
Perfmon File Analysis Tools
Cleanest & Fastest server setup for Django
Is there some way to PUSH data from web server to browser?
How do I secure my new web server (Server 2008)?
Subversion Management Tools
What kind of servers did you virtualize lately?
Closet server versus Colo?
Personal Linux web server
Error ADMA5026E for WebSphere Application Server Network Deployment
What means the error SECJ0222E in WebSphere Application Server 5.1
What is called a Node in a WebSpere Network Deployment
Can someone give me a working example of a build.xml for an EAR that deploys in WebSphere 6
Asynchronous multi-direction server-client communication over the same open socket?
Best way to access Exchange using PHP?