I am working on a Java application that exposes web services for a Flash client. Any idea on how to prevent DOS/DDOS attacks? I cannot use mechanisms unfriendly to the end user such as CAPTCHA. So far I have found mod_evasive, an Apache module which looks quite promising... Any suggestions, best practices, tools I might use? Thanks in advance.
For high-end - go with hardware solutions - Netscaler, Webavalanche and others. These are skilled at picking off shaped packet attacks as well as bot network attacks.
Trouble with software solutions is often that the DDOS looks like legit traffic such that you've already run a lot of code (and by virtue used expensive resources) before deciding to toss the request out. Webservices compound this by requiring an expensive XML parsing process to determine legitimacy of requests.
The challenge with this question is that it asks for a solution to a fundamentally unsolvable problem. There's no tool or practice you can adopt that is going to protect you from a moderately competent attacker who is determined to take down your service.
mod_evasive is about as good a solution as you're going to get to this problem in the short term. It implements "best practices" throttling of requests, and will prevent your system from being taken down by a 5-line Perl script.
In the longer term, when your application becomes successful, you'll inevitably wind up deploying a load balancer in front of it. The mainstream commercial load balancers (like F5's Big-IP) all implement "DOS protection" throttling, so you can turn that feature on when you upgrade. But don't upgrade just to get that feature.
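To make the throttling policy the answer above attributes to mod_evasive concrete, here is an added illustration (not mod_evasive's code, and not from the original thread) of its per-client counting: a client is blocked once it requests the same URI more than a page limit, or any URI more than a site limit, within an interval, and stays blocked for a blocking period that restarts on each further blocked request. The thresholds, the hypothetical whitelist, the client addresses and the request events are all constructed for the example; in the questioner's Java service the same check would sit in a servlet filter in front of the XML parsing.

```python
from collections import defaultdict, deque

# Assumed thresholds in the spirit of mod_evasive's defaults (not taken from its docs).
PAGE_COUNT, PAGE_INTERVAL = 2, 1.0    # hits on one URI per client per second
SITE_COUNT, SITE_INTERVAL = 50, 1.0   # hits on any URI per client per second
BLOCKING_PERIOD = 10.0                # seconds a tripped client keeps being rejected


class Throttle:
    def __init__(self, page_count=PAGE_COUNT, page_interval=PAGE_INTERVAL,
                 site_count=SITE_COUNT, site_interval=SITE_INTERVAL,
                 blocking_period=BLOCKING_PERIOD, whitelist=()):
        self.page_count, self.page_interval = page_count, page_interval
        self.site_count, self.site_interval = site_count, site_interval
        self.blocking_period, self.whitelist = blocking_period, set(whitelist)
        self.page_hits = defaultdict(deque)   # (client, uri) -> recent timestamps
        self.site_hits = defaultdict(deque)   # client -> recent timestamps
        self.blocked_until = {}               # client -> time the block expires

    @staticmethod
    def _over_limit(window, now, interval, limit):
        """Record a hit, drop hits older than the interval, report if the limit is exceeded."""
        window.append(now)
        while window and now - window[0] >= interval:
            window.popleft()
        return len(window) > limit

    def check(self, client, uri, now):
        """True if the request may be served, False if it should be rejected (e.g. HTTP 403)."""
        if client in self.whitelist:
            return True
        expires = self.blocked_until.get(client)
        if expires is not None:
            if now < expires:
                # still blocked: a further request restarts the blocking period
                self.blocked_until[client] = now + self.blocking_period
                return False
            del self.blocked_until[client]
        if (self._over_limit(self.page_hits[(client, uri)], now, self.page_interval, self.page_count)
                or self._over_limit(self.site_hits[client], now, self.site_interval, self.site_count)):
            self.blocked_until[client] = now + self.blocking_period
            return False
        return True


# Constructed sample traffic: 198.51.100.7 hammers one endpoint, 203.0.113.9 browses normally.
SAMPLE = [(0.0, "198.51.100.7", "/ws/login"), (0.1, "198.51.100.7", "/ws/login"),
          (0.2, "198.51.100.7", "/ws/login"), (0.3, "198.51.100.7", "/ws/login"),
          (0.5, "203.0.113.9", "/ws/login"), (0.9, "203.0.113.9", "/ws/search"),
          (12.0, "198.51.100.7", "/ws/login")]


def simulate(events, throttle=None):
    """Run (time, client, uri) events through a throttle; return the served/rejected flag per event."""
    throttle = throttle or Throttle(whitelist={"10.0.0.5"})   # hypothetical monitoring host
    return [throttle.check(client, uri, t) for t, client, uri in events]
```

Run over the sample, the third and fourth login hits from 198.51.100.7 are rejected while the legitimate client is untouched, and the attacker is served again only after the blocking period has lapsed.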
The problem with solving modern DDOS attacks is that they are launched from numerous unrelated endpoints (often, from huge botnets). Web application firewalls like Citrix/NetScaler, Imperva, and F5 will do a decent job with the canned attacks, but skilled analysts (preferably from your own team) are going to be needed to stop "real" attackers who know your name; you do that job by analyzing the attack traffic, finding characteristics in it particular to the attacker, and filtering it.
I think you're on the right track with free "plug-and-play" defenses for this, especially with a new application.
I stumbled upon a cheap and easy way around some of the larger DDOS attacks that render most IP banning scripts useless. For this you'll need more than one static IP address for your server.
Go into the Apache configuration in your WHM control panel, go down to the option titled "Reserved IPs editor", and reserve the IP being DDOS'ed. You'll then have to change your site's IP address in WHM and update your domain name to point to the new IP.
This isn't something that will make your server DDOS-protected; it's simply a way to stall a DDOS attack that is happening to your server quickly, effectively and, most importantly, cheaply.
We're protecting our web servers with WANGuard Platform. It's a software-based solution installed on a dedicated Linux server.