DDOS attacks - trusted web services

Could you list some strategies, or even approaches that you have already used, to prevent, protect against or minimize DDoS attacks on RESTful web services?

Thanks.

+6
5 answers

Put an HTTP cache, such as Squid or Varnish, in front of your API and set a small max-age header on any resource that concerns you. Even with a max-age of 1 second, your API will not be hit more than once per second for that resource.

+8
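The effect the answer describes, as an added example that is not part of the original answer: a miniature reverse-proxy cache in the spirit of Squid/Varnish that honours the origin's `Cache-Control: max-age` and is driven by a fake clock, so a constructed flood of 1000 GETs per second for 5 seconds reaches the origin exactly once per second. The `Origin` class, the `/api/users` path and the flood parameters are constructed for the simulation.

```python
import re
import time


class Origin:
    """Constructed stand-in for the API behind the cache; it only counts how
    often it is actually hit and advertises a max-age on every response."""

    def __init__(self, max_age=1):
        self.hits = 0
        self.max_age = max_age

    def get(self, path):
        self.hits += 1
        headers = {"Cache-Control": f"public, max-age={self.max_age}"}
        body = {"path": path, "origin_hit": self.hits}
        return headers, body


def parse_max_age(cache_control):
    """Return the max-age in seconds from a Cache-Control value, or None when
    the response must not be cached (no-store / private) or has no max-age."""
    if cache_control is None:
        return None
    directives = [d.strip().lower() for d in cache_control.split(",")]
    if "no-store" in directives or "private" in directives:
        return None
    for d in directives:
        m = re.fullmatch(r"max-age=(\d+)", d)
        if m:
            return int(m.group(1))
    return None


class MaxAgeCache:
    """Serve a resource from memory until its max-age expires, so the origin
    sees at most one request per max-age window per resource, whatever the
    client request rate is."""

    def __init__(self, origin, clock=time.monotonic):
        self.origin = origin
        self.clock = clock
        self.store = {}  # path -> (expires_at, headers, body)

    def get(self, path):
        now = self.clock()
        entry = self.store.get(path)
        if entry is not None and now < entry[0]:
            return "HIT", entry[2]
        headers, body = self.origin.get(path)
        ttl = parse_max_age(headers.get("Cache-Control"))
        if ttl:  # max-age=0 or an uncacheable response is never stored
            self.store[path] = (now + ttl, headers, body)
        return "MISS", body


def simulate_flood(requests_per_second=1000, seconds=5, max_age=1):
    """Replay a constructed GET flood against the cache with a fake clock and
    return (requests sent, requests that reached the origin)."""
    origin = Origin(max_age=max_age)
    fake_now = [0.0]
    cache = MaxAgeCache(origin, clock=lambda: fake_now[0])
    total = requests_per_second * seconds
    for i in range(total):
        fake_now[0] = i / requests_per_second
        cache.get("/api/users")
    return total, origin.hits


if __name__ == "__main__":
    sent, origin_hits = simulate_flood()
    print(f"sent {sent} requests, origin served {origin_hits}")
```

Two caveats a practitioner should add to this answer: the cache key here is the bare path, and a real cache must normalize the key (strip or whitelist query parameters), otherwise an attacker appends a random query string to every request and turns each one into a cache miss; and the trick only helps for cacheable GETs, so anything returning `no-store` or `private`, and every POST, still reaches the origin.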

Enabling web caching can mitigate a DoS attack on GET requests. But another common type of DoS attack is sending huge amounts of data to an HTTP POST method. To mitigate this type of DoS, it is considered best practice to set the PostTimeoutSecs, MaxPostTimeSecs and MaxPostSize parameters on your web server or application server. Parameter names differ between servers.

That said, adding a web cache and limiting POST requests are very rudimentary ways to prevent a DoS attack. To counter a DoS attack more effectively, you can consider solutions such as a web application firewall. See the OWASP website for an overview of the WAF products on the market, including some open-source options.

+5
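What the two POST limits the answer names actually have to enforce, as an added example that is not part of the original answer and not any server's own implementation: a body reader with a size cap (the MaxPostSize idea) and a wall-clock deadline (the MaxPostTimeSecs idea), exercised against a constructed attacker stream that trickles one byte at a time, the slow-POST pattern. The `SlowStream` class, the limits and the status codes chosen are assumptions for the demonstration.

```python
import time


class RequestTooLarge(Exception):
    pass


class RequestTimeout(Exception):
    pass


def read_body(stream, content_length, max_post_size=1_000_000, max_post_secs=10.0,
              chunk_size=8192, clock=time.monotonic):
    """Read a POST body subject to both a size cap and a deadline.

    stream must provide read(n) returning b'' at EOF. The declared Content-Length
    (None for chunked bodies) is only a hint: the cap is enforced on bytes really
    received, because the header can lie or be absent."""
    if content_length is not None and content_length > max_post_size:
        # Cheapest rejection: decide from the header before reading a single byte.
        raise RequestTooLarge(f"declared {content_length} > {max_post_size}")
    deadline = clock() + max_post_secs
    received = bytearray()
    while True:
        if clock() > deadline:
            raise RequestTimeout(f"body not complete within {max_post_secs}s")
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        received += chunk
        if len(received) > max_post_size:
            raise RequestTooLarge(f"received more than {max_post_size} bytes")
        if content_length is not None and len(received) >= content_length:
            break
    return bytes(received)


class SlowStream:
    """Constructed client stream: returns one byte per read() and advances a
    fake clock by `delay` seconds each time. delay=0 models a normal client,
    delay>0 models a slow-POST attacker holding the connection open."""

    def __init__(self, data, delay, fake_clock):
        self.data, self.pos, self.delay, self.fake_clock = data, 0, delay, fake_clock

    def read(self, n):
        if self.pos >= len(self.data):
            return b""
        self.fake_clock[0] += self.delay
        chunk = self.data[self.pos:self.pos + 1]
        self.pos += 1
        return chunk


def classify_request(body, content_length, delay_per_byte,
                     max_post_size=1000, max_post_secs=5.0):
    """Run one constructed request through read_body and report the outcome
    as (HTTP status, body bytes accepted)."""
    clock = [0.0]
    stream = SlowStream(body, delay_per_byte, clock)
    try:
        data = read_body(stream, content_length, max_post_size, max_post_secs,
                         clock=lambda: clock[0])
        return "200", len(data)
    except RequestTooLarge:
        return "413", 0
    except RequestTimeout:
        return "408", 0


if __name__ == "__main__":
    print("normal   ", classify_request(b"x" * 100, 100, 0.0))
    print("declared ", classify_request(b"x" * 100, 5000, 0.0))
    print("chunked  ", classify_request(b"x" * 2000, None, 0.0))
    print("slow POST", classify_request(b"x" * 100, 100, 1.0))
```

Note that the size limit alone does not stop the slow-POST case: 100 bytes is well under the cap, and without the deadline the reader would sit on that connection indefinitely, which is exactly how a small number of attacking connections exhausts a worker pool. Both limits are needed, and they belong in the server in front of the application, not only in application code.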

Unless you are a large deployment with a large number of active users and revenue, I do not think you can justify anything beyond the basic measures.

Instead, make sure that you will find out in a timely manner that your system is under attack (by monitoring CPU / memory / requests per second).

If you think you are under attack, ask whoever hosts your servers.

I would be interested to hear a different opinion, but I think that any approach based at your end is almost always doomed to failure. Almost regardless of what you do, the link provided by your upstream can be saturated; that is, sometimes the only person who can do something is upstream of your servers, not you.

+4
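The "find out in a timely manner" part of this answer, as an added example that is not part of the original answer: a requests-per-second detector that slides a time window over access-log lines, raises an alert when the rate crosses a threshold, and reports which client dominates the window, since the first thing you need when calling your upstream is whether the flood comes from one address they can drop or is distributed. The log format is Apache/nginx combined-log style; the sample log, the 10-second window and the 5 rps threshold are constructed for the demonstration.

```python
import re
from collections import Counter, deque
from datetime import datetime, timedelta, timezone

# Combined-log style line; only the fields needed here are captured.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)')


def parse_line(line):
    """Return the fields of one access-log line, or None if the line is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, ts, method, path, status, size = m.groups()
    return {
        "client": client,
        "ts": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
        "method": method,
        "path": path,
        "status": int(status),
        "size": int(size),
    }


def detect_bursts(lines, window_secs=10, threshold_rps=5.0):
    """Slide a time window over the (time-ordered) log and raise one alert each
    time the request rate inside the window rises above threshold_rps."""
    window = deque()  # (unix timestamp, client) for requests inside the window
    alerts = []
    alerting = False
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        t = rec["ts"].timestamp()
        window.append((t, rec["client"]))
        while window and t - window[0][0] >= window_secs:
            window.popleft()
        rps = len(window) / window_secs
        if rps > threshold_rps:
            if not alerting:  # alert once per burst, not once per line
                alerting = True
                top_client, top_n = Counter(c for _, c in window).most_common(1)[0]
                alerts.append({
                    "at": rec["ts"].isoformat(),
                    "rps": rps,
                    "top_client": top_client,
                    "top_share": top_n / len(window),
                })
        else:
            alerting = False
    return alerts


def constructed_log():
    """Constructed sample: 20 s of normal traffic at 1 request/s from a few
    internal addresses, then 100 requests from one address within two seconds,
    plus one malformed line to show the parser skipping it."""
    base = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)

    def line(client, offset):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{client} - - [{ts}] "GET /api/users HTTP/1.1" 200 512'

    lines = [line(f"10.0.0.{i % 5 + 1}", i) for i in range(20)]
    lines += [line("203.0.113.7", 20 + i // 50) for i in range(100)]
    lines.insert(5, "garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for alert in detect_bursts(constructed_log()):
        print(f"{alert['at']}: {alert['rps']:.1f} rps, "
              f"{alert['top_client']} sends {alert['top_share']:.0%} of requests")
```

On the constructed log the single alert fires in the 21st second, when the window holds 51 requests, and attributes 82% of them to 203.0.113.7. In production the same logic runs over a tail of the live log or over the per-second counters the answer mentions; the threshold should be set from observed peak traffic, and a top client share near 100% is the signal that a single upstream block will end the attack.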

Let a CDN be the firewall surrounding your growing set of REST APIs. Here is a usage example.

+2

DDoS attacks target weaknesses in the application that result from code anomalies such as memory leaks, long session lifetimes, and boundary conditions that consume many CPU cycles. Session lifetimes may not apply here to RESTful web services, since their responses are supposed to be stateless. However, the following steps may help.

Development / coding perspective

  • Profile the application for leaks, especially in negative scenarios, for example exceptions. The longer resources stay in memory, the greater the impact. Free up resources as early as possible.
  • Reject negative scenarios at the point where the request itself is received; for example, validation of attributes or payloads must occur well before we execute any business logic or database calls. In a Spring-based Java application, an interceptor would be apt.
  • Implement structured logging for request auditing, which can help analyze patterns in the event of an attack.
  • For POST / PUT / DELETE operations that can only be accessed by designated clients (web / mobile apps, etc.), implement a captcha (for example, Google's "I'm not a robot") and check the captcha token at the REST API level before processing the request.

Operation perspective

  • Configure monitoring and alerts for CPU, memory, network traffic, and application-internal metrics such as heap usage.

Infrastructure perspective

  • Add a web application firewall that can identify fake traffic coming from bots and apply some level of request rate control.
  • Configure caching, if possible, serving requests via a CDN for objects that do not change frequently.
  • Set up automatic scaling of the infrastructure based on network traffic, CPU, memory, etc., so that a burst of traffic cannot bring down any application node. Choosing a cloud-based infrastructure will help.
0
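Two of this answer's points in working form, as an added example that is not part of the original answer and not any WAF product's code: the "reject before business logic" ordering from the development list, and the "request rate control" from the infrastructure list, combined in one gateway that runs a per-client token bucket and payload validation ahead of the handler, so a flood is answered with 429s and malformed input with 400s without any backend or database call. The hypothetical `POST /orders` schema (`sku`, `qty`), the client addresses, the rate of 2 requests/s with a burst of 5, and the backend handler are all constructed for the demonstration; the captcha token check the answer also mentions needs a round trip to the captcha provider and is left out.

```python
import time


class TokenBucket:
    """Classic token bucket: `rate` tokens/s refill up to `burst`; one token per request."""

    def __init__(self, rate, burst, clock):
        self.rate, self.capacity, self.clock = rate, burst, clock
        self.tokens = float(burst)
        self.last = clock()

    def allow(self):
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class Gateway:
    """Cheap checks first (rate limit, then payload validation), expensive
    handler last. `backend_calls` counts how often the handler actually ran."""

    def __init__(self, handler, rate=2.0, burst=5, clock=time.monotonic):
        self.handler, self.rate, self.burst, self.clock = handler, rate, burst, clock
        self.buckets = {}  # client address -> TokenBucket
        self.backend_calls = 0

    @staticmethod
    def validate(payload):
        """Constructed schema for a hypothetical POST /orders; returns an error
        string or None. Bounds on every field keep a hostile payload from
        reaching code whose cost grows with input size."""
        if not isinstance(payload, dict):
            return "payload must be an object"
        sku, qty = payload.get("sku"), payload.get("qty")
        if not isinstance(sku, str) or not 1 <= len(sku) <= 32:
            return "sku must be a string of 1..32 characters"
        if not isinstance(qty, int) or isinstance(qty, bool) or not 1 <= qty <= 100:
            return "qty must be an integer in 1..100"
        return None

    def handle(self, client, payload):
        bucket = self.buckets.get(client)
        if bucket is None:
            bucket = self.buckets[client] = TokenBucket(self.rate, self.burst, self.clock)
        if not bucket.allow():
            return 429, "rate limited"
        err = self.validate(payload)
        if err:
            return 400, err
        self.backend_calls += 1
        return 200, self.handler(payload)


def simulate():
    """Constructed traffic: one client fires 20 requests at once, waits 10 s and
    sends 3 more; another client sends one malformed payload.
    Returns (list of status codes in order, number of backend calls)."""
    clock = [0.0]
    gw = Gateway(handler=lambda p: {"order": p["sku"], "qty": p["qty"]},
                 clock=lambda: clock[0])
    good = {"sku": "ABC-1", "qty": 2}
    statuses = [gw.handle("198.51.100.9", good)[0] for _ in range(20)]
    clock[0] = 10.0  # bucket refills to its burst capacity
    statuses += [gw.handle("198.51.100.9", good)[0] for _ in range(3)]
    statuses.append(gw.handle("10.0.0.5", {"sku": "X" * 40, "qty": -1})[0])
    return statuses, gw.backend_calls


if __name__ == "__main__":
    statuses, calls = simulate()
    print(statuses)
    print(f"backend handled {calls} of {len(statuses)} requests")
```

Of the 24 constructed requests only 8 reach the handler: the first 5 of the burst, 3 after the refill, and none of the malformed ones. Keying buckets on the client address, as here, is the weak point against a distributed attack, which is why the answer pairs rate control with a WAF that can recognise bot traffic by other signals; the ordering of checks, however, is worth keeping whatever the keying is.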
