Our customer is a little bit paranoic on security and one of their requirement is to have DoS (Denial of Service) protection at web application level. They don`t want that somebody could flood them with HTTP requests.
I`ve done some GOOGLEing and found nothing about such solution. Has anybody heard anything about this issue or maybe heard of some open source project on this. Maybe some other comments?
If there will be none, then I guess I`ll have to do it on my own. My vision is an service that receives HTTP requests and process them. Get IP from it and counts how many requests have been done in certain period of time.
Any comments,ideas? :)
Most application servers have configurations you can set at the server side. (i.e. WebLogic has settings for MAX POST SIZE and POST TIME OUT, HTTP and HTTPS Duration)
Why write your own app when the server can do that for you? Also, that still doesn't prevent DoS attacks from happening. It only hardens the server.
Besides being flooded with plain old HTTP requests, it may also be possible to perform 'intelligent' denial of service attacks that target specific application bottlenecks or backend processes.
For example, if the application permits self registration then it could be possible for an attacker to write an automated script that submits thousands of fictitious registration requests. With thousands of fake users it would then be easier to target specific transactions such as CC processing or database access that are resource intensive.
This could be a more effective attack than simply doing a request fo /index.html.
For a paper on this topic see: http://www.corsaire.com/white-papers/040405-application-level-dos-attacks.pdf
There is a possibility that some one use a program that generates IP address in the request header and send requests to the login page. In that case non of the application servers can prevent it. In this case use some picture in your first pages that contains text with some effects on. For the best power on image handling you can use JAI(Java Advance Imaging), but AWT is much,much more easier.
The key thing to realize in this situation is that there is no way to guarantee that a DoS attack will not be successful on any given system. The reason for this is that today's applications and their associated architectures simply present too broad of an area to attack. The best that one can do is to secure the server in the best ways available (configuration, firewall, routers, network monitoring, intrusion detection, etc) while at the same time writing security sensitive code with, if nothing else, extensive error checking of inputs and user validation against all available resources. With all this in mind, over use of these technologies can adversely affect network and system performance so there are tradeoffs. A good general rule of thumb is to know what kind of traffic that you are expecting to be on the system, and if traffic significantly increases over this "threshold" log the time, ip address, type of request, and any other user info you hav at the time to log files and have your app notify the local sysadmin. A DoS can never truly be prevented if the attacker is clever enough. You as a developer/architect/whatever simply have to do everything you can to protect the system with what you have.
One approach followed by network applications like SMSCs is "Windowing".
This means that server will process only "N" requests per unit of time. If it ever gets more requests, it will simply return error (you can decide HTTP error code or show some HTML error page).
This will ensure that you will never deny service to your customers by setting the value of "N" to a pragmatic level.
Thank you all a lot for advices. As I see it now, I will try to talk with client and explain that standart DDoS should better be handled at lower OSI level as possible. And also I`ll have to take a deeper look at SUN`s application server oportunities on limitating higher lever DoS.
Thank`s a lot once more!