Prevent Denial of Service (DOS) attacks in your web application

clean credit

clean credit — Mon, 05 Oct 2009 15:59:15 GMT

I only wish I had found it sooner.

re: Prevent Denial of Service (DOS) attacks in your web application

KiwiCoder — Thu, 09 Jul 2009 02:55:40 GMT

I created the following to replace the Profile.IsFirstVisit

public bool IsFirstVisit()

{

if (Session["IsFirstVisit"] == null)

{

Session["IsFirstVisit"] = "false";

return true;

}

else

{

return false;

}

re: Prevent Denial of Service (DOS) attacks in your web application

James — Mon, 03 Nov 2008 18:42:17 GMT

I need help! Someone threatened to ddos my site! What should i do?!

re: Prevent Denial of Service (DOS) attacks in your web application

Aristos — Mon, 13 Oct 2008 10:29:07 GMT

This is a joke or a bug ?

if( context.Request.Browser.Crawler )

return false; <----

you do not won crawlers on your site ?

re: Prevent Denial of Service (DOS) attacks in your web application

omar — Mon, 13 Oct 2008 07:57:32 GMT

Don't want to do the calculation on each and every call. Only where expensive operations are performed.

re: Prevent Denial of Service (DOS) attacks in your web application

Psul — Mon, 13 Oct 2008 07:05:30 GMT

Why you didn't write this ddos-protection code in HttpModule. It will be faster to process request and denie them (if ddos detected) on HttpModule level, isn't it?

re: Prevent Denial of Service (DOS) attacks in your web application

omar — Tue, 16 Sep 2008 18:31:28 GMT

As the cache is in-memory cache, the Hit object is referenced as By Ref. So, making any modification to the object updates the actual object inside the cache.

re: Prevent Denial of Service (DOS) attacks in your web application

Andrew — Tue, 16 Sep 2008 18:14:55 GMT

Hi Omar,

Thanks for the info, I was wondering why you dont replace the cached item after updating the HitInfo.Hit? Is the object in cache a different copy of the object that is incremented?

"if( hit.Hits == 1 )

context.Cache.Add(key, hit, null, DateTime.Now.AddMinutes(DURATION),

System.Web.Caching.Cache.NoSlidingExpiration, System.Web.Caching.CacheItemPriority.Normal, null);"

Why not

if (hit.Hits > 1) {

Cache.Remove(key);

}

Cache.Add(<all those params>);

re: Prevent Denial of Service (DOS) attacks in your web application

omar — Wed, 03 Sep 2008 08:43:56 GMT

Please read this para:

"Of course you can put in some Cisco firewall and prevent DOS attack. You will get guaranty from your hosting provider that their entire network is immune to DOS and DDOS (Distributed DOS) attacks. What they guaranty is network level attack like TCP SYN attacks or malformed packet floods etc. There is no way they can analyze the packet and find out a particular IP is trying to load the site too many times without supporting cookie or trying to add too many widgets. These are called application level DOS attack which hardware cannot prevent. It must be implemented in your own code."

You cannot add logics like someone is trying to add too many widgets on your Firewall/Hardware/Routers.

re: Prevent Denial of Service (DOS) attacks in your web application

Wed, 03 Sep 2008 08:33:40 GMT

Denial of Service Attack Prevention should be done at Hardware/Firewall leve, NOT in your web-application.

It is too expensive and error-prone to do it in your application. FireWalls/Hardware/Routers are adept at doing such a thing.

WHAT AM I MISSING?

Joe — Fri, 29 Aug 2008 21:52:53 GMT

>>It's a custom boolean property that I added to Profile.

1. What is a "Profile?" What is a "HitInfo?" What is a "Profile.IsFirstVisit?" Are these things just pulled out of thin air? These things are unknown in MSDN.

2. Also, why is a "var" being used in C#?

>>var hit =(HitInfo)(context.Cache[key] ??

new HitInfo());

3. What class does OnInit derive from?

Am I the only one that cannot compile this example at all?

Do you have a downloadable file Omar? What references did you set up?

re: Prevent Denial of Service (DOS) attacks in your web application

Tarek — Mon, 11 Aug 2008 18:25:21 GMT

Can someone give me more info. on the following:

Profile.Isfirstvist??

Do we have to create this property.. It is not a profile property..

Where we getting the hitinfo() class from? I cant seem to find its source..

Any help is greatly appreciated..

re: Prevent Denial of Service (DOS) attacks in your web application

omar — Thu, 26 Jun 2008 11:23:44 GMT

Waleed,

ASP.NET does not handle requests to static files like JS, CSS, html etc unless you have Wildcard mapping turned on. So, this code only protects calls going to ASP.NET

Peter Tran,

You can take out the Crawler check. My intention was to prevent crawler. But that prevents valid crawlers as well. You can also check if the Crawler name is "Unknown".

mlb,

Proxies that hide user's IP and uses the public IP of the proxy will be treated as one IP. So, you just adjust the threshold values in such a way that it allows such proxies, but also prevents request floods.

Google Me,

This prevents Application level DDOS to some extent. It saves your application from burning out CPU/DISK. As the check is minimal code, it takes much less CPU then actually executing a page or some functionality.

Network level DOS attacks are protected by Firewalls.

re: Prevent Denial of Service (DOS) attacks in your web application

Google Me — Wed, 25 Jun 2008 21:02:54 GMT

This isn't DDOS prevention.

Your web server still has to accept the connection and work with it, thereby being busy.

So an attacker can still lock up your web server.

For a better DDOS prevention you have to work at the firewall level - but it's still not perfect.

re: Prevent Denial of Service (DOS) attacks in your web application

mlb — Wed, 25 Jun 2008 19:48:26 GMT

Hello Omar, question:

What about if it's a company using only one IP address(external) behind a router doing NAT? Employees try to access the webapp and will they be denied to access it?

re: Prevent Denial of Service (DOS) attacks in your web application

Peter Tran — Mon, 05 May 2008 22:22:02 GMT

Great article. However, I am trying to understand why your code does not allow search engines in? Your code returns false for 'not valid' when checking for context.Request.Browser.Crawler. Doesn't that prevent search engines from indexing your page?

re: Prevent Denial of Service (DOS) attacks in your web application

Waleed Eissa — Fri, 18 Apr 2008 05:14:33 GMT

Hi Omar,

Thanks for your article, I wonder though whether there's any built-in features in IIS that could help stop DOS attacks. Your code is very good but the problem is that you have to make ASP.NET handle all files as the attack could be done by trying to download any type of files, images, js files .. etc

通过程序使你的网站预防DOS攻击的能力 --提高站点的安全性

jecray — Sat, 08 Dec 2007 14:17:03 GMT

如果不对客户端采取访问控制策略，一个网站很容易被DOS攻击。因此有必要采取措施。本文简单的介绍了如何通过程序预防dos攻击。

re: Prevent Denial of Service (DOS) attacks in your web application

Abishek Bellamkonda — Fri, 05 Oct 2007 01:24:48 GMT

IP addresses can be faked. As a matter of fact MAC addresses can b faked too. I don't know any solution that can really prevent DOS. Also organised DOS attack spread across a continent would be worst.

re: Prevent Denial of Service (DOS) attacks in your web application

Abishek Bellamkonda — Fri, 05 Oct 2007 00:59:56 GMT

Mate, you write very interesting stuff. You do realise that if someone wants to do a DOS badly, you cannot stop it right?

Apart from shutting the machine.