What is the best way to defend your website against HTTP flood POST/GET attacks?
2 Answers
depending on your implementation, it can be done in three (3) ways:
1. application layer approach:
- set up authentication on your web server or application. this can be done by allowing POST/GET functionality only for an identified list of authenticated and authorized users.
- authorize requests only from a known IP range.
- authorize requests from all and block certain IP ranges.
- do a 301 for any non-authenticated/non-authorized users.
2. network layer approach:
this is far more practical considering you are deciding the fate of the packet right before it reaches the other end, or even after it has already completed the 3-way handshake. consider these examples:
a. restrict the number of concurrent connections per IP on your firewall. this will give you the ability to define how many connections a client can request simultaneously.
in iptables, you can do this by:
# iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 24 -j DROP
in openbsd, you can do this in pf.conf:
pass in on $ext_if proto tcp to $web_server \
port www keep state \
(max 200, source-track rule, max-src-nodes 100, max-src-states 3)
which means:
Limit the absolute maximum number of states that this rule can create to 200
Enable source tracking; limit state creation based on states created by this rule only
Limit the maximum number of nodes that can simultaneously create state to 100
Limit the maximum number of simultaneous states per source IP to 3
b. for pf, you can filter the traffic by matching the tcp packets based on flags and decide on your next rule.
3. do a combination of an application layer and a network layer approach
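As an added illustration (not part of either answer), the following Python models the counting behind the two firewall rules above: a per-prefix connection limit in the style of the iptables connlimit rule, and pf's source-tracking state limits. The source addresses are constructed from documentation ranges and the class and function names are hypothetical.

```python
import ipaddress

def src_key(ip, mask):
    """Collapse a source address to its /mask prefix, as --connlimit-mask does."""
    return str(ipaddress.ip_network(f"{ip}/{mask}", strict=False))

class ConnLimit:
    """Model of 'iptables -m connlimit --connlimit-above N --connlimit-mask M':
    a SYN is dropped when it would take the prefix's open-connection count above N."""
    def __init__(self, above, mask=32):
        self.above, self.mask = above, mask
        self.open = {}  # prefix -> currently open connections

    def syn(self, src):
        key = src_key(src, self.mask)
        if self.open.get(key, 0) + 1 > self.above:
            return "DROP"
        self.open[key] = self.open.get(key, 0) + 1
        return "ACCEPT"

class PfSourceTrack:
    """Model of pf 'keep state (max, source-track rule, max-src-nodes, max-src-states)'."""
    def __init__(self, max_states, max_src_nodes, max_src_states):
        self.max_states, self.max_src_nodes = max_states, max_src_nodes
        self.max_src_states = max_src_states
        self.states = {}  # source IP -> states created by this rule

    def syn(self, src):
        if sum(self.states.values()) >= self.max_states:  # 'max 200'
            return "DROP"
        if src not in self.states and len(self.states) >= self.max_src_nodes:  # 'max-src-nodes 100'
            return "DROP"
        if self.states.get(src, 0) >= self.max_src_states:  # 'max-src-states 3'
            return "DROP"
        self.states[src] = self.states.get(src, 0) + 1
        return "PASS"

def demo():
    """Constructed flood from the documentation range 203.0.113.0/24 (not real traffic)."""
    cl = ConnLimit(above=20, mask=24)
    one_host = [cl.syn("203.0.113.10") for _ in range(21)]  # 20 x ACCEPT, then DROP
    neighbour = cl.syn("203.0.113.77")  # same /24, so it is counted together: DROP
    pf = PfSourceTrack(max_states=200, max_src_nodes=100, max_src_states=3)
    per_src = [pf.syn("203.0.113.10") for _ in range(4)]  # 3 x PASS, then DROP
    nodes = [pf.syn(f"198.51.100.{i}") for i in range(1, 101)]  # 99 new nodes fit, 100th is DROP
    return one_host, neighbour, per_src, nodes
```

The point of the mask is visible in `neighbour`: with `--connlimit-mask 24` a second host in the same /24 shares the budget of the first, whereas a /32 mask counts each address on its own.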
Although there is no solution that can provide complete protection against DoS attacks such as flooding, mitigation against DoS attacks may require help from the upstream ISP. But what we can do to defend our website is to scale it with a load balancer and caching. I recommend reading the paper "Leveraging the Load Balancer to Fight DDoS".