
If an attack (DoS & DDoS) involves thousands of bots, how can the server distinguish them from legitimate clients?

Cert

1 Answer


It's going to vary for every single attack. With DoS attacks, you can look for attributes that are different from "real" requests, say values that are out of range, or the lack, or specific format, of a particular piece of data like a user-agent or referer in an HTTP request.

Generally speaking for DDoS attacks, if the traffic gets to the server, you've lost, and it doesn't matter. DDoS attacks are purely designed to choke resources and the most common bottleneck is the network bandwidth. You can potentially identify characteristics of a DDoS attack, but it almost always needs to be identified and managed upstream so the traffic never reaches your servers.

Xander
  • Hi Xander, could you please explain some more what you mean by "_but it almost always needs to be identified and managed upstream so the traffic never reaches your servers_"? – frogatto Nov 09 '14 at 19:06
  • @ABFORCE A DDoS attack will often overwhelm the capacity of your network bandwidth, and with attacks getting larger and larger, they're more frequently many multiples of your bandwidth. When this is the case, it doesn't matter how obvious it is, it's already blocked the real traffic and by the time it gets to you it's too late. So, you need your ISP, your CDN, and their peers, the people who have the huge core pipes, to identify this traffic and stop it from being routed to you in the first place. – Xander Nov 10 '14 at 13:50
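The answer above describes the DoS case (as opposed to bandwidth-saturating DDoS) in terms of request attributes: values out of range, and headers such as User-Agent or Referer that are missing or in the wrong format. The following is an added example, not code from the answer or its author, that runs those checks over constructed access-log lines in Combined Log Format and also flags sources whose request rate is out of range for a human. The thresholds (`MAX_PATH_LEN`, `RATE_WINDOW_SEC`, `RATE_MAX_REQUESTS`), the User-Agent shape check and the sample log lines are all assumptions chosen for illustration, and the IP addresses are documentation ranges.

```python
"""Flag DoS-style requests in an HTTP access log by checking for attributes
legitimate browsers normally supply (bots often omit or mangle them) and
for per-source request rates no human would produce.

Added example; thresholds and field checks are illustrative assumptions."""

import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Combined Log Format, the default for Apache and nginx access logs.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed thresholds (tune per site). A browser UA starts with a product
# token such as "Mozilla/5.0"; the path and rate limits are illustrative.
UA_RE = re.compile(r'^[A-Za-z][\w.-]*/\S+')
MAX_PATH_LEN = 2048
RATE_WINDOW_SEC = 10
RATE_MAX_REQUESTS = 5


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def request_anomalies(rec):
    """Per-request checks: missing or malformed headers, out-of-range values."""
    reasons = []
    ua = rec["ua"]
    if ua in ("", "-"):
        reasons.append("missing user-agent")
    elif not UA_RE.match(ua):
        reasons.append("malformed user-agent")
    ref = rec["referer"]
    if ref not in ("", "-"):
        parts = urlsplit(ref)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            reasons.append("malformed referer")
    if len(rec["path"]) > MAX_PATH_LEN:
        reasons.append("request path length out of range")
    return reasons


def rate_offenders(records):
    """Source IPs with more than RATE_MAX_REQUESTS inside any RATE_WINDOW_SEC window."""
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec["ip"]].append(rec["time"])
    offenders = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while (t - times[start]).total_seconds() > RATE_WINDOW_SEC:
                start += 1
            if end - start + 1 > RATE_MAX_REQUESTS:
                offenders.add(ip)
                break
    return offenders


def classify(log_text):
    """Return {ip: sorted reasons}; an IP with an empty list looks legitimate."""
    records = [r for r in (parse_line(line) for line in log_text.splitlines()) if r]
    verdict = defaultdict(set)
    for rec in records:
        verdict[rec["ip"]].update(request_anomalies(rec))
    for ip in rate_offenders(records):
        verdict[ip].add("request rate out of range")
    return {ip: sorted(reasons) for ip, reasons in verdict.items()}


def _line(ip, sec, path, referer, ua):
    """Build one constructed sample line (not real traffic) in Combined Log Format."""
    return (f'{ip} - - [09/Nov/2014:19:00:{sec:02d} +0000] "GET {path} HTTP/1.1" '
            f'200 512 "{referer}" "{ua}"')


BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0"

# Constructed sample log: one legitimate client, one flooding bot, one script.
SAMPLE_LOG = "\n".join(
    # Legitimate client: well-formed headers, human-paced requests.
    [_line("203.0.113.7", 1, "/", "-", BROWSER_UA),
     _line("203.0.113.7", 9, "/about", "https://example.com/", BROWSER_UA)]
    # Flooding bot: no User-Agent, no Referer, six hits in three seconds.
    + [_line("198.51.100.20", 2 + i // 2, "/search?q=x", "-", "-") for i in range(6)]
    # Scripted client: scheme-less Referer and an overlong request path.
    + [_line("192.0.2.55", 4, "/" + "A" * 3000, "example.com/page", "Python-urllib/3.4")]
)

if __name__ == "__main__":
    for ip, reasons in classify(SAMPLE_LOG).items():
        print(ip, "legitimate" if not reasons else ", ".join(reasons))
```

Note that every one of these checks is a heuristic a determined attacker can satisfy by copying a real browser's headers, which is why the answer says it varies per attack; and none of them help once the link itself is saturated, which is the DDoS case the answer hands to the ISP or CDN.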