2

My client would like to have his eCommerce (custom-made) site secured from DDoS attacks. What strategies can I implement? There are multiple forms in the purchasing flow --- searching, drilling-down to the product, user information and payment and I want to avoid captchas.

HopelessN00b
  • 53,385
  • 32
  • 133
  • 208
gAMBOOKa
  • 979
  • 6
  • 18
  • 33

6 Answers6

5

None of those will really protect from DDoS attacks. The point of a DDoS is to use up so much of the targets bandwidth that no legitimate traffic can get through.

Having a captcha or something will protect from bots, but thats about it.

The only way to mitigate (but not solve) the risk of DDoS attacks is to get more bandwidth and failover agreements with other hosting providers.

Alex
  • 246
  • 1
  • 2
  • But don't DDoS attacks use zombie computers to run bot scripts? – gAMBOOKa Aug 31 '09 at 17:34
  • Some do. A simple DDoS is to find out what server your site is on and simply flood it with page requests. That is essentially what is happening when a site gets slash-dotted. – EBGreen Aug 31 '09 at 17:37
  • 2
    @gAMBOOKa: Yes, typically. Can your captcha code handle millions of requests a second? Can your hosting provider? – Michael Petrotta Aug 31 '09 at 17:38
2

There is nothing to prevent DDoS attacks, there is no single tool to mitigate them, you can only raise the bar, having a good firewall and some thresholds (automatic rejects, even banning) for accessing the different services/pages if you know the average use of the site

BlackTigerX
  • 319
  • 1
  • 3
  • 8
2

Squid can help with slashdotting. It will help your system handle large volumes of identical requests without pounding the hardware so hard. http://en.wikipedia.org/wiki/Squid_(software)

1

You can install mod_evasive if you are using Apache - a short description can be found here: http://www.think-security.com/protect-your-apache-web-server-with-mod_evasive/

1

This guy has a way to help with application code. Not sure if it works for your language of choice, but the idea is good. Nothing is capable of stopping all attacks, but you can try to make it difficult for them =)

StingyJack
  • 219
  • 2
  • 8
0

A good relationship with your bandwidth provider is about the only thing that can help you mitigate a DDoS attack. The reason being that once the traffic hits your wire, it is effectively taking up bandwidth, so there's nothing you can put on your side that will help. Being able to work with your ISP to filter out DDoS traffic before it comes down the wire at you is both the only way to keep the traffic off of your circuit as well as the best way to escalate the issue (the ISP will likely try to filter the traffic coming into their network as well). Your ISP will be considerably more effective if other ISPs need to be contacted to shut down bot hosts...

Greeblesnort
  • 1,739
  • 8
  • 10