preventing DDoS attacks

DDoS = Distributed Denial of Service – if you didn’t know that, this article is probably NOT for you!

anyway, usually what happens is that the attacker sends millions of requests to a server (HTTP, DNS, SQL, etc.) and overwhelms it to the point that no one gets a response in time, or the server stalls or crashes.

to defend, we need to measure timing: drones usually send requests from a single IP as fast as they can, or at regular intervals. statistics can show which requests are legit. a normal user will send 1, 2 or 3 requests to the same URL, then give up and move on to another site. the first request will have the longest wait time, since the user expects some load time; then the user gets impatient and angrily hits reload a few times before trying other sites. it is also unlikely that a user will send other GET requests within milliseconds from the same IP but with a different browser. ALL this data AND its timing need to be recorded, and then, if the client is found to be legit, the second and third requests answered. statistics can also help determine whether the attacking systems all use the same software, e.g. by manipulating a few header bits on the server side to observe how the client system behaves. a power user might try two or three different browsers to get a site to work, but even that takes time IF done manually.

of course a smart attacker knows these tricks, but he can’t get through a filter protecting the servers! filtering uses far fewer system resources than serving a single request. there is a risk of denying access to a legit but confused user who hits refresh 10 times, but the benefit for the many outweighs the cost for the few! you could always remember the unfortunate IP and, when the server is idle again, get back to it.
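the two paragraphs above describe a per-IP timing filter in words. the script below is an added example (it is not code from the original post) that turns those observations into detection logic and runs it over a few constructed access-log lines: too many hits on one URL, gaps too short for a hand-driven reload, clockwork-regular intervals, and a browser switch within a second from the same IP. the log format, the IP addresses and every threshold are assumptions chosen for the demo, not measurements from real traffic.

```python
"""Per-IP request-timing heuristics, as an added example for the post above.

Groups constructed access-log lines by client IP and applies the post's
observations: a human sends at most a few requests to the same URL, with
human-scale gaps between them, and does not switch browsers within
milliseconds; drones fire as fast as they can or on a fixed interval.
All thresholds are assumed demo values, not measured from real traffic.
"""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Assumed thresholds (chosen for the demo, not taken from the post):
MAX_SAME_URL = 3        # a human gives up after 1-3 reloads of one URL
MIN_HUMAN_GAP = 0.1     # seconds; reloads closer than this are not hand-driven
CLOCKWORK_CV = 0.05     # gap std-dev / mean below this = fixed-interval timing
MIN_EVENTS_FOR_CV = 4   # need a few gaps before judging regularity
UA_SWITCH_WINDOW = 1.0  # seconds; a different browser this soon is suspicious

# Constructed line format: "<seconds since log start> <ip> <method> <path> <user-agent>"
LOG_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<ua>.+)$")

# Constructed sample traffic: a patient human, a flood drone, a slow clockwork
# drone, a user-agent switcher, and a confused human who keeps hitting reload.
SAMPLE_LOG = """\
0.000 203.0.113.5 GET /index.html Mozilla/5.0 (X11) Firefox/120
4.500 203.0.113.5 GET /index.html Mozilla/5.0 (X11) Firefox/120
6.100 203.0.113.5 GET /index.html Mozilla/5.0 (X11) Firefox/120
9.000 203.0.113.5 GET /about.html Mozilla/5.0 (X11) Firefox/120
0.000 198.51.100.9 GET /index.html curl/7.88
0.010 198.51.100.9 GET /index.html curl/7.88
0.020 198.51.100.9 GET /index.html curl/7.88
0.030 198.51.100.9 GET /index.html curl/7.88
0.000 192.0.2.77 GET /a.html python-requests/2.31
2.000 192.0.2.77 GET /b.html python-requests/2.31
4.000 192.0.2.77 GET /c.html python-requests/2.31
6.000 192.0.2.77 GET /d.html python-requests/2.31
8.000 192.0.2.77 GET /e.html python-requests/2.31
0.000 192.0.2.200 GET /login Mozilla/5.0 (X11) Firefox/120
0.500 192.0.2.200 GET /login Mozilla/5.0 (X11) Chrome/120
0.000 203.0.113.99 GET /index.html Mozilla/5.0 (Windows) Edge/120
1.300 203.0.113.99 GET /index.html Mozilla/5.0 (Windows) Edge/120
2.900 203.0.113.99 GET /index.html Mozilla/5.0 (Windows) Edge/120
4.200 203.0.113.99 GET /index.html Mozilla/5.0 (Windows) Edge/120
6.000 203.0.113.99 GET /index.html Mozilla/5.0 (Windows) Edge/120
"""


def parse_log(text):
    """Yield (ts, ip, path, ua) tuples; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield float(m["ts"]), m["ip"], m["path"], m["ua"]


def classify_ip(events):
    """events: list of (ts, path, ua) for one IP. Returns (verdict, reasons)."""
    events = sorted(events)
    reasons = []

    # 1. A human sends only a handful of requests to the same URL.
    hits = defaultdict(int)
    for _, path, _ in events:
        hits[path] += 1
    path, count = max(hits.items(), key=lambda kv: kv[1])
    if count > MAX_SAME_URL:
        reasons.append(f"too_many_same_url: {count} requests for {path}")

    # 2. Inter-arrival gaps: too short for a hand, or too regular for one.
    gaps = [later[0] - earlier[0] for earlier, later in zip(events, events[1:])]
    if gaps and min(gaps) < MIN_HUMAN_GAP:
        reasons.append(f"sub_human_gap: {min(gaps) * 1000:.0f} ms between requests")
    if len(gaps) >= MIN_EVENTS_FOR_CV - 1 and mean(gaps) > 0:
        cv = pstdev(gaps) / mean(gaps)  # coefficient of variation of the gaps
        if cv < CLOCKWORK_CV:
            reasons.append(f"clockwork_interval: every {mean(gaps):.3f} s (cv={cv:.3f})")

    # 3. A different browser from the same IP within the window.
    for earlier, later in zip(events, events[1:]):
        if earlier[2] != later[2] and later[0] - earlier[0] < UA_SWITCH_WINDOW:
            reasons.append(f"ua_switch: {earlier[2]!r} -> {later[2]!r} "
                           f"within {later[0] - earlier[0]:.1f} s")
            break

    return ("suspect" if reasons else "legit"), reasons


def classify_log(text):
    """Map each client IP to its (verdict, reasons) pair."""
    by_ip = defaultdict(list)
    for ts, ip, path, ua in parse_log(text):
        by_ip[ip].append((ts, path, ua))
    return {ip: classify_ip(evs) for ip, evs in by_ip.items()}


if __name__ == "__main__":
    for ip, (verdict, reasons) in classify_log(SAMPLE_LOG).items():
        print(f"{ip:<14} {verdict:<8} {'; '.join(reasons)}")
```

the confused human (203.0.113.99) is flagged only for the URL count, which is exactly the trade-off the post accepts: the filter denies that IP now and you can keep the address around to revisit once the server is idle again. note that the clockwork test needs a few gaps before it says anything, otherwise a two-request visit would look perfectly regular by construction.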