Questions asking us to recommend or find a tool, library or favorite off-site resource are off-topic for Stack Overflow as they tend to attract opinionated answers and spam. Instead, describe the problem and what has been done so far to solve it.
Closed 10 years ago.
My first attempt to solve the DoS vulnerability used the approach suggested by Gulzar, which is basically to limit the number of calls allowed from the same IP address. I think it's a good approach, but, unfortunately, it caused my code to fail a performance test.
Since I was unable to get the performance test group to change their test (a political problem, not a technical one), I changed to limiting the number of calls allowed during a configurable interval. I made both the maximum number of calls and the time interval configurable. I also allowed setting a value of 0 or a negative number which disables the limits.
The code that needed to be protected is used internally by several products. So, I had each product group run their QA and performance test suites and came up with default values that were as small as possible to limit a real DoS attack but still passed all the tests.
FWIW, the time interval was 30 seconds and the maximum number of calls was 100. This is not a completely satisfactory approach, but it is simple and practical and was approved by the corporate security team (another political consideration).
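The limiter this answer describes, sketched in Python as an added example (not the poster's code). The class name `CallLimiter`, the helper `replay`, the sliding-window scheme and the injectable clock are assumptions; the defaults of 100 calls per 30 seconds and the "0 or negative disables" rule come from the answer.

```python
import threading
import time
from collections import deque


class CallLimiter:
    """Global (not per-IP) limit: at most max_calls per interval seconds.

    Hypothetical class. The sliding window is an assumption; 0 or a
    negative value for either setting disables limiting, as in the answer.
    """

    def __init__(self, max_calls=100, interval=30.0, clock=time.monotonic):
        self.max_calls = max_calls
        self.interval = interval
        self._clock = clock
        self._lock = threading.Lock()
        self._accepted = deque()  # timestamps of accepted calls only

    def allow(self):
        """Return True if the call may proceed, False if it is rejected."""
        if self.max_calls <= 0 or self.interval <= 0:
            return True  # limiting disabled
        now = self._clock()
        with self._lock:
            # Forget accepted calls that have aged out of the window.
            while self._accepted and now - self._accepted[0] >= self.interval:
                self._accepted.popleft()
            if len(self._accepted) >= self.max_calls:
                # Rejections store nothing, so a flood cannot grow memory:
                # the deque never holds more than max_calls entries.
                return False
            self._accepted.append(now)
            return True


def replay(arrival_times, max_calls, interval):
    """Replay constructed arrival times (seconds); return each decision."""
    now = [0.0]
    limiter = CallLimiter(max_calls, interval, clock=lambda: now[0])
    decisions = []
    for t in arrival_times:
        now[0] = t
        decisions.append(limiter.allow())
    return decisions


if __name__ == "__main__":
    print(replay([0, 0.5, 1, 1.5, 2, 31], max_calls=3, interval=30))
```

Because the limit is global rather than per caller, one noisy client can use up the whole budget for everyone until the window slides past its calls.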
Whatever you do against DoS-Attacks, think if what you do may actually increase the load required to handle malicious or unwanted requests!
If you are using Linux then you should read this article:
Rule-based DoS attacks prevention shell script (from Linux Gazette)
It has the following topics:
/var/log/secure file
from the temporary file
Applying this without properly restricting the number of blocked IPs in iptables may introduce a DoS-Vulnerability by increasing the required resources to handle unsolicited requests.
To reduce that risk, use ipset to match IP-Addresses in iptables.
Also, read about ssh dictionary attack prevention using iptables. (Enabling iptables with stateful firewalling as suggested here does not protect against most DoS-Attacks but may actually ease DoS-Attacks that pollute your RAM with useless state info.)
New to Linux? Read the Windows-to-Linux roadmap: Part 5. Linux logging from IBM.
Good Luck!
This is a technique I found very useful.
Prevent Denial of Service (DOS) attacks in your web application