ddos interview questions
Top ddos frequently asked interview questions
So, I'd like to get more experience working with high-traffic websites, but unfortunately the Internet is not beating down the doors to my blog.
How can I simulate tens/hundreds of hits per second on my blog and test its performance? I'm hosting my blog with an SSH account on a shared server.
Source: (StackOverflow)
I heard that AWS protects customers from DDoS attacks, but I can't find any document that mentions that. Could you give me any site which tells about this?
Source: (StackOverflow)
DDoS (Distributed Denial of Service) attacks are generally blocked at the server level, right?
Is there a way to block it on a PHP level, or at least reduce it?
If not, what is the fastest and most common way to stop DDoS attacks?
Source: (StackOverflow)
What techniques and/or modules are available to implement robust rate limiting (requests|bytes/ip/unit time) in apache?
Source: (StackOverflow)
I have been learning node.js and socket.io lately. My question is how can I protect server against client side attacks?
This is my server code
    io.sockets.on('connection', function (socket) {
        //users.push(socket);
        socket.on('message', function (data) {
            socket.on('disconnect', function () { });
            socket.on('bcast', function (data) {
                socket.emit('news', { 'data': data });
                socket.broadcast.emit('news', { 'data': data });
            });
            socket.on('login', function(data){
                socket.emit('login', {'data': [ socket.id, data ] });
            });
        });
    });
For example, if a client uses Chrome developer tools to run the following code
    for (var i = 0; i < 99999999999; i++)
    {
        socket.emit('bcast', {data: 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'});
    }
it's going to kill the server.
Source: (StackOverflow)
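One way to bound what a single connection can cost the server in the handler above, as an added example that is not part of the original question: a per-socket token bucket with a payload size cap. `TokenBucket`, `guardSocket`, its option names and the constructed fake socket in `simulateFlood` are assumptions for illustration; `socket.on` and `socket.disconnect(true)` are the socket.io server calls it relies on.

```javascript
// Token bucket: allows bursts of `capacity` events, refilled at `refillPerSec`.
class TokenBucket {
  constructor(capacity, refillPerSec, now) {
    Object.assign(this, { capacity, refillPerSec, now, tokens: capacity, last: now() });
  }
  take() {
    const t = this.now();
    this.tokens = Math.min(this.capacity,
      this.tokens + ((t - this.last) / 1000) * this.refillPerSec);
    this.last = t;
    if (this.tokens < 1) return false;
    this.tokens -= 1;
    return true;
  }
}

// Hypothetical helper: wraps socket.on so every handler registered afterwards
// is rate limited and size limited; repeat offenders are disconnected.
function guardSocket(socket, opts = {}) {
  const { capacity = 10, refillPerSec = 5, maxChars = 1024,
          maxViolations = 20, now = Date.now } = opts;
  const bucket = new TokenBucket(capacity, refillPerSec, now);
  let violations = 0;
  const rawOn = socket.on.bind(socket);
  socket.on = (event, handler) => rawOn(event, (...args) => {
    if (event === 'disconnect') return handler(...args);
    const size = JSON.stringify(args).length; // size of the parsed payload
    if (size > maxChars || !bucket.take()) {
      if (++violations >= maxViolations) socket.disconnect(true);
      return; // drop silently: no emit, no broadcast
    }
    handler(...args);
  });
  return socket;
}

// Constructed fake socket replaying a flood like the one in the question.
function simulateFlood(count, opts) {
  const handlers = {};
  const socket = { closed: false,
    on(ev, fn) { handlers[ev] = fn; },
    disconnect() { this.closed = true; } };
  let delivered = 0;
  guardSocket(socket, opts).on('bcast', () => { delivered += 1; });
  let sent = 0;
  while (sent < count && !socket.closed) { handlers.bcast({ data: 'X'.repeat(35) }); sent += 1; }
  return { delivered, sent, closed: socket.closed };
}
```

In a real server, call `guardSocket(socket)` first inside the `connection` callback, before any `socket.on(...)`. The size check here runs after the message has been parsed, so the transport-level cap (socket.io's `maxHttpBufferSize` server option) still has to be set as well.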
I don't want someone to keep pressing F5 on my site or using some tool to request the page frequently.
That is to say, prevent an Action or the Controller from being invoked frequently by one client.
How can I implement this? Is there any package I can use, just like the AntiXSS library?
Source: (StackOverflow)
I'm having an issue with a web service with users trying to guess application IDs by looping over random IDs.
The bad requests are coming from random IPs, so I cannot just ban their IP (unless I do it dynamically, but I'm not looking into that yet).
Currently when I detect a client that has made 10 bad app ID attempts I put them on a block list in my app, and reject further requests from that IP for the day.
I want to minimize the amount of work my server needs to do, as the bad client will continue to send 1000s of requests even though they get rejected. I know there are dynamic Firewall solutions, but want something easy to implement in my app for now. Currently I am sleeping for 5 seconds to reduce the calls, but what I want to do is just not send a response to the client, so it has to timeout.
Anyone know how to do this in Java, in JAX-RS?
My service is like,
    @Path("/api")
    public class MyServer {
        @GET
        @Consumes(MediaType.APPLICATION_XML)
        @Produces(MediaType.APPLICATION_XML)
        @Path("/my-request")
        public String myRequest(String type,
                @Context HttpServletRequest requestContext,
                @Context HttpServletResponse response) {
            ...
        }
    }
See:
How to stop hack/DOS attack on web API
Source: (StackOverflow)
I am just thinking of moving a website from a VPS to Windows Azure Web Sites. After doing a load test, I accidentally took down my test website, using around 30MB over the daily bandwidth.
This made me wonder what would happen if my website was suddenly hit by a DDOS attack? I'm pretty sure everything would max out the daily and hourly limits in no time, even worse, redirecting all the users to the azure over limit notification.
Is there anything that can be done about that? I know the daily bandwidth limit will be harder to reach after I put all the images on a CDN, but I'm afraid what would happen if there's a spike or something.
Sorry for such an answer with no head and tail. I hope you guys will understand.
Source: (StackOverflow)
I am trying to write a script to prevent brute-force login attempts in a website I'm building. The logic goes something like this:
- User sends login information.
- Check if username and password is correct
    - If Yes, let them in.
    - If No, record a failed attempt in the database. Check if there's too many fails within a given timeframe (eg: 5 in 5 minutes):
        - If Yes, then pause execution for 10 seconds: sleep(10), then report a login failure to the user.
        - Report a login failure to the user immediately
Explaining this to a co-worker, I was asked how this would help if a hacker sent, say, 1000 requests in one second. Would the first 5 return immediately, and then the remaining 995 all take only 10 seconds?
I have a sneaking suspicion that I don't fully understand how HTTP works - is that situation above even possible, or is there a limit to the number of concurrent requests that a server will handle from one client?
Would a better solution be to have an increasing sleep time?
sleep($numRequestsInLast5Minutes - 5)
So the first 5 would be fast, and then every subsequent one would increase the sleep.
Source: (StackOverflow)
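In the logic described above the password is checked before the sleep, and sleeping requests run concurrently, so a burst of parallel guesses is still evaluated in full. The following added example (not part of the original question) shows a sliding-window lockout that is decided before the password check instead; `LoginThrottle`, `simulateBurst`, the in-memory map, the account name and the sample password are constructed for illustration.

```javascript
// Sliding-window lockout keyed by account name. The decision is made before the
// password is checked, so a locked account costs no hash and holds no worker.
class LoginThrottle {
  constructor({ maxFails = 5, windowMs = 5 * 60 * 1000 } = {}) {
    this.maxFails = maxFails;
    this.windowMs = windowMs;
    this.fails = new Map(); // username -> timestamps (ms) of recent failures
  }
  recent(user, now) {
    const kept = (this.fails.get(user) || []).filter(t => now - t < this.windowMs);
    this.fails.set(user, kept);
    return kept;
  }
  // Returns 'ok', 'bad-credentials' or 'locked'.
  attempt(user, password, checkPassword, now) {
    const kept = this.recent(user, now);
    if (kept.length >= this.maxFails) return 'locked';
    if (checkPassword(user, password)) { this.fails.delete(user); return 'ok'; }
    kept.push(now);
    return 'bad-credentials';
  }
}

// Constructed scenario from the question: `total` guesses arriving in one second.
function simulateBurst(total) {
  const throttle = new LoginThrottle();
  const check = (u, p) => p === 'correct horse'; // stand-in for a real hash compare
  const counts = { ok: 0, 'bad-credentials': 0, locked: 0 };
  for (let i = 0; i < total; i++) {
    const now = Math.floor(i * 1000 / total);
    counts[throttle.attempt('alice', 'guess' + i, check, now)] += 1;
  }
  // Even the right password is refused while the lock is active...
  const duringLock = throttle.attempt('alice', 'correct horse', check, 2000);
  // ...and accepted once the failures have aged out of the 5 minute window.
  const afterWindow = throttle.attempt('alice', 'correct horse', check, 1000 + 5 * 60 * 1000);
  return { counts, duringLock, afterWindow };
}
```

With several workers the failure count has to live in shared storage and be read and updated atomically, otherwise parallel requests all see a count below the limit. Locking by account also lets anyone lock a known user out, so the same window is often keyed on account plus client address.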
I'm developing an ASP.NET MVC web application and the client has requested that we try our best to make it as resilient as possible to Denial of Service attacks. They are worried that the site may receive malicious high volume requests with the intention to slow/take down the site.
I have discussed this with the product owner as really being out of the remit for the actual web application. I believe it falls to the responsibility of the hosting/network team to monitor traffic and respond to malicious requests.
However they are adamant that the application should have some precautions built into it. They do not want to implement CAPTCHA though.
It has been suggested that we restrict the number of requests that can be made for a session within a given time frame. I was thinking of doing something like this
Best way to implement request throttling in ASP.NET MVC? But using the session id not the client IP as this would cause problems for users coming from behind a corporate firewall - their IP would all be the same.
They have also suggested adding the ability to turn off certain areas of the site - suggesting that an admin user could turn off database intensive areas..... However this would be controlled through the UI and surely if it was under DOS attack an admin user would not be able to get to it anyway.
My question is, is it really worth doing this? Surely a real DOS attack would be much more advanced?
Do you have any other suggestions?
Source: (StackOverflow)
I have an idea for a website that I would like to develop and release. It is a web application that I would like to implement on some form of cloud-based web hosting service (i.e. the Google App Engine, Amazon Web Services, others that I may not be aware of...)
My problem is that even though my project is 100% legal, and not shady, it is highly susceptible to occasional DDOS attacks.
I've previously developed for the GAE and I am quite biased toward it. However, I can't seem to find that the Google service has any form of integrated DDOS protection. In fact, Google's own documentation states that if you think you've experienced a DDOS attack, you must provide the burden-of-proof, which they will research. If they think you have been attacked, they will reimburse you usage fees. Otherwise, you are left on your own.
Are there better, cloud-based hosting alternatives? I have my preferences, but I'm not married to any specific type of architecture or programming language.
What are my best cloud-based web hosting options for DDOS protection?
Source: (StackOverflow)
I'm implementing a device that ought to respond to SSDP M-SEARCH queries.
I'm a device vendor and I don't have control where these devices will be deployed.
There's a known DDoS attack that uses SSDP search amplification, that is attacker sends search requests from a fake address and poorly coded SSDP server responds to that fake address. Fake address ends up hammered.
What should I do to prevent my device from being used in such an attack?
1. Only set TTL=2 and rely on routers to drop the packets
2. Only respond to requests from own subnet
3. Add configuration option for valid query origin subnets
4. Guess what IP addresses are "local" and "global"
5. Add a response throttle, hope for the best
6. Your suggestions?
Wrt 1. TTL ought to be configurable per SSDP spec; even if it's quite low, responses still leak out of the local network. If there's a bridged VPN on the network, responses leak out quite far.
Wrt 2. I can imagine corporate networks where multiple subnets are reachable (e.g. one subnet for wireless clients, another for desktops, yet another for servers) and thus my device must be searchable across subnets (though subject to TTL per spec).
Wrt 3. Configuration and maintenance hassle.
Wrt 4. Is there a reliable way to do that? What about IPv6? What about networks that have e.g. /28 slice of global addresses?
Wrt 5. A trickle from a myriad devices still amounts to a torrent...
Ref: https://blog.sucuri.net/2014/09/quick-analysis-of-a-ddos-attack-using-ssdp.html
Source: (StackOverflow)
I am designing a RESTful API that is intended to be consumed by a single-page application and a native mobile app. Some calls of this API return public results that can be cached for a certain time. Moreover, there is a need for rate protection to protect the API against unauthorized users (spiders).
Can I use Cloudflare to implement caching and rate-limiting / DDOS protection for my RESTful API?
Caching: Cloudflare supports HTTP cache control headers so the API can decide for each entity requested via GET whether is public and how long it can be cached.
- However it is not clear whether the cache control header is also passed downstream to client, so will also trigger the browser to cache the response? This may not be desirable, as it could make troubleshooting more difficult
- Akamai has an Edge-Control header to ensure content is cached in CDN but not the browser. Can one do something similar with Cloudflare?
DDOS Protection: Cloudflare support has an article recommending that DDOS protection be disabled for backend APIs, but this does not apply to my use case where each client is supposed to make few requests to the API. The native DDOS protection actually fits my requirements for protecting the API against bots.
I need to know how I can programmatically detect when Cloudflare serves a Captcha / I'm under attack etc. page. This would then allow the SPA / mobile app to react intelligently, and redirect the user to a web view where she can demonstrate her "humanness".
From Cloudflare documentation, it is not obvious what HTTP status code is sent when a DDOS challenge is presented. An open-source cloudscraper to bypass Cloudflare DDOS protection seems to indicate that Captcha and challenge pages are delivered with HTTP status 200. Is there a better way than parsing the request body to find out whether DDOS protection kicked in?
Cloudflare apparently uses cookies to record who solved the Captcha successfully. This obviously creates some extra complexity with native apps. Is there a good way to transfer the Cloudflare session cookies back to a native app after the challenge has been solved?
Probably this is something of an advanced Cloudflare use case - but I think it's promising and would be happy to hear if anyone has experience with something like this (on Cloudflare or another CDN).
Source: (StackOverflow)
I am writing a web server application in C# and using StreamReader class to read from an underlying NetworkStream:
NetworkStream ns = new NetworkStream(clientSocket);
StreamReader sr = new StreamReader(ns);
String request = sr.ReadLine();
This code is prone to DoS attacks because if the attacker never disconnects we will never finish reading the line. Is there any way to limit the number of characters read by StreamReader.ReadLine() in .NET?
Source: (StackOverflow)
My understanding is that the only way to really mitigate a DDoS attack is to automate the process of blacklisting IP addresses/ranges.
Google App Engine (GAE) allows you to configure and upload a dos.xml file and specify IP addresses/ranges to blacklist at any given time.
Obviously, if my web app is under a well-orchestrated DDoS attack, the IP addresses/ranges that will be attacking me will be constantly changing.
How often does GAE allow me to update dos.xml? How long does it take the changes to go into effect? I ask because I'm devising an AutoBlacklister system that inspects the IP addresses that it believes to be the attackers, and will update dos.xml dynamically. If there are more than 100 attackers (GAE restricts you to 100 address/ranges) then only the Top 100 "worst offenders" will be on the list.
But, if dos.xml can only be updated with a certain periodicity (like once a day, etc.), and if it takes too long (more than a few minutes!) to take effect, then this system is pretty much useless against a real DDoS.
Also, this question assumes there's a way to automate the uploading of dos.xml: is there? I would imagine there's a secure URL I could upload the file to with something like HttpClient, but with GAE, you never know what terms/restrictions you're going to face! Thanks in advance!
Source: (StackOverflow)