EzDevInfo.com

denial-of-service interview questions

Top denial-of-service frequently asked interview questions

Can't Access Plesk Admin Because Of DOS Attack, Block IP Address Through SSH?

I can't access Plesk Admin because of a DOS attack; can I block a hostname or IP address through SSH? If so, how would I be able to do this?

Thank you!


Source: (StackOverflow)

How to enable DDoS protection?

DDoS (Distributed Denial of Service Attacks) are generally blocked on a server level right?

Is there a way to block it on a PHP level, or at least reduce it?

If not, what is the fastest and most common way to stop DDoS attacks?


Source: (StackOverflow)


Best practices for detecting DOS (denial of service) attacks? [closed]

I am looking for best practices for detecting and preventing DOS in the service implementation (not external network monitoring). The service handles queries for user, group and attribute information.

What is your favorite source of information on dealing with DOS?


Source: (StackOverflow)

Best practices for preventing Denial of Service Attack in Django

What are the best practices in Django to detect and prevent DoS attacks... Are there any ready-to-use apps or middleware available which prevent website access and scanning by bots?


Source: (StackOverflow)

Does Windows Azure have anything readily available against denial of service attacks?

We're developing a web service hosted in Windows Azure. We expect that at some moments bad guys try to DDOS it. I Googled and didn't find anything new and definitive (this one is rather vague) about whether Windows Azure has some features against denial of service attacks.

Do we need any special measures? What does Windows Azure offer to protect against denial of service attacks?


Source: (StackOverflow)

Server friendly slowban. Possible?

How is it possible to implement a slowban that will not be a tool for DoS to our site?

The problem is that a deliberate delay in serving an http response will keep server resources busy (web server threads and possibly other subsystems).


Source: (StackOverflow)

Denial of service for proxy /sql server

I develop a proxy which runs queries on SQL Server.

I.e. the user "talks" to the proxy, and the proxy sends the client's requests to the SQL server.

I am wondering how to prevent the proxy from being blocked if one of its clients sends requests which are not legal. In this case SQL Server will block the proxy, since eventually the requests are sent from the proxy's IP. But other proxy clients will not be able to access the proxy, since the proxy will be blocked. I want to permit the proxy to work as usual, but rather block only the client who attacked.


Source: (StackOverflow)

DOS protection in rails

It seems most people advise going with some sort of hardware solution in load balancers for DOS attacks. I notice if you try to do a curl on any major/semi-major website you get a 301.

For someone with a modest budget, what's the best way to protect against DOS attacks in Rails? If there is no solid solution, what's the 2nd best thing someone can do?


Source: (StackOverflow)

Security question: excessive Drupal requests from a single user account [closed]

I've noticed some strange behaviour on my Drupal site. I like to understand the data I'm looking at before I take action so that I don't waste time pursuing the wrong measures, but I lack the security knowledge to interpret it.

A single account has made many odd repeat requests, including attempting to reach the edit profile page, logging in (successfully - someone noticed the account had 250 active sessions a few days ago), and a huge number of password requests. The account does not have admin rights, and anyone can register for an account.

EDIT: Drupal version is 6.17.

My best guesses at what is going on are as follows:

(1) Joe Evil-doer is using multiple reset password requests as a DOS attack (it's working :< )

(2) Joe Evil-doer is trying to somehow build up a dictionary of possible passwords from his repeated requests (I don't see a way that this would work).

(3) I am a victim of a bunch of transactions failing and attempting to recommit many times over.

Any other scenarios? Does any of this match up with common Drupal exploits?

Here's the data. I ran the following query on the accesslog table in my database:

select count(*), title, path from accesslog where uid = 999 group by title, path;

With the results below (user ID and page names cleaned up, ofc). Count(*) in each column should indicate the number of requests received for each operation.

+----------+-------------------------+------------------------------------------+
| count(*) | title                   | path                                     |
+----------+-------------------------+------------------------------------------+
|       16 |                         | home                                     | 
|     1334 | Access denied           | user/999/edit                            | 
|      184 | Series                  | events/series                            | 
|        1 | Home                    | user/register                            | 
|        1 | Reset password          | user/reset/999/123124/a2340a1c1123/login | 
|        1 | username                | user/999                                 |   
|        5 | username                | user/999/edit                            | 
|        1 | username                | user/me                                  | 
|      904 | User account            | user/login                               | 
|    11252 | User account            | user/password                            | 
|      288 | User account            | user/register                            | 
|        1 | Validate e-mail address | user/validate/999/1283452346/a0f123459e  | 
+----------+-------------------------+------------------------------------------+

Source: (StackOverflow)

smurf attack using C#

I am currently developing an application for my Network Security project, which involves launching a smurf attack using C#. A smurf attack means that you send a packet to any server (let's say Yahoo, Google) but in your destination you place the IP address of any victim (which the attacker wants to attack). So with this all the hosts (Yahoo, Google) send responses to the victim; if a large number of requests are sent then it can also cause denial of service. Now the problem is implementing it in C#, because C# doesn't allow you to change the packet header. If I use the TcpClient class I can only give the IP + port of the host to connect to, but I cannot change anything in the packet header (it automatically places your IP in the destination of the packet). I just want to know whether there is any way that I can access and change the packet header.

Is there any library which can help me in this context?


Source: (StackOverflow)

Secure UDP Socket Programming

What are good programming practices in regards to blocking DoS attacks on a UDP client/server? The only thing that comes to mind at the moment is ignoring packets with the wrong sources, as such (using WinSock2):

if (oSourceAddr.sa_family == AF_INET) {
    // sa_data is raw bytes, not a dotted-quad string, so inet_addr() cannot parse it;
    // reinterpret the generic sockaddr as sockaddr_in and compare the raw IPv4 address.
    const sockaddr_in* pSource = reinterpret_cast<const sockaddr_in*>(&oSourceAddr);
    uSourceAddr = pSource->sin_addr.S_un.S_addr;

    // Only queue datagrams whose source matches the expected peer address.
    if (uSourceAddr == oCorrectDestAddr.sin_addr.S_un.S_addr) {
        queueBuffer.push(std::string(aBuffer));
    }
}

Attacks that are fast enough might cause this to block in a loop - especially if the packet size is small. Is there a way I can prevent packets from arriving from a certain source, or any source besides the correct one? What other things should I look out for? An explanation in code form would be especially helpful if the solutions are already built into the API.


Source: (StackOverflow)

How to Avoid DOS Attack using Berkeley Sockets in C++

I'm working my way through UNIX Network Programming Volume 1 by Richard Stevens and attempting to write a TCP Echo Client that uses the Telnet protocol. I'm still in the early stages and attempting to write the read and write functions.

I'd like to write it to use I/O Multiplexing and the Select function, because it needs to be multi-client and I don't want to try and tackle learning C++ threads while I'm trying to learn the Berkeley Sockets library at the same time. At the end of the chapter on I/O Multiplexing Stevens has a small section on DOS attacks where he says that the method I was planning on using is vulnerable to DOS attacks that simply send a single byte after connecting and then hang. He mentions 3 possible solutions afterwards - nonblocking IO, threading (out), and placing a timeout on the I/O operations.

My question is, are there any other ways of avoiding such an attack? And if not, which of these is the best? I glanced over the section on placing a timeout on the operations, but it doesn't look like something I want to do. The methods he suggests for doing it look pretty complex and I'm not sure how to work them into what I already have. I've only glanced at the chapter on NIO, it looks like it's the way to go right now, but I'd like to see if there are any other ways around this before I spend another couple of hours plowing through the chapter.

Any ideas?


Source: (StackOverflow)

Servlet filters for abuse prevention? (DoS, spam, etc)

I'm looking for a servlet filter library that helps me secure our web service against unauthorized usage and DDoS.

We have "authorized clients" for our web service, so ideally the filter would help detect clients that aren't authorized or behave improperly, or detect multiple people using the same account. Also we need a way to prevent DoS'ing of our various services since we have an open-account policy -- limiting the number of simultaneous connections for a user, etc.

We've looked at the Tomcat LockOutFilter and such but those are fairly primitive and only prevent against one sort of attack.

Of course there are many application-specific components of the solution, but I was wondering if someone had written up a general solution as a starting point.


Source: (StackOverflow)

TripleDESCryptoServiceProvider - vulnerable to Denial of Service?

We have a legacy ASP.NET site which uses the encryption methods here:

http://www.codekeep.net/snippets/af1cd375-059a-4175-93d7-25eea2c5c660.aspx

When we call the following method, the page loads very slowly and eventually Connection Reset is returned:

Decrypt(" ", true);

If the method is called multiple times in subsequent page requests, the Application Pool goes down.

This is occurring on a Windows 2008 server running .NET framework v3.5.

I narrowed the problem down to the TransformFinalBlock() call.

NOTE: on Cassini, I do not get a connection timeout; instead the following exception is thrown:

System.Security.Cryptography.CryptographicException: Bad Data

Calling Decrypt() for other strings causes no problems in any environment.

Why is this happening? Is it a bug in TripleDESCryptoServiceProvider?

Obviously, I could filter the cipherString to reject " " and avoid this particular issue. However, I am worried that some other cipherString values that I am not suspecting will cause the DoS.

UPDATE 2011.06.28

The following is the minimal code to reproduce the issue:

using System.Security.Cryptography;
using System.Text;

// problem occurs when toEncryptArray is an empty array {}
byte[] toEncryptArray = {};

MD5CryptoServiceProvider hashmd5 = new MD5CryptoServiceProvider();
byte[] keyArray = hashmd5.ComputeHash(UTF8Encoding.UTF8.GetBytes("dummy_key"));
hashmd5.Clear();

TripleDESCryptoServiceProvider tdes = new TripleDESCryptoServiceProvider();
tdes.Key = keyArray;
tdes.Mode = CipherMode.ECB;
tdes.Padding = PaddingMode.PKCS7;
ICryptoTransform cTransform = tdes.CreateDecryptor();

// the following line can crash the ASP.NET Application Pool (may need to call multiple times).
byte[] resultArray = cTransform.TransformFinalBlock(toEncryptArray, 0, toEncryptArray.Length);

tdes.Clear();

Source: (StackOverflow)

How to detect inbound HTTP requests sent anonymously via Tor?

I'm developing a website and am sensitive to people screen scraping my data. I'm not worried about scraping one or two pages -- I'm more concerned about someone scraping thousands of pages as the aggregate of that data is much more valuable than a small percentage would be.

I can imagine strategies to block users based on heavy traffic from a single IP address, but the Tor network sets up many circuits that essentially mean a single user's traffic appears to come from different IP addresses over time.

I know that it is possible to detect Tor traffic as when I installed Vidalia with its Firefox extension, google.com presented me with a captcha.

So, how can I detect such requests?

(My website's in ASP.NET MVC 2, but I think any approach used here would be language independent)


Source: (StackOverflow)