Protect yourself against DoS attacks


Question

This might be something more suited for Serverfault, but many webdevelopers who come only here will probably benefit from possible answers to this question.

The question is: How do you effectively protect yourself against Denial Of Service attacks against your webserver?

I was reading an article

For those not familiar, here's what I remember about it: a DoS attack will attempt to occupy all your connections by repeatedly sending bogus headers to your servers.

By doing so, your server will reach the limit of possible simultaneous connections and as a result, normal users can't access your site anymore.

Wikipedia provides some more info: http://en.wikipedia.org/wiki/Denial_of_service

Answer

There's no panacea, but you can make DoS attacks more difficult by doing some of the following:


  • Don't (or limit your willingness to) do expensive operations on behalf of unauthenticated clients
  • Throttle authentication attempts
  • Throttle operations performed on behalf of each authenticated client, and place their account on a temporary lockout if they do too many things in too short a time
  • Have a similar global throttle for all unauthenticated clients, and be prepared to lower this setting if you detect an attack in progress
  • Have a flag you can use during an attack to disable all unauthenticated access
  • Don't store things on behalf of unauthenticated clients, and use a quota to limit the storage for each authenticated client
  • In general, reject all malformed, unreasonably complicated, or unreasonably huge requests as quickly as possible (and log them to aid in detection of an attack)
  • Don't use a pure LRU cache if requests from unauthenticated clients can result in evicting things from that cache, because you will be subject to cache poisoning attacks (where a malicious client asks for lots of different infrequently used things, causing you to evict all the useful things from your cache and need to do much more work to serve your legitimate clients)

Remember, it's important to outright reject throttled requests (for example, with an HTTP 503: Service Unavailable response or a similar response appropriate to whatever protocol you are using) rather than queueing throttled requests. If you queue them, the queue will just eat up all your memory and the DoS attack will be at least as effective as it would have been without the throttling.

Some more specific advice for the HTTP servers:


  • Make sure your web server is configured to reject POST messages without an accompanying Content-Length header, and to reject requests (and throttle the offending client) which exceed the stated Content-Length, and to reject requests with a Content-Length which is unreasonably long for the service that the POST (or PUT) is aimed at
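The throttling points in the answer above (a global limit for unauthenticated clients that you can tighten, per-account limits with a temporary lockout, a lockdown flag, and rejecting with 503 instead of queueing) fit together in one small admission-control layer. The following is an added example, not code from the answer or any particular server; the class and function names, the rate and lockout values, and the sample traffic in `simulate()` are all assumptions chosen for illustration.

```python
"""Admission control for a web backend: a shared token bucket for anonymous
traffic, per-user buckets with temporary lockout for authenticated users,
and a lockdown flag. Added illustration, not the answer's own code; every
name, limit and the sample traffic below are assumptions."""
from dataclasses import dataclass
from typing import Dict, Optional


class TokenBucket:
    """Classic token bucket: up to `burst` requests at once, refilled at `rate`/s."""

    def __init__(self, rate: float, burst: float, now: float) -> None:
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, now

    def try_take(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1.0:
            return False
        self.tokens -= 1.0
        return True


@dataclass(frozen=True)
class Decision:
    status: int  # HTTP status to send right away; a 503 is never queued
    reason: str  # "ok", "throttled", "locked" or "lockdown"


class Admission:
    def __init__(self, unauth_rate=20.0, unauth_burst=50.0, auth_rate=5.0,
                 auth_burst=20.0, lockout_strikes=10, lockout_seconds=60.0):
        self.unauth_rate, self.unauth_burst = unauth_rate, unauth_burst
        self.auth_rate, self.auth_burst = auth_rate, auth_burst
        self.lockout_strikes, self.lockout_seconds = lockout_strikes, lockout_seconds
        self.global_unauth: Optional[TokenBucket] = None  # one bucket for all anonymous traffic
        self.per_user: Dict[str, TokenBucket] = {}        # state exists only for authenticated users
        self.strikes: Dict[str, int] = {}                 # consecutive throttled requests per user
        self.locked_until: Dict[str, float] = {}
        self.lockdown = False  # flip on during an attack: no anonymous access at all

    def _global(self, now: float) -> TokenBucket:
        if self.global_unauth is None:
            self.global_unauth = TokenBucket(self.unauth_rate, self.unauth_burst, now)
        return self.global_unauth

    def tighten_unauth(self, factor: float, now: float) -> None:
        """Lower the global anonymous limit when an attack is detected."""
        bucket = self._global(now)
        bucket.rate *= factor
        bucket.burst *= factor
        bucket.tokens = min(bucket.tokens, bucket.burst)

    def admit(self, user: Optional[str], now: float) -> Decision:
        """Decide synchronously: serve, or send the status and forget the request.
        No queue means a flood costs nothing beyond this bookkeeping."""
        if user is None:
            if self.lockdown:
                return Decision(503, "lockdown")
            if self._global(now).try_take(now):
                return Decision(200, "ok")
            return Decision(503, "throttled")
        if self.locked_until.get(user, 0.0) > now:
            return Decision(503, "locked")
        if user not in self.per_user:
            self.per_user[user] = TokenBucket(self.auth_rate, self.auth_burst, now)
        if self.per_user[user].try_take(now):
            self.strikes[user] = 0
            return Decision(200, "ok")
        self.strikes[user] = self.strikes.get(user, 0) + 1
        if self.strikes[user] >= self.lockout_strikes:
            self.strikes[user] = 0
            self.locked_until[user] = now + self.lockout_seconds
            return Decision(503, "locked")
        return Decision(503, "throttled")


def simulate() -> Dict[str, object]:
    """Constructed traffic (not a capture): an anonymous flood, one honest user,
    one abusive authenticated user, then lockdown and a tightened global limit."""
    adm = Admission()
    t = 1000.0
    anon = [adm.admit(None, t).reason for _ in range(60)]
    alice = adm.admit("alice", t).reason
    mallory = [adm.admit("mallory", t).reason for _ in range(35)]
    adm.lockdown = True
    under_lockdown = adm.admit(None, t).reason
    adm.lockdown = False
    adm.tighten_unauth(0.5, t)
    anon_later = [adm.admit(None, t + 10).reason for _ in range(30)]
    mallory_later = adm.admit("mallory", t + 61).reason
    return {"anon": anon, "alice": alice, "mallory": mallory,
            "under_lockdown": under_lockdown, "anon_later": anon_later,
            "mallory_later": mallory_later}


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, value if isinstance(value, str) else
              {r: value.count(r) for r in ("ok", "throttled", "locked")})
```

Two design choices carry the answer's points: `admit()` returns immediately and keeps no per-request state, so a rejected request costs memory only for the counters that already exist; and per-client state is created only for authenticated users, so an anonymous flood cannot make the dictionaries grow. In a real deployment the buckets would live in shared storage (or in the reverse proxy) rather than in one process.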
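The HTTP-specific bullet (reject a POST or PUT with no Content-Length, with a Content-Length that is unreasonable for the endpoint, or whose body runs past the declared length) is the kind of check most servers expose as configuration, but it is short enough to show as code. The following is an added example, not the answer's code or any server's implementation; the per-endpoint limits, the header representation and the sample requests are assumptions.

```python
"""Reject badly framed or oversized POST/PUT requests before doing any work.
Added illustration, not the answer's code; the limits, the header shape and
the sample requests are assumptions."""
from typing import List, Optional, Tuple

Header = Tuple[str, str]

# Declared-body caps per endpoint (assumed values); anything unlisted gets the default.
BODY_LIMITS = {"/login": 4 * 1024, "/upload": 8 * 1024 * 1024}
DEFAULT_LIMIT = 64 * 1024


def check_request_framing(method: str, path: str, headers: List[Header]) -> Optional[str]:
    """Return None to proceed, or a short reason to send 400/413, log, and throttle."""
    if method not in ("POST", "PUT"):
        return None
    values = [v.strip() for k, v in headers if k.lower() == "content-length"]
    if not values:
        return "missing Content-Length"
    if len(set(values)) != 1:  # duplicate, disagreeing headers: classic desync bait
        return "conflicting Content-Length headers"
    if not (values[0].isascii() and values[0].isdigit()):  # rejects "", "-1", "1e6"
        return "malformed Content-Length"
    declared = int(values[0])
    limit = BODY_LIMITS.get(path, DEFAULT_LIMIT)
    if declared > limit:
        return f"Content-Length {declared} exceeds {limit} allowed for {path}"
    return None


class BodyReader:
    """Counts body bytes as they arrive; aborts the moment the declared length is exceeded."""

    def __init__(self, declared: int) -> None:
        self.declared, self.received = declared, 0

    def feed(self, chunk: bytes) -> Optional[str]:
        self.received += len(chunk)
        if self.received > self.declared:
            return "body exceeds declared Content-Length"  # close the connection
        return None

    def complete(self) -> bool:
        return self.received == self.declared


SAMPLES = [  # constructed requests, not captured traffic
    ("POST", "/login", [("Host", "app.example"), ("Content-Length", "128")]),
    ("POST", "/login", [("Host", "app.example")]),
    ("POST", "/login", [("Content-Length", "5000")]),
    ("PUT", "/upload", [("Content-Length", "-1")]),
    ("POST", "/api", [("Content-Length", "10"), ("Content-Length", "20")]),
    ("GET", "/", []),
]


def triage() -> List[Optional[str]]:
    return [check_request_framing(m, p, h) for m, p, h in SAMPLES]


if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, triage()):
        print(sample[0], sample[1], "->", verdict or "accept")
```

One caveat the answer does not mention: a request with `Transfer-Encoding: chunked` legitimately carries no Content-Length. If you accept chunked bodies, run them through the same byte counter against an absolute cap, and refuse any request that sends both headers, since disagreeing framing is what request-smuggling attacks rely on.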
