Prevent Malicious Requests - DoS Attacks


Problem description

I'm developing an ASP.NET MVC web application and the client has requested that we try our best to make it as resilient as possible to Denial of Service attacks. They are worried that the site may receive malicious high-volume requests with the intention of slowing down or taking down the site.

I have discussed this with the product owner as really being outside the remit of the actual web application. I believe it falls to the hosting/network team to monitor traffic and respond to malicious requests.

However, they are adamant that the application should have some precautions built into it. They do not want to implement CAPTCHA, though.

It has been suggested that we restrict the number of requests that can be made for a session within a given time frame. I was thinking of doing something like this: Best way to implement request throttling in ASP.NET MVC? (http://stackoverflow.com/questions/33969/best-way-to-implement-request-throttling-in-asp-net-mvc), but using the session ID rather than the client IP, as the latter would cause problems for users coming from behind a corporate firewall - their IPs would all be the same.

They have also suggested adding the ability to turn off certain areas of the site, suggesting that an admin user could turn off database-intensive areas. However, this would be controlled through the UI, and surely if the site were under DoS attack an admin user would not be able to get to it anyway.

My question is, is it really worth doing this? Surely a real DoS attack would be much more advanced?

What other suggestions do you have?
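Added example, not code from the question or from the linked Stack Overflow answer: an ASP.NET MVC action filter implementing the session-keyed throttle the question is considering. The attribute name, the MemoryCache key layout, the 429 response and the fallback to the client address are choices made for this example.

```csharp
using System;
using System.Runtime.Caching;
using System.Runtime.CompilerServices;
using System.Threading;
using System.Web;
using System.Web.Mvc;

// Example code for this page, not from the original post. Fixed-window
// throttle keyed on the ASP.NET session ID, falling back to the client IP
// when no established session exists. Names are assumptions.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public sealed class ThrottleBySessionAttribute : ActionFilterAttribute
{
    public int MaxRequests { get; set; } = 10;   // per window, per client key, per action path
    public int WindowSeconds { get; set; } = 2;

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        HttpContextBase http = filterContext.HttpContext;
        string key = "throttle|" + ClientKey(http) + "|" + http.Request.Path.ToLowerInvariant();

        // MemoryCache.Default expires the counter together with the window, so
        // the count resets by itself. AddOrGetExisting returns null when our
        // fresh box was inserted, and the already cached box otherwise.
        var fresh = new StrongBox<int>(0);
        var box = (StrongBox<int>)MemoryCache.Default.AddOrGetExisting(
            key, fresh, DateTimeOffset.UtcNow.AddSeconds(WindowSeconds)) ?? fresh;

        if (Interlocked.Increment(ref box.Value) > MaxRequests)
        {
            http.Response.AppendHeader("Retry-After", WindowSeconds.ToString());
            // Short-circuits the pipeline: the action and its database work never run.
            filterContext.Result = new HttpStatusCodeResult(429, "Too Many Requests");
        }
    }

    private static string ClientKey(HttpContextBase http)
    {
        // ASP.NET only keeps a session once something has been stored in it; a
        // client that drops the cookie (as an attack script would) gets a new
        // SessionID on every request and would never be throttled. Key on the
        // session only when the browser presented an existing one, otherwise
        // on the address.
        HttpSessionStateBase session = http.Session;
        if (session != null && !session.IsNewSession)
            return "sid:" + session.SessionID;
        return "ip:" + http.Request.UserHostAddress;
    }
}

// Usage: limit a database-heavy action to 10 requests per 2 seconds per client.
public class ReportsController : Controller
{
    [ThrottleBySession(MaxRequests = 10, WindowSeconds = 2)]
    public ActionResult Index()
    {
        return View();
    }
}
```

The project needs a reference to System.Runtime.Caching. Because ASP.NET assigns a stable SessionID only after something has been stored in the session, the application has to put something into Session (for example at login) before the corporate-NAT users the question mentions get their own bucket; until then, and for any client that simply discards the cookie, the filter falls back to the address. Action filters run after routing and model binding, so this only cuts the cost of each abusive request rather than preventing it from reaching the server.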

Recommended answer

A Denial of Service attack can be pretty much anything that would affect the stability of your service for other people. In this case you're talking about a network DoS and, as already stated, this generally wouldn't happen at your application level.

Ideally, this kind of attack would be mitigated at the network level. There are dedicated firewalls built for this, such as the Cisco ASA 5500 series, which works its way up from basic protection through to high-throughput mitigation. They're pretty smart boxes and I can vouch for their effectiveness at blocking these types of attacks, so long as the correct model for the throughput you're getting is being used.

Of course, if it's not possible to have access to a hardware firewall that does this for you, there are some stopgap measures you can put in place to assist with defence against these types of attacks. Please note that none of these are going to be even half as effective as a dedicated firewall would be.

One such example would be the IIS module Dynamic IP Restrictions, which allows you to define a limit on the maximum number of concurrent requests. However, in practice this has a downside in that it may start blocking legitimate requests from browsers that have a high concurrent request throughput for downloading scripts, images, etc.

Finally, something you could do that is really crude, but also really effective, is something like what I had written previously. Basically, it was a small tool that monitored log files for duplicate requests from the same IP. So let's say 10 requests to /Home over 2 seconds from 1.2.3.4. If this was detected, a firewall rule (in Windows Advanced Firewall, added using shell commands) would be added to block requests from this IP; the rule could then be removed 30 minutes or so later.

Like I say, it's very crude, but if you have to do it at the server level you don't really have many sensible options, since it's not where it should be done. You are exactly correct in that the responsibility somewhat lies with the hosting provider.

Finally, you're right about the CAPTCHA, too. If anything, it could assist a DoS by performing image generation (which could be resource intensive) over and over again, thus starving your resources even more. The time a CAPTCHA would be effective, though, would be if your site were being spammed by automated registration bots, but I'm sure you knew that already.

If you really want to do something at the application level just to please the powers that be, implementing some IP-based request restriction in your app is doable, albeit 90% ineffective (since you will still have to process the request).
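Added example, not the answerer's tool: a small console program that applies the approach described in the answer (read IIS W3C log lines, detect a burst of identical requests from one address, add a time-limited Windows Firewall block through netsh). The log field order, the rule name and the sample log lines are assumptions or constructed for this example; the threshold of 10 requests to one path in 2 seconds and the 30-minute block come from the answer's own numbers.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Globalization;
using System.IO;
using System.Net;
using System.Threading;

// Example code for this page, not the tool the answer describes. Field order,
// rule naming and the sample lines are assumptions, marked where they appear.
public sealed class BurstDetector
{
    private readonly int _threshold;
    private readonly TimeSpan _window;
    // "c-ip cs-uri-stem" -> timestamps of recent hits, oldest first
    private readonly Dictionary<string, Queue<DateTime>> _hits = new Dictionary<string, Queue<DateTime>>();
    private readonly HashSet<string> _blocked = new HashSet<string>();

    public BurstDetector(int threshold, TimeSpan window) { _threshold = threshold; _window = window; }

    // Feeds one IIS W3C log line. Returns the client IP the first time it reaches
    // the threshold for a single path inside the sliding window, otherwise null.
    public string Observe(string line)
    {
        if (line.Length == 0 || line[0] == '#') return null;          // W3C directive lines
        string[] f = line.Split(' ');
        // Assumed default IIS W3C field order:
        // date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip ...
        if (f.Length < 9) return null;
        if (!DateTime.TryParseExact(f[0] + " " + f[1], "yyyy-MM-dd HH:mm:ss", CultureInfo.InvariantCulture,
                DateTimeStyles.AssumeUniversal | DateTimeStyles.AdjustToUniversal, out DateTime ts)) return null;
        // Never hand an unvalidated log field to netsh: only a literal address,
        // re-serialised from its parsed form, reaches the command line.
        if (!IPAddress.TryParse(f[8], out IPAddress addr)) return null;
        string ip = addr.ToString();
        if (_blocked.Contains(ip)) return null;

        string key = ip + " " + f[4];
        if (!_hits.TryGetValue(key, out Queue<DateTime> q)) _hits[key] = q = new Queue<DateTime>();
        q.Enqueue(ts);
        while (ts - q.Peek() > _window) q.Dequeue();                 // drop hits older than the window

        if (q.Count < _threshold) return null;
        _blocked.Add(ip);
        return ip;
    }

    public void Forget(string ip) => _blocked.Remove(ip);
}

public static class Firewall
{
    private static string RuleName(string ip) => "DoSGuard " + ip;   // assumed naming

    public static void Block(string ip) =>
        Netsh("advfirewall firewall add rule name=\"" + RuleName(ip) + "\" dir=in action=block remoteip=" + ip);

    public static void Unblock(string ip) =>
        Netsh("advfirewall firewall delete rule name=\"" + RuleName(ip) + "\"");

    private static void Netsh(string arguments)
    {
        // Needs an elevated process; netsh prints "Ok." on success.
        var psi = new ProcessStartInfo("netsh", arguments) { UseShellExecute = false, CreateNoWindow = true };
        using (Process p = Process.Start(psi)) p.WaitForExit();
    }
}

public static class Program
{
    private static readonly TimeSpan BlockFor = TimeSpan.FromMinutes(30);

    // Usage: DoSGuard.exe <u_ex*.log> [--apply]
    // Without --apply the tool only reports; with it, rules are added and removed after BlockFor.
    // With no file argument it runs over the constructed sample below.
    public static void Main(string[] args)
    {
        var detector = new BurstDetector(threshold: 10, window: TimeSpan.FromSeconds(2));
        bool apply = Array.IndexOf(args, "--apply") >= 0;
        IEnumerable<string> lines = args.Length > 0 && File.Exists(args[0]) ? File.ReadLines(args[0]) : SampleLines();
        var timers = new List<Timer>();   // keeps the unblock timers alive

        foreach (string line in lines)
        {
            string ip = detector.Observe(line);
            if (ip == null) continue;
            Console.WriteLine("burst from " + ip + ", blocking for " + BlockFor);
            if (!apply) continue;
            Firewall.Block(ip);
            timers.Add(new Timer(_ => { Firewall.Unblock(ip); detector.Forget(ip); },
                                 null, BlockFor, Timeout.InfiniteTimeSpan));
        }
        if (timers.Count > 0) Thread.Sleep(BlockFor + TimeSpan.FromSeconds(5));   // outlive the rules
    }

    // Constructed sample: 1.2.3.4 requests /Home ten times inside two seconds, 5.6.7.8 browses normally.
    private static IEnumerable<string> SampleLines()
    {
        yield return "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status";
        yield return "2013-05-01 10:00:00 10.0.0.5 GET /Home - 80 - 5.6.7.8 Mozilla/5.0 200";
        for (int i = 0; i < 10; i++)
            yield return "2013-05-01 10:00:0" + (i / 5) + " 10.0.0.5 GET /Home - 80 - 1.2.3.4 curl/7.30 200";
        yield return "2013-05-01 10:00:03 10.0.0.5 GET /Account/Login - 80 - 5.6.7.8 Mozilla/5.0 200";
    }
}
```

Run it from an elevated prompt with a log path and --apply to actually add the rules; without --apply it only reports, which is the safe way to tune the threshold against real logs first. Two caveats when blocking on c-ip: behind a load balancer or reverse proxy that field holds the proxy's address, so a block there cuts off every user (the forwarded client address would have to be logged and used instead), and, as the question itself notes, users behind one corporate NAT share an address and would be blocked together.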

