How to prevent DOS attacks on my http server which written in node.js?

Asked 22/12, 2011 at 22:3 Answered 25/3, 2014 at 2:4

using node.js, the net module for building a tcp server which can hande http requests.

I would like to prevent dos attacks so what I have done is somthing like this:

if (status.numOfCurrentRequests + 1 >= MAX_NUM_OF_CONNECTIONS) {
    socket.end();
    return; 
}

I was wondering if it is better to use :

socket.destroy();

from the API :

socket.destroy() # Ensures that no more I/O activity happens on this socket. Only necessary in case of errors (parse error or so).

what are the differences and benefits?

Element answered 22/12, 2011 at 22:3 Comment(1)

why not use the firewall for limiting maximum number of connections? – Standup 22/12, 2011 at 22:19

A DOS attack really shouldn't be handled by your HTTP server. Once a request has reached it the attacker has 'won' by taking up a connection (no matter how short). Even if they are short they can just slam it with thousands/sec and prevent anyone else from connecting. Also, they might not attempt to 'connect' via TCP and just flood the server with all sorts of requests.

Block/detect DOS attacks at a lower level or via a firewall, which I'm sure many software and hardware versions support some basic types of DOS detection and prevention.

Ea answered 22/12, 2011 at 22:47 Comment(3)

There are people who recommend to use random token as identifier in autologin cookie best practice because of DoS prevention. They seem to disagree with your approach. :) – Acceptor 12/3, 2015 at 8:36

"Once a request has reached it the attacker has 'won' by taking up a connection (no matter how short)." Well that depends on what kind of server this is and for what purpose it exists. – Rheotaxis 22/2, 2021 at 22:49

@Acceptor random token seems to be a good idea, but the problem is the cost of generating them all the time. – Prevost 12/7, 2022 at 5:57

from the API if it helps anyone, should be used smartly :

 server.pause(msecs)

Stop accepting connections for the given number of milliseconds (default is one second). This could be useful for throttling new connections against DoS attacks or other oversubscription.

Element answered 26/12, 2011 at 23:1 Comment(0)

Total.js Framework: https://github.com/totaljs/modules/blob/master/ddos/ddos.js

var counter = 0;
var ip = {};
var ban = {};
var ban_length = 0;
var interval = 0;
exports.install = function () {
    framework.onRequest = function (req, res) {
        if (ban_length > 0 && ban[req.ip]) {
            req.connection.destroy();
            return true
        }
        var count = (ip[req.ip] || 0) + 1;
        ip[req.ip] = count;
        if (count === 1) counter++;
        if (count < exports.options.maximum) return false;
        ban[req.ip] = exports.options.minutes + 1;
        ban_length++;
        return true
    };
    setInterval(function () {
        interval++;
        var keys;
        var length;
        var count;
        if (ban_length > 0 && interval % 60 === 0) {
            keys = Object.keys(ban);
            length = keys.length;
            count = 0;
            for (var i = 0; i < length; i++) {
                var key = keys[i];
                if (ban[key]-- > 0) continue;
                ban_length--;
                delete ban[key]
            }
            if (ban_length < 0) ban_length = 0
        }
        if (counter <= 0) return;
        keys = Object.keys(ip);
        length = keys.length;
        counter = length;
        for (var i = 0; i < length; i++) {
            var key = keys[i];
            var count = ip[key]--;
            if (count > 0) continue;
            counter--;
            delete ip[key]
        }
        if (counter < 0) counter = 0
    }, 1e3)
};
exports.usage = function () {
    return {
        bans: ban_length
    }
};
exports.options = {
    maximum: 1e3,
    minutes: 5
};

Biddie answered 25/3, 2014 at 2:4 Comment(0)

Recommended topics

Hot tags