0

I came up with an model to reduce DoS and DDoS attacks and would like your input on its effectiveness... enter image description here

Basically, once a request reaches our servers without having a valid key, we add a key as a query parameter of the url, then return a redirect response to the client with the same url but with a valid key.

Then we can use this key to throttle the requests instead of using an IP Address.

I understand that the attacker might still make millions of new requests to the server, but redirecting the client should be fairly lighter than say downloading a video or large file.

What do you think?

McKabue
  • 107
  • 2
  • How do you expect reducing DoS and DDoS if you still have to serve a trillion valid keys and then validate those trillion of queries with /or without) the key? You are killing yourself in the very first loop of the protocol. – Laiv Dec 16 '19 at 10:46
  • 1
    The key to helping with DDOS is to do less per request not more. – coteyr Dec 16 '19 at 10:47
  • In other words, your countermeasure should slow down the client, shrinking the capacity of the client to do new requests. There're some approaches through which the server purpose a challenge to the client, solving the challenge takes a certain amount of resources and time to the later. – Laiv Dec 16 '19 at 10:51
  • How you prevent the service that checks the key from being DDOS'ed, and thus blocking access to the rest of your services anyway? You're just pushing the bottleneck to somewhere else. – T. Sar Dec 16 '19 at 11:41

1 Answers1

4

The problem with DOS or DDOS is that they are legitimate requests. Your flow may help but it will not solve the problem. Imagine 4 million requests doing step one all at the exact same time. DDOS.

There is no way to "prevent" a DDOS attack because it is a valid request. You're best bet is to simply throttle connection attempts in a way that no human would be likely to trigger. Say 10 requests a second per IP. Then add additional filtering for very broad ranges, for example, if most of your customers are in the US, filter all other countries' IP addresses to a collective 20 connections a second.

Finally, review the status of connections when there is a problem and blackhole known bad behavior IP address ranges.

Still, even that can't totally prevent DDOS attacks. It can greatly reduce them though and that will make you a far less attractive target.

plr108
  • 111
  • 4
coteyr
  • 2,420
  • 1
  • 12
  • 14
  • My concern against throttling the requests with IP address is because an entity like a school using a single router would have one public IP Address, so there is a very high possibility of multiple requests from one IP address. – McKabue Dec 16 '19 at 11:38
  • 2
    Then forget throttling request by IP and just set a white list or a firewall rule so that only a given IP or a range of IPs can hit the service. Or set customizable throttling policies by IP or range of IPs. Whatever is out of the policies or the white list is ignored, rejected or redirected to shrink hole. Whatever you do, implement it OUT of the service because it's an infrastructure concern to be solved at the infrastructure level. – Laiv Dec 16 '19 at 11:55