# Denial-of-Service Attacks
If an attacker can exhaust all possible resources on your server by making too many time-consuming HTTP requests, they can make your website unavailable to others. Swamping a server with requests to take it offline in this way is called a **denial-of-service** (DOS) attack.
Denial-of-service attacks are easy to launch (with enough computing power) and hard to defend against. Here are some things you can do to prepare yourself for a flood of unwanted HTTP requests.
## Install a Firewall
A firewall can block traffic from a configurable set of IP addresses or IP ranges, allowing you to fend off simple denial-of-service attacks. Some vendors offer *distributed denial-of-service* (DDOS) protection, using smart heuristics to detect and block malicious traffic spread over a wide range of IP addresses.
## Don’t Make It Easy For An Attacker
If a malicious HTTP request can consume a lot of computing resources, an attacker will take advantage of this. Attackers will exploit flaws in your code logic to launch *logic-based* DOS attacks, or unsafe regular expressions to launch *regex-injection* DOS attacks. Here are some ways to avoid these pitfalls:
* Set a maximum content length on requests – particularly file uploads – so your server doesn’t get tied up dealing with large requests. In many frameworks you can set these sizes via configuration. This is how you set the maximum file size to 16 megabytes in the Flask web-server, for example:

  ```python
  from flask import Flask

  app = Flask(__name__)
  # Request bodies larger than 16 MB are rejected with HTTP 413 Request Entity Too Large
  app.config['MAX_CONTENT_LENGTH'] = 16 * 1000 * 1000
  ```
* Make sure any regular expressions you use are safe from regex injection attacks by avoiding repeated (quantified) groups that themselves contain repeated patterns or characters; that shape lets a crafted input trigger catastrophic backtracking.
* Don’t allow users to upload archive formats like zip files. These can be maliciously constructed to expand exponentially when unarchived.
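Two of the list items above can be checked mechanically. The block below is an added example, not code from the original page: `has_nested_quantifier` is a small heuristic lint (an assumption of this example, not a library function) that flags the "repeated group containing a repetition" shape the regex item warns about, and `zip_expansion_ratio` reads a zip archive's central directory to compare declared uncompressed size against compressed size without extracting anything, so an upload that would balloon on disk can be refused up front. The sample patterns and the in-memory zip files are constructed for the demonstration.

```python
import io
import zipfile

QUANTIFIERS = set("*+{")  # '?' is left out: (a?)+ does not show the nested-repetition blow-up


def has_nested_quantifier(pattern: str) -> bool:
    """Heuristic lint for the regex shape behind catastrophic backtracking:
    a quantified group that itself contains a quantifier, e.g. (a+)+ or (\\d*)*x.
    Escapes, character classes and (?...) group prefixes are skipped so that
    '[+*]+' and '(?:abc)+' are not reported. It is a lint, not a proof of safety."""
    stack = []          # one flag per open group: did a quantifier occur inside it?
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\":                      # escaped character such as \d or \+
            i += 2
            continue
        if c == "[":                       # character class: quantifier chars are literal inside
            i += 1
            if i < n and pattern[i] == "^":
                i += 1
            if i < n and pattern[i] == "]":  # a leading ']' is literal
                i += 1
            while i < n and pattern[i] != "]":
                i += 2 if pattern[i] == "\\" else 1
            i += 1                         # step past the closing ']'
            continue
        if c == "(":
            stack.append(False)
            if i + 1 < n and pattern[i + 1] == "?":   # (?:, (?=, (?P<name> prefixes are not quantifiers
                i += 3
                continue
        elif c == ")":
            inner = stack.pop() if stack else False
            if inner and i + 1 < n and pattern[i + 1] in QUANTIFIERS:
                return True                # a group with inner repetition is itself repeated
            if inner and stack:
                stack[-1] = True           # bubble the flag up to the enclosing group
        elif c in QUANTIFIERS and stack:
            stack[-1] = True
        i += 1
    return False


def zip_expansion_ratio(data: bytes) -> float:
    """Declared uncompressed bytes divided by compressed bytes, taken from the
    central directory so nothing is extracted. Nested archives hide their inner
    layers from this check, which is why refusing archives outright is safer."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        uncompressed = sum(info.file_size for info in infos)
        compressed = sum(info.compress_size for info in infos)
    if compressed == 0:
        return float("inf") if uncompressed else 0.0
    return uncompressed / compressed


def is_suspicious_zip(data: bytes, max_ratio: float = 100.0) -> bool:
    """Policy helper (assumed threshold): refuse archives that expand more than max_ratio times."""
    return zip_expansion_ratio(data) > max_ratio


def make_zip(name: str, payload: bytes) -> bytes:
    """Build an in-memory DEFLATE zip; used only to construct sample inputs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    for p in [r"^(a+)+$", r"^[a-z]+@[a-z]+\.[a-z]{2,}$", r"(?:abc)+"]:
        print(f"{p!r}: nested quantifier = {has_nested_quantifier(p)}")
    compressible = make_zip("payload.bin", b"\0" * 4_000_000)   # constructed: 4 MB of zeros
    text = make_zip("readme.txt", b"The quick brown fox jumps over the lazy dog.\n")
    print("zeros ratio:", round(zip_expansion_ratio(compressible)),
          "text ratio:", round(zip_expansion_ratio(text), 2))
```

Run the lint over the patterns in your code base at review time rather than in the request path; the zip check, if you must accept archives at all, belongs in the upload handler before anything is written to disk.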
## Build Your Site to Scale
You should ensure your website is responsive in the face of large traffic surges, whether it’s from an attacker or just hitting the front page of Reddit. Here are some things to focus on:
* Serve static content from a *Content Delivery Network* (CDN); this takes a lot of load off your web-servers.
* Use caching. Cache resources in the browser by setting the `Cache-Control` header on frequently accessed resources. Cache frequently accessed objects in-memory on the server.
* Push long-running tasks to job queues, and have dedicated worker processes handle these jobs outside the web-server.
* Deploy your web-server instances behind a load-balancer, and make it easy to add extra servers when traffic volumes surge.
* Make sure your database is well indexed, and data queries are optimized.
* Install monitoring software, so you can track response times and the number of requests per second.
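The last two items are easier to act on with numbers in hand. The following added example (not code from the original page) parses a few constructed access-log lines in nginx combined format with a trailing `$request_time` field, then reports requests per second, the seconds that exceed a chosen threshold, the busiest client addresses and the slowest paths by mean latency. The log lines, the TEST-NET client addresses and the surge threshold are all assumptions of the example; the functions are plain helpers rather than any monitoring product's API.

```python
import math
import re
from collections import Counter, defaultdict

# nginx combined format plus $request_time. No quantified group contains its own
# quantifier, so the pattern itself cannot backtrack catastrophically.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-) ([0-9.]+)$'
)

# Constructed sample: one client hammers an expensive search endpoint while
# others browse normally. Addresses are from the TEST-NET documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=a HTTP/1.1" 200 512 0.843
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=b HTTP/1.1" 200 498 0.911
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=c HTTP/1.1" 200 503 0.877
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=d HTTP/1.1" 200 510 0.902
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 2048 0.021
198.51.100.9 - - [10/Oct/2023:13:55:36 +0000] "GET /static/app.js HTTP/1.1" 200 30210 0.004
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /about HTTP/1.1" 200 1337 0.018
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /search?q=e HTTP/1.1" 200 505 0.869
198.51.100.11 - - [10/Oct/2023:13:55:38 +0000] "POST /api/items HTTP/1.1" 201 64 0.035
198.51.100.9 - - [10/Oct/2023:13:55:38 +0000] "GET /static/logo.png HTTP/1.1" 200 8192 0.003
"""


def parse_access_log(text):
    """Turn log text into dicts; lines in another format are skipped, not fatal."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, target, status, _size, rt = m.groups()
        entries.append({
            "ip": ip,
            "second": ts,                       # one-second buckets are enough for req/s
            "method": method,
            "path": target.split("?", 1)[0],    # group by path, not by query string
            "status": int(status),
            "latency": float(rt),
        })
    return entries


def requests_per_second(entries):
    return Counter(e["second"] for e in entries)


def surge_seconds(counts, threshold):
    """Seconds whose request count exceeds the (assumed) alerting threshold."""
    return sorted(sec for sec, n in counts.items() if n > threshold)


def top_clients(entries, n=3):
    return Counter(e["ip"] for e in entries).most_common(n)


def slowest_paths(entries):
    """Paths ordered by mean latency; slow, popular paths are the ones to cache,
    index or push to a job queue first."""
    by_path = defaultdict(list)
    for e in entries:
        by_path[e["path"]].append(e["latency"])
    means = ((path, sum(v) / len(v)) for path, v in by_path.items())
    return sorted(means, key=lambda item: -item[1])


def percentile(values, pct):
    """Nearest-rank percentile, the usual way to summarise response times."""
    ordered = sorted(values)
    rank = math.ceil(pct / 100 * len(ordered)) - 1
    return ordered[max(rank, 0)]


if __name__ == "__main__":
    entries = parse_access_log(SAMPLE_LOG)
    counts = requests_per_second(entries)
    print("requests per second:", dict(counts))
    print("surge seconds (>5 req/s):", surge_seconds(counts, threshold=5))
    print("top clients:", top_clients(entries))
    print("slowest paths:", slowest_paths(entries)[:2])
    print("p95 latency:", percentile([e["latency"] for e in entries], 95))
```

On a real deployment the same aggregates come from your monitoring stack; the point of the example is which numbers to watch: a jump in requests per second, one address dominating the client list, and a handful of paths carrying most of the latency.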
## Alert Your Users About Downtime
Even large websites have downtime sometimes. If you support a large community of frequent visitors, you should build out a separate status page and have an alerting mechanism to tell users when the site is down. If your site implements an API, your API endpoints should return a meaningful error code like HTTP 429 (Too Many Requests) when the server is overwhelmed.
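A 429 is only meaningful if the server decides to send it before it is actually overwhelmed. The block below is an added example, not code from the original page: a per-client token bucket that answers each request with either "allowed" or a 429 carrying a `Retry-After` header, so well-behaved clients know when to come back. The capacity, refill rate and client key are assumptions of the example, and the clock is injectable so the behaviour can be checked without sleeping.

```python
import math
import time


class RateLimiter:
    """Token bucket per client key. Each client starts with `capacity` tokens,
    spends one per request and regains `refill_per_second` tokens over time."""

    def __init__(self, capacity, refill_per_second, clock=time.monotonic):
        self.capacity = capacity
        self.refill = refill_per_second
        self.clock = clock                     # injectable for deterministic tests
        self._buckets = {}                     # client -> (tokens, last_seen)

    def check(self, client):
        now = self.clock()
        tokens, last = self._buckets.get(client, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill)
        if tokens >= 1:
            self._buckets[client] = (tokens - 1, now)
            return {"status": 200, "headers": {}}
        # Not enough budget: tell the client how many whole seconds until one token is back.
        retry_after = math.ceil((1 - tokens) / self.refill)
        self._buckets[client] = (tokens, now)
        return {"status": 429, "headers": {"Retry-After": str(retry_after)}}


def handle_api_request(limiter, client_id, handler):
    """Wrap an API handler: return (status, headers, body), short-circuiting with a
    429 and a JSON-style error body instead of running the expensive handler."""
    verdict = limiter.check(client_id)
    if verdict["status"] == 429:
        return 429, verdict["headers"], {"error": "too many requests, retry later"}
    return 200, {}, handler()


if __name__ == "__main__":
    limiter = RateLimiter(capacity=3, refill_per_second=1.0)
    for _ in range(5):
        status, headers, body = handle_api_request(limiter, "198.51.100.7", lambda: {"ok": True})
        print(status, headers, body)
```

The client key here is an address, which is the simplest choice; for authenticated APIs a per-account key is fairer, and as the firewall section notes, a per-client limit does nothing against a flood spread across many addresses, which is where provider-level DDOS protection comes in.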
## CWEs
* [CWE-400](https://cwe.mitre.org/data/definitions/400.html)