Archive for January, 2011

Preventing Layer 7 DDoS Attacks on a Service

No Comments »


You might heard about Applicationā€level DDoS (Distributed Denial of Service) attacks on websites such as Twitter, Facebook and Wikileaks. Usually those kind of attacks involves a large number for HTTP/HTTPS requests to specific part of the website that could potentially eat up all the resource of  the server resulting unresponsive behavior from the web server.

There are already some tools available to shut down any website and make it unreachable for legitimate users.

Looking at the technique used to perform this attack, the tool sends about 10 Long HTTP/HTTPS requests per second until it reaches bandwidth or connection limits of the hosts or networking equipment to make it offline.

Now the question is how we can stop this attack? What are the preventive measures against the Layer7 DDoS?

First of all, we start limiting the traffic using hashlimit on iptables. This module can be used to allow just a certain number of packets per minute:


iptables -A INPUT -p tcp --dport 80 -m hashlimit --hashlimit-upto 50/min --hashlimit-burst 20 --hashlimit-mode srcip --hashlimit-name http -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

where "–hashlimit-burst 20" is the burst limit, you can adjust as per your requirement.

Also using Apache you can add a module mod_reqtimeout. This directive can set various timeouts for receiving the request headers and the request body from the client.

Hope this helps…