Chapter 32. Defending Against DoS

DoS attacks usually involve the use of system resources, which can make detecting them a bit difficult without robust server logging. It can be difficult to detect a DoS attack that occurred in the past if it came through legitimate channels (such as an API endpoint).

As such, a first measure against DoS-style attacks should be building up a comprehensive enough logging system in your server that all requests are logged alongside their time to respond. You should also manually log the performance of any type of async “job"-style functions, such as a backup that is called through your API but runs in the background and does not generate a response once it completes. Doing this will allow you to find any attempts (accidental or malicious) at exploiting a DoS vulnerability (server side) that would have otherwise been difficult and time-consuming.

As discussed in Chapter 14, DoS attacks are structured with one or more of the following results in mind:

• Exhaust server resources

• Exhaust client resources

• Request unavailable resources

• Deny access to resources

The first two are easier to exploit without direct knowledge of the server or client ecosystem. We need to consider all four of these potential threats when building a plan for mitigating DoS threats.

Protecting Against Regex DoS

Regex DoS attacks might be the easiest form of DoS to defend against, but they require prior knowledge of how the attacks are structured (as shown in “Regex DoS” ...