5 Simple Tips to Help Protect Against DDoS Attacks
What is a DDoS attack, and how can you prevent it from happening to your website or web app?
What is a DDoS Attack?
DDoS (Distributed Denial of Service) is an extension of DoS (Denial of Service), in which an attacker tries to slow down or even crash a server so that the victim can no longer provide its services. When the attacker sets up a single machine that continuously sends requests to the host, that is a DoS attack; when more than one device or system is used, it is called a DDoS attack.
Example
Let's take a very basic example of a DDoS and how you could replicate it. Say you have an endpoint called /api that takes about 10ms to process and returns about 500kb of data. It seems to be a very basic API. Let's look at this API's stack:
- Request sent
- Middleware for verification
- Database process
- Response sent
This is a very common API. Assume also that there is no firewall rule configured for the server or for the API gateway.
To DDoS this API, we can write a loop that calls it 100000 times, which makes the server process about 50000MB of data and requires around 1000 seconds of processing time. That in turn creates a heavy load on the server and can result in a crash:
```javascript
// Fires 100000 requests at /api without waiting for any response
for (let i = 0; i < 100000; i++) {
  fetch('/api')
}
```
This is a typical example of a DoS attack. Ideally, requests like this should never reach the server in the first place; they should be rejected by the firewall or another intermediate handler.
How can we prevent this?
There are a variety of options, ranging from rate limiting to applying security policies.
1. Limit concurrent requests using a middleware
At the very start of the request pipeline, do not even let a request reach your controller if there have been multiple requests to the same API within a certain time span. You can cap the number of requests, or enforce a minimum delay between each request.
2. Parent catch block
Even if your server is under heavy load it should never crash, and if it crashes you lose the interest of your actual customers. The only way, and probably the best way, is to have a parent error handler that does not let any of your requests fail. There is also an edge case where an async request fails and its rejection is never handled, so make sure to cover that as well.
There are design patterns for parent try-catch blocks and generic error handling that can save you someday.
3. Security linting
Linting is not just about spaces and indentation; it can also detect security vulnerabilities. Do check out eslint-plugin-security.
4. Verify and Limit your payload size
One more way your system can crash or hang is if it receives an invalid payload. Suppose you have written an API that does not validate its payload and someone passes unexpected data; that can cause your application to go down. The same goes if someone sends too much data in one request.
Last but not least:
5. Hide your error details from the client
Most of these attacks happen because the client can see which errors and stack traces the application propagates; hiding them in your production environment is the best solution.
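As an added example (not code from the original article), the following plain-Node request guard combines tips 1, 4 and 5: a fixed-window limiter per client and route, a payload-size and JSON check before the handler runs, and a catch that returns a generic error while the detail stays in server logs. Awaiting the handler inside the try also covers the unhandled async rejection that tip 2 warns about. The limits, the `req` shape `{ clientId, path, rawBody }` and the `handler(payload)` signature are assumptions for the demo.

```javascript
const WINDOW_MS = 1000;      // assumed: fixed window of one second
const MAX_PER_WINDOW = 20;   // assumed: 20 requests per client per route per window
const MAX_BODY_BYTES = 1024; // assumed: 1 KiB payload cap for this demo

// Tip 1: fixed-window counter keyed by client id and route.
// `now` is injectable so behaviour can be checked without real time passing.
class RateLimiter {
  constructor(limit = MAX_PER_WINDOW, windowMs = WINDOW_MS) {
    Object.assign(this, { limit, windowMs, buckets: new Map() });
  }
  allow(clientId, route, now = Date.now()) {
    const key = `${clientId}|${route}`;
    const bucket = this.buckets.get(key);
    if (!bucket || now - bucket.start >= this.windowMs) {
      this.buckets.set(key, { start: now, count: 1 }); // start a fresh window
      return true;
    }
    bucket.count += 1;
    return bucket.count <= this.limit;
  }
}

// Tips 4 and 5 (plus the async edge case from tip 2): reject early on rate limit
// or bad payload, and never leak error details when the handler throws or rejects.
// `req` is an assumed shape { clientId, path, rawBody }; `handler(payload)` may be async.
async function handleRequest(req, handler, limiter, now = Date.now()) {
  if (!limiter.allow(req.clientId, req.path, now)) {
    return { status: 429, body: { error: 'Too many requests' } };
  }
  const rawBody = req.rawBody || '';
  if (Buffer.byteLength(rawBody, 'utf8') > MAX_BODY_BYTES) {
    return { status: 413, body: { error: 'Payload too large' } };
  }
  let payload = null;
  if (rawBody) {
    try {
      payload = JSON.parse(rawBody);
    } catch {
      return { status: 400, body: { error: 'Invalid JSON' } };
    }
  }
  try {
    return { status: 200, body: await handler(payload) };
  } catch (err) {
    console.error('request failed:', err); // full detail stays in server logs
    return { status: 500, body: { error: 'Internal server error' } };
  }
}
```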
Conclusion
There are still many ways to make your application more secure, and there are attacks that are still undiscovered, but I hope you have learned something useful today. Read more details in the article below.
I hope you will follow good practices in your next project. Happy coding!