0

Lots of example told me to defense with 5 or 4 request per second.

Because usually a visitor clicking about in 1 or 2 links in one second, I think defense with 2 request per second is just fine. But I'm scared of any unknown drawbacks

So, I need a suggestion because I never heard about defense with 2req/sec

Thanks

Tom O'Connor
  • 27,480
  • 10
  • 73
  • 148

3 Answers3

2

If you have a page, with CSS, a few images, a favicon and perhaps a .js or two, when the browser requests the page, it now needs to fetch all of the rest of the files. Depending on whether keepalives are supported by either side, pipelining, etc, I would think that you could easily see 5+ requests per second from a connection that was legitimate.

Unless whatever product you're using is limiting only fetches for .html, I would think that 5 would be too low. You would want to find out what they are limiting and your general page construction to figure out what could reasonably be assumed to be requested in a second.

There is a balance between security and usability. Too much of one negatively impacts the other.

  • You can also get lots of requests/s if your users do things like open 8 tabs at once because they regulary check several pages from your domain. – korkman Apr 10 '10 at 16:21
2

Limiting your site to N HTTP requests per second doesn't seem likely to be effective against a DoS attack -- If you're throttling on your web server it's still doing work, if the attack is distributed it's getting around any per-client restriction anyway, and it will royally piss off your users (unless you're doing something like the SO trilogy does & offloading a lot of your content to an unprotected servicer domain, see sstatic.net).

In my book this comes down to 2 questions:

  1. Are you being DoS'd? Are you likely to be DoS'd in the future?
    If you are, you want to try to block these attacks at the network level (preferably at your upstream provider) before they start hitting your infrastructure. If you aren't, stop worrying about it.

  2. Are you being Slashdotted?
    If you are, that's a probably a good thing. Do what every other small-site admin (and even big site admins) would do: Crank up the MaxClients setting on your web server and either throw up a plain flat 1990s HTML page with the appropriate content, or bite the pillow and wait for it to be over :)
voretaq7
  • 79,879
  • 17
  • 130
  • 214
0

Plain DoS from a single IP is hard to distinguish from legit browser activity, especially at times when AJAX refreshing page parts, multiple tabs and lots of image files come into play. Also be prepared to run into false-positives should you make your sessions non-blocking.

I used to limit to 5 requests/s, but reverted from this. Distributed DoS will be undetected anyway, and is easily accomplished even without bot nets. I have received DDoS by a warez site which simply put an img-src=mypage into their footer (yeah it was a personal thing). So if anyone wants to kill your page by criminal means, they can easily do so. There's few you can do about it except scaling to a size where DDoS is eaten for breakfast by your network.

korkman
  • 1,657
  • 2
  • 13
  • 26