4

Are there any inherent advantages or disadvantages when it comes to handling DDoS attacks on an application running a non-blocking framework like node.js?

As I understand it, these attacks overload the system resources with a ton of requests - causing it to fail. Non-blocking frameworks are able to handle many more concurrent requests than blocking ones. Shouldn't that mean that using non-blocking frameworks by nature help mitigate these types of attacks?

I realize there are other factors involved in mitigating these attacks, but with all other things equal, is this a correct assumption?

badunk

3 Answers

3

A non-blocking service will generally make more system resources available to users than a blocking service. Until all system resources are used up by the attack, a non-blocking service will perform better in that legitimate users can still fulfill requests while the attack is happening. That is, real users will not have to wait for the attacker's bogus requests to complete before the system starts processing legitimate requests. But given the greater exposure of system resources, a DDoS attack can be more effective on a non-blocking service.

Say for example the limiting factor is database access. A non-blocking service has a greater ability to make more DB requests than the blocking service. So while the non-blocking service may still accept legitimate user requests, they will have a harder time completing the database access because the attacker's requests are better able to keep the DB under load.

So I'd say yes - non-blocking is better - but only if you can make sure that downstream resources are sized appropriately.

Rafael Baptista
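Added example (not code from any of the answers): a small Node.js bulkhead that caps how many requests may be in flight against a downstream resource such as the database from the answer above, lets a bounded number more wait, and sheds the rest with a cheap 503 before they cost any database work. The pool and queue sizes are assumed values, and `queryDb` stands for whatever the service's real data-access call is.

```javascript
// Added example: a bulkhead that limits concurrency toward a downstream
// resource (e.g. the database) so a flood of requests admitted by the
// non-blocking server cannot pile up on it. Pool/queue sizes are assumptions.
class Bulkhead {
  constructor(poolSize, queueLimit) {
    this.poolSize = poolSize;     // downstream operations allowed in flight
    this.queueLimit = queueLimit; // requests allowed to wait for a free slot
    this.inFlight = 0;
    this.waiting = [];            // callbacks of queued requests, FIFO
  }
  // Synchronous admission decision: 'run' (slot taken now), 'queued'
  // (onSlot is called later when a slot frees up) or 'reject' (shed load).
  admit(onSlot) {
    if (this.inFlight < this.poolSize) { this.inFlight += 1; return 'run'; }
    if (this.waiting.length >= this.queueLimit) return 'reject';
    this.waiting.push(onSlot);
    return 'queued';
  }
  // Hand the freed slot to the oldest queued request, or shrink inFlight.
  release() {
    const next = this.waiting.shift();
    if (next) next(); else this.inFlight -= 1;
  }
}

// Request handler for http.createServer; queryDb() must return a Promise.
// Rejected requests get a 503 without touching the database at all.
function makeHandler(bulkhead, queryDb) {
  return (req, res) => {
    const serve = () => queryDb()
      .then(body => { res.writeHead(200); res.end(body); },
            () => { res.writeHead(500); res.end(); })
      .finally(() => bulkhead.release());
    const verdict = bulkhead.admit(serve);
    if (verdict === 'run') serve();
    else if (verdict === 'reject') { res.writeHead(503, { 'Retry-After': '1' }); res.end(); }
    // 'queued': serve() runs once release() hands this request a slot
  };
}

// Constructed scenario: n requests arrive before any database call finishes.
// Returns how many ran, waited or were shed for the given pool/queue sizes.
function simulateBurst(n, poolSize, queueLimit) {
  const bh = new Bulkhead(poolSize, queueLimit);
  const counts = { run: 0, queued: 0, reject: 0 };
  for (let i = 0; i < n; i += 1) counts[bh.admit(() => {})] += 1;
  return counts;
}
// wiring: http.createServer(makeHandler(new Bulkhead(20, 50), queryDb)).listen(8080)
```

With a pool of 20 and a queue of 50, a burst of 1000 simultaneous requests costs the database at most 20 concurrent queries; the other 930 are answered with 503 instead of queueing up behind the attacker's traffic.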
2

A DDoS attack can target different services, such as DDNS, web server, database, or can have different effects, like overloading the server itself, or the CPU, or filling the RAM, or trying to write many files to the disk so as to fill it (more rare today), or just writing more data than it can write.

One very common use of DDoS that will explain your question is trying to create more concurrent connections than the server can handle. A typical default value for a web server is 256 (or 512 in many systems) concurrent attempts to create a connection. In a Linux system you can change the value manually, for example in /proc/sys/net/ipv4/tcp_max_syn_backlog. So by making more connections than that (sending packets with the SYN flag), it will cause a denial of service. So the framework you use has no meaning in the first place.

Furthermore, non-blocking frameworks make more requests per second than blocking ones, something that will in many cases help the attacker. In some servers and/or configurations this will create one instance per request, which will help the attacker more.

So your assumption is wrong.

Adam Fili
  • I don't understand your 3rd paragraph, but in the right configuration, let's say 1024 concurrent attempts - now you may be hitting the framework's limit. In those cases, the attacker needs to pool more resources to hit this limit, I believe; my assumption is that the more concurrent requests it can handle, the larger the scale of the attack that must occur. – badunk May 21 '12 at 11:28
  • The bigger the application capability limit is, the more resources it will need. What I try to tell above is that this is a matter of resources more than of a framework's concurrent request capability. If we take resources as infinite, then yes, it's better. But in many cases, in conjunction with slow SQL queries for example, the better one is better for the attacker. In conclusion, it would be better if we run it on a system with VERY big resources, and all other facts, design/settings, are good. Continue below... – Adam Fili May 22 '12 at 10:15
  • BUT, in more cases we have to use other rules, at other layers, like the network, transport and application layers, to filter these requests or send them to other servers with the use of load balancers etc. Think of it like this: on a small server you will install something like "lighttpd" or nginx because of the small resources, on a bigger one something like Apache, IIS, LiteSpeed, etc. So, to conclude, we have to measure ALL the factors and create the whole design by the standards of what we want to achieve (stability, high availability, etc.). – Adam Fili May 22 '12 at 10:21
  • Thanks for your thoughtful comments. I mentioned in my question that I realize there are other, perhaps more meaningful, ways, but had wanted to consider just the framework with all else being equal. – badunk May 22 '12 at 17:36
1

Unfortunately, nodejs will not help with DDoS, as it can be simply overloaded just like any other server, and the fact is non-blocking doesn't change anything; in fact it can kill the server faster, because it will try to process more requests without queuing them.

Andrew