5

If I introduce a Thread.Sleep(x) delay while rendering my HTTP response, where x would change depending on the rate of requests from a given IP: from being zero while request rate is low, and gradually increasing if requests are following one after another.

Is this a viable solution to protect against a DDOS?

What are the weak points?

Andy
  • 2,670
  • 3
  • 30
  • 49
  • Does this really protect against a DDoS, or does it just reduce the number of connections needed to create a DDoS on your server? Also, isn't designing your server to respond more slowly during heavy traffic a sort of built-in weak point? – Caleb Jun 19 '11 at 06:28
  • The idea is to tweak the function that yields `x` depending on the request rates such that it would let regular requests go through easily, while excessive repetitiveness will introduce delays. So it should not be a weak point. The weak point, as others have mentioned, is the distributed nature of requests. – Andy Jun 19 '11 at 06:32
  • Well, yes, that's the point. Your server will, by design, slow down if anyone ever posts a link to one of its pages on Slashdot. That's not a real DDoS (or maybe it is), but you won't be able to tell the difference. – Caleb Jun 19 '11 at 06:35
  • @Andy: What will be your decision procedure to determine if a request is legitimate, or "excessively repetitive"? Why would you expect a DDoS-er to issue the same type of request each time? They're probably more clever than that. – Merlyn Morgan-Graham Jun 19 '11 at 06:50

5 Answers5

9

No, it doesn't protect against DDOS attacks. It protects the CPU from being overloaded, but it still occupies the thread while it's sleeping, so an attacker can easily occupy all of the assigned threads in the web server, rendering it unresponsive. It actually makes it easier to perform a DDOS attack.

A Sleep can be used to protect against brute fource attacks by reducing the number of tries that can be done per second. (The drawback is of course that it makes it more sensetive to DDOS attacks.)

Guffa
  • 687,336
  • 108
  • 737
  • 1,005
2

It definitely doesn't prevent a DDOS because networking equipment in front of your application may still be overwhelmed.

Additionally the distributed nature of a "distributed denial of service" means that you'll be getting excessive traffic from lots of different IPs, not one.

But regardless, what you're doing in your app doesn't get around whatever is in front your app from being overwhelmed.

Matthew Lund
  • 3,742
  • 8
  • 31
  • 41
2

A thread sleep is useful only to help guard against cryptography attacks. You can use them to guard against:

  • Attackers using execution time of different challenge strings to determine the logic in your implementation. If you ensure that all responses take the same time, then they can't use that information to determine how your algorithm works
  • Increasing execution time upon repeated failed password attempts to avoid a brute force attack

Besides these uses, a thread sleep doesn't have much application in security. They tie up resources (connections or session state), so are worthless for guarding against a DoS attack.

Merlyn Morgan-Graham
  • 58,163
  • 16
  • 128
  • 183
0

DDoS can't be protected by code, it is more then protecting your server, usually DDoS hurt your load balancer and firewall if you have some, if not the DDoS will hurt your server.

DDoS can be done via many levels: UPD/TCP/HTTP etc...

The best way to protect yourself from DDoS is to use reverse proxy so if you go to your site it wont show the real IP, and happily we have now for free with Cloud Flare. https://www.cloudflare.com/

I wrote a small article about how Cloud Flare protects you as i'm using them since a year now and they are the BEST so far and the cheapest.

http://www.yourwwwdesign.com/2012/07/23/best-practice-to-protect-your-site-from-ddos-for-free/

Hope this helps! if you need more help please don't hesitate to contact me.

Gabriel
  • 2,011
  • 14
  • 14
0

No. A DDoS is an attack that used a lot of compromised machines to attack a target. That will protect against smaller attacks like DoSes, but not distributed attacks. Usually, your web server will crash before that could make any sort of effect.

I would recommend a DDoS protection service or host if you're having a lot of problems with them.

iamandrus
  • 1,400
  • 2
  • 16
  • 25