I was just trying to post something to a website via my localhost to retrieve some data, and suddenly this idea came to my mind: what happens if I create a post, put it into a for loop that runs over 1 million times, and send requests to a specific URL a million times? I just did not want to try it, to avoid any harm, but I wonder. And if this could cause some harm, how can I avoid such an attack?
Yeah, it's called a Denial of Service attack, and it will likely get you in serious trouble. – GalacticCowboy Jul 22 '11 at 23:23
hahah good for me that I didn't try then :) – Shaokan Jul 22 '11 at 23:26
3 Answers
This kind of thing actually happens a lot. Some are intentional and some are not. Take for example: http://en.wikipedia.org/wiki/Slashdot_effect
Other times, this is intentional, and it's called a DoS (Denial of Service). A lot of websites are taken down with these attacks, and they do not always involve an actual connection. It may suffice to saturate the listen backlog of the underlying OS.
How to avoid it... you can't, basically. You can make the best effort at it, but you will never be able to actually avoid it. After all, your website is there to be accessed, right?

You could add a rule in your firewall to block a specific IP address if that were to happen. If it is a sophisticated denial of service, I'm sure the IP address is spoofed and will be random. But for normal web sites, you won't need to worry about this.

Well, the server will get progressively bogged down until it figures out how to handle all 1,000,000 of those requests. Odds are, unless you have legendary hardware, it will become unresponsive and next to useless, creating a great disruption to everyone wanting to access it. This is called a Denial Of Service attack, or a DOS.
There are a few things you can do to prevent this:
1. Require users to verify that they are human before the server will process their request. This is usually done with Captchas.
2. Use an intelligent firewall to drop the packets or figure out how to have the server ignore requests from IP addresses that have been sending too many.
3. Make sure everybody loves your site so much that they wouldn't even think of doing anything to hurt it.

1 is probably most effective and simplest to do, and 3 is impossible. I can't offer a lot of advice about 2 due to lack of experience, and it's probably fairly difficult and easy enough to exploit.
Short Story: Go with a Captcha. ;)

I don't understand how Captchas can prevent such a request. I mean, even if you use captcha, your server has to verify a million times that the captcha is valid right? – Shaokan Jul 22 '11 at 23:47
@Shaokan yes, but verifying a captcha is basically a string comparison with a little encryption and has a much lower load on your server than an actual post, which requires database updates and other computationally intensive activities. Yes, it is always possible to fill out the captcha a million times and send those million requests, but the server will have to spend a lot less time processing each request. It's still not perfect, but it's definitely an improvement. :D – Gordon Gustafson Jul 23 '11 at 15:44
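Two ideas from the answers above, ignoring clients that send too many requests and running a cheap check before the expensive work, can be combined in a per-IP sliding-window limiter. This is an added example, not code from any of the posters; the class and function names, the limit of 5 requests per 10 seconds, and the documentation-range IP addresses are assumptions made for illustration. Because it keys on the source address, it does not help against the spoofed or distributed sources one answer mentions.

```python
import time
from collections import defaultdict, deque

class SlidingWindowLimiter:
    """Allow at most `limit` requests per client within `window` seconds."""
    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window = limit, window
        self.clock = clock                # injectable so the window can be tested
        self.hits = defaultdict(deque)    # client IP -> times of accepted requests

    def allow(self, client_ip):
        now = self.clock()
        q = self.hits[client_ip]
        while q and now - q[0] >= self.window:   # forget requests that aged out
            q.popleft()
        if len(q) >= self.limit:
            return False                  # over budget: reject without storing more
        q.append(now)
        return True

    def prune(self):
        """Drop idle clients so the tracking table cannot grow without bound."""
        now = self.clock()
        idle = [ip for ip, q in self.hits.items() if not q or now - q[-1] >= self.window]
        for ip in idle:
            del self.hits[ip]

def handle_post(limiter, client_ip, expensive_work):
    """Cheap check first; only accepted requests reach the costly step."""
    if not limiter.allow(client_ip):
        return 429                        # HTTP 429 Too Many Requests
    expensive_work()                      # e.g. the database update
    return 200

def simulate():
    """Constructed traffic: one client loops 1,000 POSTs, another sends 3."""
    t = [0.0]                             # fake clock, advanced by hand
    limiter = SlidingWindowLimiter(limit=5, window=10.0, clock=lambda: t[0])
    writes = []
    flood = [handle_post(limiter, "203.0.113.7", lambda: writes.append(1)) for _ in range(1000)]
    normal = [handle_post(limiter, "198.51.100.4", lambda: writes.append(1)) for _ in range(3)]
    t[0] = 10.0                           # the window elapses
    after = handle_post(limiter, "203.0.113.7", lambda: writes.append(1))
    return flood.count(200), flood.count(429), normal, after, len(writes)

if __name__ == "__main__":
    print(simulate())
```

In a real deployment `prune()` would be called periodically, and the same limit is usually also enforced at the reverse proxy or firewall so rejected requests never reach the application.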