Last post Mar 26, 2008 04:51 AM by Ahmadi_rad
Mar 22, 2008 11:57 AM|Ahmadi_rad
I'm developing a web application that needs to upload data to a SQL Server from client machines (direct login to the server or using web services), and I have been concerned about DoS attacks for a rather long time, but I can't find a total solution for that.
The best thing I found was tracking the IP addresses of end users (http://weblogs.asp.net/omarzabir/archive/2007/10/16/prevent-denial-of-service-dos-attacks-in-your-web-application.aspx),
but this can be easily overcome by spoofed IP addresses. Now I think there is not much that I can do about this matter but rely on the capabilities of the host.
I wanted to ask you guys for a general overview. What shall we ask from the hosting company? Is there even anything they can do that we could ask of them?
How do large companies like credit card processing companies overcome this problem? Can we use the same methods?
Is it better to use the services of such companies, like hosting by Yahoo?
Are any web hosting companies well known to be reliable against such attacks?
Or any other points that you may find useful.
Thanks a lot
Mar 25, 2008 08:26 PM|Bruce L
Most people would take on a strategy of blocking everything other than the whitelisted IPs. I am not sure what your application's intended use is, and am not sure if this is applicable in your situation.
If your user base is all registered users with a known IP, I would blacklist everything and have them insert their IP into the whitelist.
Another strategy you can consider is to have a restriction on the time between calls. It is rather complicated, but doable. In your web service, you would track the user's last connection time and on every connection, you check if they are connecting too
Mar 26, 2008 04:51 AM|Ahmadi_rad
My attention to this matter may be too paranoid!
In fact, I'm blocking time-consuming operations for too-frequent users. And I'm also checking the IP address of incoming requests and blocking too-frequent IPs. This may be more than enough for a small business which has registered users.
But my question was about IP spoofing and sending too-frequent incorrect login requests to the system. This may not happen to my site, but even if it happens, there doesn't seem to be a way for me to defend against it.
Anyhow, whether it happens or not, I prefer to rely on hosting companies that pay attention to this matter.
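
The per-user throttle discussed in this thread (a minimum time between calls, tracked from each user's last connection time), written out as an added example that is not code from any poster. `CallThrottle`, `TryEnter`, `Prune` and their parameters are hypothetical names, and the caller key is assumed to be the authenticated user name rather than the source IP address.

```csharp
using System;
using System.Collections.Generic;

// Added example, not code from the thread. All names here are hypothetical.
public sealed class CallThrottle
{
    private readonly TimeSpan _minInterval, _idleExpiry;
    private readonly Func<DateTime> _utcNow;   // injectable clock, so the logic can be tested
    private readonly Dictionary<string, DateTime> _lastCall = new Dictionary<string, DateTime>();
    private readonly object _gate = new object();

    public CallThrottle(TimeSpan minInterval, TimeSpan idleExpiry, Func<DateTime> utcNow = null)
    {
        _minInterval = minInterval;
        _idleExpiry = idleExpiry;
        _utcNow = utcNow ?? (() => DateTime.UtcNow);
    }

    // True if the call may proceed, false if this caller is connecting too often.
    public bool TryEnter(string callerKey)
    {
        DateTime now = _utcNow();
        lock (_gate)
        {
            DateTime last;
            if (_lastCall.TryGetValue(callerKey, out last) && now - last < _minInterval)
                return false;   // rejected calls leave the stored time unchanged
            _lastCall[callerKey] = now;
            return true;
        }
    }

    // Remove callers idle longer than idleExpiry so the table cannot grow without bound.
    public int Prune()
    {
        DateTime cutoff = _utcNow() - _idleExpiry;
        var stale = new List<string>();
        lock (_gate)
        {
            foreach (KeyValuePair<string, DateTime> kv in _lastCall)
                if (kv.Value < cutoff) stale.Add(kv.Key);
            foreach (string key in stale) _lastCall.Remove(key);
        }
        return stale.Count;
    }
}
```

A web method would call `TryEnter` with the authenticated user name before doing any database work and return an error when it is false; `Prune` is meant to run periodically, for example from a timer.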