Implement a lockout, i.e. prevent an IP from making login requests for X minutes once it has failed to log in N times. Tomcat provides the LockOutRealm configuration for this purpose.
Implement a progressive delay by adding a longer and longer delay to the processing of each bad login request.
Ensure that a user has a limit on the number of concurrent sessions (to prevent a hacked account from logging on a million times).
Apply rate limits or throttling mechanisms to prevent large numbers of requests.
Have different database application users for different services (e.g. transactional use vs. reporting use) and use database resource management to prevent one type of web request from overwhelming all others.
Have a log format from which you can easily identify:
  The IP of the requesting server
  The URI of the request
  The URI that fails most often
  The user using the service
  The IPs of the users
  The URIs called by anonymous users
  The arguments passed to a service
  The actions of a specific user, for auditing
Use CDNs to distribute static resources to different locations and IP addresses.
Install a firewall to reject incoming connections that violate rules that you define.
Update and patch all resources at regular intervals.
Run vulnerability scans frequently.
Harden applications, e.g. by adding a CAPTCHA during login.
Block unused ports on servers and firewalls:
  Block DNS port 53 if the organization is not running a DNS server.
  Block P2P ports 4662 and 4672.
  Block ICMP (ping).
Overprovision infrastructure by:
  Moving to a scalable cloud-based solution.
  Designing it for 200-500% of the baseline needs.
  Applying load balancing to route the traffic.
Place resources behind the firewall
Use container-level configurations to reject requests:
  A Tomcat Valve that rejects incoming requests by their User-Agent (or any other criterion), as a last line of defense.
In the AWS Cloud, AWS Shield can help prevent DDoS attacks. This service is provided automatically to all AWS customers at no additional charge.
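The first two items of the list, the per-IP lockout after N failures for X minutes and the progressive delay on bad logins, are shown together below as an added example that is not part of the original post. The class, its parameters and the IP addresses are assumptions chosen for illustration; the clock and sleep functions are injectable so the logic can be exercised without waiting.

```python
"""Per-IP login lockout with progressive delay (constructed example)."""
import time


class LoginThrottle:
    """Tracks failed logins per source IP, as the post describes.

    max_failures is N, lockout_seconds is X minutes in seconds.  The delay
    doubles after every consecutive failure and is capped at max_delay.
    Clients behind a shared NAT address share one counter.
    """

    def __init__(self, max_failures=5, lockout_seconds=300,
                 base_delay=0.5, max_delay=30.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock
        self._failures = {}      # ip -> consecutive failure count
        self._locked_until = {}  # ip -> monotonic time the lockout ends

    def is_locked(self, ip):
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:            # lockout expired: reset state
            del self._locked_until[ip]
            self._failures.pop(ip, None)
            return False
        return True

    def delay_for(self, ip):
        """Progressive delay: 0 on a clean slate, then base * 2^(n-1), capped."""
        n = self._failures.get(ip, 0)
        if n == 0:
            return 0.0
        return min(self.base_delay * 2 ** (n - 1), self.max_delay)

    def attempt(self, ip, credentials_ok, sleep=time.sleep):
        """Returns 'locked', 'denied' or 'ok' and updates the per-IP state."""
        if self.is_locked(ip):
            return "locked"                  # rejected before any work is done
        sleep(self.delay_for(ip))            # penalise repeated bad logins
        if credentials_ok:
            self._failures.pop(ip, None)     # success clears the counter
            return "ok"
        self._failures[ip] = self._failures.get(ip, 0) + 1
        if self._failures[ip] >= self.max_failures:
            self._locked_until[ip] = self.clock() + self.lockout_seconds
        return "denied"
```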