Logo
Info Security
News
Advisories
 
WebKnight
Features
Download
Support
SQL Injection
Robots
Hot Linking
DoS
Blocklists
Googlebot Verifier
Testimonials
 
Log Analysis
Features
Download
Manual
 
Databases
User Agents
Http Headers
 
Members
Login
 

AQTRONiX WebKnight - Denial-of-Service (DoS)

WebKnight Banner

Blocking a Denial-of-Service (DoS) or Distributed Denial-of-Service (DDoS) attack can be quite a challenge. Depending on the type of attack, WebKnight might be able to help mitigate the effects of a DoS.

Limiting Requests

There are several ways WebKnight can detect a DoS and try to minimize the burden on the resources of your web server:

  • Lots of requests coming from certain IP addresses. Use Connection Request Limit in the "Connection" section of the configuration. This will limit the number of requests a particular IP address can make in a certain time period.
  • Attacks on a particular url. Blocks a huge number of requests to a particular url. Use "URL Requests Limit" in the section "URL Scanning" of the configuration.
  • Attacks on a particular file extension. Blocks lots of requests for particular file extensions. This can be large files which require lots of bandwidth or extensions that require lots of CPU cycles. Use "Extension Requests Limit" in the section "Requested File" of the configuration.
Response Monitor

If the attack generates HTTP errors (like timeouts...), there are two more settings that might help in the Response Monitor section of the configuration.

  • Detect multiple HTTP server errors and block the IP address.
  • Detect multiple HTTP client errors and block the IP address.
Incident Response Handling

Whenever the requests are triggering alerts, WebKnight helps giving back the resources to the web server with the following settings in Incident Response Handling.

  • Enable Response Drop Connection: use this to drop the TCP connection and give the socket back to IIS for legitimate requests.
  • Disable Response Redirect: don't waste a response on the request.
  • Disable Response Direct: don't waste a response on the request.
  • Enable Response Block IP. This is will block (D)DoS attacks by automatically blacklisting all offending IP addresses.
What else

If the above is not helping. Here are some tips what you can do:

  • Analyse the packets that are doing the DoS. There might be something in the requests that you are able to block without blocking legitimate requests. You can use the Intercept function of WebKnight (Admin interface) to see the request/response generated from a certain IP address.
  • Take some parts of the web site offline or even show a single page on your web site to inform the legitimate users of the attack and that you are working on a solution.
  • If the attack is a DoS on your bandwidth, contact your ISP to block the requests upstream.

Published: 4/07/2008Document Type: General
Last modified: 6/12/2016Target: General
Visibility: PublicLanguage: English

[top] Print Edit


Comments (use this form to send comments to the author of the page):
Text:
How much is 5
5
+ 7 ?
E-mail: (optional)