Hi, do you know if a captcha can solve a DDoS attack? Will the DDoS attack still be able to send large packets of data if we require a captcha before entrance to our site?
Denial of service attacks will not be stopped by a captcha. The attacker could flood the OS with ping requests, or MySQL with requests, or the webserver with requests, until all of the server's memory is consumed and the server crashes. Captcha works on a software layer, such as a webpage. DDoS can attack the server on the network layer before it ever gets to the software layer.

Network layers:
Physical Layer
Data Link Layer
Network Layer <-- DDoS attacks can work here; they can overwhelm the network with requests
Transport Layer
Session Layer <-- or try to establish a session with the server
Presentation Layer
Application Layer <-- captcha works somewhere in here, because it's part of the website software; this is what you actually see.
Hi, how about disabling recursive DNS queries on my server? Will that stop my server from receiving huge data packets from the attacker?
You should definitely stop that unless you intentionally want to provide a free DNS service for anyone who wants to use your servers. DNS doesn't consume a lot of network resources and the service itself shouldn't be causing that problem. If you are suffering from a DDoS attack there's not much you can do personally. You will need to get your host involved to start with, and if it is serious enough they will call in the support team from their transit providers, as these are the only people who can really deal with a serious problem. These people will be expensive and it may be easier for the host to block access to your server than to pay the mega-bucks that it would cost for higher-level support - a cost that they would likely pass on to you.
Captcha can only stop those DDoS which are caused because your site is using lots of MySQL queries, because of which the server is lagging and the DDoSer is using that. Using a programming language you can verify if the person is human and then process the queries.
A DDoS attack comes from thousands of computers flooding your server and network with requests - and not from a single attacker. If you want something to help stop DDoS, take a look at DDOS Deflate - http://deflate.medialayer.com/ - when a single IP address makes too many requests to your server, the IP is added to a deny list for a certain amount of time. But that will not stop total network traffic.
Captcha can't defend from DDoS, but it can make the final decision before completely blocking a user. Here is how I would build a defence system:
1) First layer is an activity detection system, which logs too frequent access to your site/service. It redirects suspicious users to the second layer.
2) Second layer is a lightweight captcha service, which should serve millions of captchas per day without problems. Bots attacking the captcha server are harmless unless they fill up your uplink.
3) Third layer are firewalls in your servers and in your provider's infrastructure, which block IP addresses of users that didn't pass the captcha.
When you have such a configuration in place and have enough uplink bandwidth, you can forget about DDoS and sleep safe.
Hmm, that sounds good. With DDoS coming at 4GB/s, most of the protection against DDoS through bandwidth certainly won't be enough. How do I complete the 1st layer? Do I have to install any special software on my server?
Stopping a DDoS attack is costly, and it will not simply stop by using a captcha. However, you may want to install the LiteSpeed webserver. Though it will not prevent DDoS fully, the LiteSpeed webserver reduces the chance of your site crashing. To stop a DDoS fully, you are looking at a 4 figure sum minimum, depending on the size of the attack.
Of course you will need special software. I think this is the hardest part in this scheme. That software should be adapted to the behaviours on your site/service, which means you must research "normal" activity patterns and thresholds, and set up your software to react to unusual patterns and over-the-threshold values. This is detection on the software layer. You can also have such detection on the L4 layer (analyzing who is making too frequent and not-natural TCP connections). Most anti-DDoS hardware (such as Cisco Guard) has such detection.
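As an added illustration of the first and third layers described in the posts above (the activity detector that flags too-frequent access, and the temporary deny list for clients that did not pass the captcha), here is a small sliding-window rate detector run over a constructed log sample. This is example code, not software from any poster or product; the window, threshold and block duration are assumed values that would have to be tuned to a real site's "normal" traffic.

```python
from collections import defaultdict, deque
# Constructed access-log sample (unix_seconds client_ip path), per-client ascending; not real traffic.
SAMPLE_LOG = """\
1000 203.0.113.7 /login
1001 203.0.113.7 /login
1002 203.0.113.7 /login
1003 203.0.113.7 /login
1004 203.0.113.7 /login
1005 203.0.113.7 /login
1006 203.0.113.7 /login
1000 198.51.100.2 /index.html
1040 198.51.100.2 /about.html
1002 192.0.2.9 /search
1030 192.0.2.9 /search
1055 192.0.2.9 /search
"""

class RateDetector:
    """First layer: flag a client exceeding `threshold` requests inside any
    sliding window of `window` seconds (both values are assumed; tune per site)."""
    def __init__(self, window=10, threshold=5):
        self.window, self.threshold = window, threshold
        self.hits = defaultdict(deque)  # ip -> timestamps still inside the window
        self.suspicious = set()

    def observe(self, ts, ip):
        q = self.hits[ip]
        q.append(ts)
        while q[0] <= ts - self.window:  # drop hits that fell out of the window
            q.popleft()
        if len(q) > self.threshold:
            self.suspicious.add(ip)

def parse_log(text):
    for line in text.splitlines():
        ts, ip, path = line.split()
        yield int(ts), ip, path

def detect_suspicious(log_text, window=10, threshold=5):
    """Run the first layer over a log; returns the IPs to redirect to the captcha layer."""
    det = RateDetector(window, threshold)
    for ts, ip, _ in parse_log(log_text):
        det.observe(ts, ip)
    return det.suspicious

def build_deny_list(suspicious, passed_captcha, block_seconds=600):
    """Third layer: temporary firewall deny entries for suspicious clients that
    did not solve the captcha. Returns {ip: seconds_to_block}."""
    return {ip: block_seconds for ip in suspicious if ip not in passed_captcha}
```

With the defaults only 203.0.113.7 (seven hits in seven seconds) is flagged; a looser window of 60 seconds with a threshold of 2 would also catch the slower 192.0.2.9 client, which shows why the thresholds must match the site's real patterns.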