HTTP DDoS Mitigation

Discussion in 'Site & Server Administration' started by raffo77, May 29, 2014.


What kind (not too invasive) of "human verification" is best?

  1. Cookie

    0 vote(s)
  2. Cookie+Javascript

  3. Cookie+javascript+flash-captcha

    0 vote(s)
  4. Google reCaptcha

    0 vote(s)
  5. Nothing, the server must be able to handle all HTTP requests, maybe under cache.

    0 vote(s)
  1. #1

    I have configured my web server to process only the HTTP requests made by a real human who uses the latest browser on a modern OS.

    Without any reCAPTCHA.

    - With an encrypted cookie generated by the client browser with JavaScript that uses the AES algorithm.

    So, on the first connection we have:
    - the client sends an HTTP request to the web server
    - the server sends HTML code with JavaScript
    - the client generates the key and will use it in the cookie
    - the server sends the result of the HTTP request, and all other requests don't need to generate a new key, they just use the current cookie.

    If another HTTP request is made from the same IP with a browser that doesn't accept cookies or JavaScript, the request will be redirected to an HTML page that explains why the client doesn't see the web site.

    My question: is this a good mitigation method? Spiders like Google, MSN and Yahoo I just put on a whitelist, but is it maybe dangerous for a website to serve HTTP requests only to browsers that support JavaScript and cookies? Could it downgrade the Google SERP?

    Google PageSpeed gives us 97/100 for our code, and they see our site correctly.

    But other site speed tools (like tools.pingdom.com) don't support JavaScript cookies; they support just cookies without JavaScript, and many others don't support the cookie validation.
    So, we can block many types of botnet and not annoy the real user with a CAPTCHA.
    But if an attacker makes HTTP requests the way browsers do, they can bypass this mitigation. But I have never seen a botnet capable of handling cookie+JavaScript.
    raffo77, May 29, 2014 IP
  2. raffo77

    I'm looking for some testers.
    raffo77, Jun 1, 2014 IP
  3. infinitnet

    There are actually lots of advanced layer 7 botnets that can emulate cookies and JavaScript, and I've even seen botnets that support Flash and can solve reCAPTCHA, although that's quite uncommon. Your method should be fine for simple HTTP floods, but some can only be blocked by blocking their request patterns, proper rate limiting per source IP, or, which would be the best solution, real DDoS mitigation hardware such as RioRey that automatically analyzes the attack and mitigates it.
    infinitnet, Jun 3, 2014 IP
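
An added example, not code from either poster: a server-side gate that combines the challenge cookie from post #1 with the per-source-IP rate limiting suggested in post #3, so a client that passes the cookie check is still throttled when it floods. It assumes an HMAC-signed cookie bound to the source IP (a substitute for the AES scheme, which the thread does not detail); every name, the key and the limits are hypothetical.

```python
import hashlib
import hmac
from collections import defaultdict, deque

SECRET = b"constructed-demo-key"  # assumption: random per-deployment secret
COOKIE_TTL = 3600                 # seconds a passed challenge stays valid
RATE_LIMIT = 5                    # requests allowed per IP per window
WINDOW = 10                       # sliding window length in seconds

recent_hits = defaultdict(deque)  # source IP -> timestamps of served requests


def mac_for(ip, expiry_s):
    """MAC over the source IP and expiry, so a cookie cannot move between IPs."""
    return hmac.new(SECRET, f"{ip}|{expiry_s}".encode(), hashlib.sha256).hexdigest()


def issue_cookie(ip, now):
    """Cookie value handed out once the challenge page's JavaScript has run."""
    expiry_s = str(now + COOKIE_TTL)
    return f"{expiry_s}.{mac_for(ip, expiry_s)}"


def cookie_valid(cookie, ip, now):
    """True only for an unexpired cookie whose MAC matches this source IP."""
    if not cookie or "." not in cookie:
        return False
    expiry_s, mac = cookie.split(".", 1)
    if not (expiry_s.isascii() and expiry_s.isdigit()) or int(expiry_s) < now:
        return False
    return hmac.compare_digest(mac.encode(), mac_for(ip, expiry_s).encode())


def gate(ip, cookie, now):
    """Decide 'challenge', 'throttle' or 'serve' for one request."""
    if not cookie_valid(cookie, ip, now):
        return "challenge"        # send the cheap JavaScript/cookie page
    hits = recent_hits[ip]
    while hits and hits[0] <= now - WINDOW:
        hits.popleft()            # forget requests older than the window
    if len(hits) >= RATE_LIMIT:
        return "throttle"         # cookie-capable client flooding anyway
    hits.append(now)
    return "serve"
```

Whitelisted crawlers would bypass `gate` before the cookie check, and the challenge page itself should be static so cookieless floods stay cheap to answer.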