My website has been experiencing a denial of service/hack attack for the last week. The attack is hitting our web API with randomly generated invalid API keys in a loop.


I'm not sure if they are trying to guess a key (mathematically impossible as they are 64-bit keys) or trying to DOS attack the server. The attack is distributed, so I cannot ban all of the IP addresses, as it occurs from hundreds of clients.


My guess from the IPs is that it is an Android app, so someone has some malware in an Android app and uses all the installs to attack my server.

The server is Tomcat/Java. Currently the web API just responds 400 to invalid keys and caches IPs that have made several invalid key attempts, but it still needs to do some processing for each bad request.


Any suggestions on how to stop the attack? Is there any way to identify the Android app making the request from the HTTP headers?




There is a vast array of tools and strategies available to help you do this, and which to use depends entirely on your server implementation and requirements.


Without using a firewall, IDS, or other network-control tools, you can't really stop a DDOS from, well, denying service to your application. You can, however, modify your application to make a brute-force attack significantly more difficult.


The standard way to do this is by implementing a lockout or a progressive delay. A lockout prevents an IP from making a login request for X minutes if they fail to log in N times. A progressive delay adds a longer and longer delay to processing each bad login request.

If you're using Tomcat's authentication system (i.e. you have a <login-constraint> element in your webapp configuration), you should use the Tomcat LockoutRealm, which lets you easily put IP addresses on a lockout once they make a number of bad requests.


If you are not using Tomcat's authentication system, then you would have to post more information about what you are using to get more specific information.

Finally, you could simply increase the length of your API keys. 64 bits seems like an insurmountably huge keyspace to search, but it's underweight by modern standards. A number of factors could contribute to making it far less secure than you expect:

- A botnet (or other large network) could make tens of thousands of attempts per second, if you have no protections in place.
- Depending on how you're generating your keys and gathering entropy, your de facto keyspace might be much smaller.
- As your number of valid keys increases, the number of keys that need to be attempted to find a valid one (at least in theory) drops sharply.


Upping the API key length to 128 (or 256, or 512) won't cost much, and you'll tremendously increase the search space (and thus, the difficulty) of any brute force attack.


To mitigate DDOS attacks, however, you need to do a bit more legwork. DDOS attacks are hard to defend against, and it's especially hard if you don't control the network your server is on.


That being said, there are a few server-side things you can do:

- Installing and configuring a web-application firewall, like mod_security, to reject incoming connections that violate rules that you define.
- Setting up an IDS system, like Snort, to detect when a DDOS attack is occurring and take the first steps to mitigate it.
- See @Martin Muller's post for another excellent option, fail2ban.
- Creating your own Tomcat Valve, as described here, to reject incoming requests by their User-Agents (or any other criterion) as a last line of defense.

In the end, however, there is only so much you can do to stop a DDOS attack for free. A server has only so much memory, so many CPU cycles, and so much network bandwidth; with enough incoming connections, even the most efficient firewall won't keep you from going down. You'll be better able to weather DDOS attacks if you invest in a higher-bandwidth internet connection and more servers, if you deploy your application on Amazon Web Services, or if you buy one of the many consumer and enterprise DDOS mitigation products (@SDude has some excellent recommendations in his post). None of those options are cheap, quick, or easy, but they're what's available.
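As an added example (not part of the answer above or of Tomcat itself), here is a hypothetical Tomcat Valve that combines the lockout idea with the "reject before the servlet runs" idea: it counts the API's own 400 responses per client IP and, after N of them, refuses that IP for X minutes before any API-key processing happens. The class name, the `maxFailures`/`lockoutMillis` attributes and the 400-means-bad-key assumption are mine.

```java
import java.io.IOException;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.ServletException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/**
 * Hypothetical lockout valve. It sits in the Catalina pipeline, so a locked-out
 * client is refused before the web application parses or looks up any API key.
 * Register it in conf/server.xml or the app's META-INF/context.xml, e.g.
 *   <Valve className="example.ApiKeyLockoutValve" maxFailures="5" lockoutMillis="600000"/>
 */
public class ApiKeyLockoutValve extends ValveBase {
    /** Per-IP state: consecutive bad-key responses, lockout expiry, last activity (epoch ms). */
    private static final class Record { int failures; long lockedUntil; long lastSeen; }
    private final ConcurrentHashMap<String, Record> records = new ConcurrentHashMap<>();
    private int maxFailures = 5;            // N bad requests before lockout
    private long lockoutMillis = 600_000L;  // X = 10 minutes

    public void setMaxFailures(int n) { maxFailures = n; }      // set from the XML attribute
    public void setLockoutMillis(long ms) { lockoutMillis = ms; }

    @Override
    public void invoke(Request request, Response response) throws IOException, ServletException {
        String ip = request.getRemoteAddr();
        long now = System.currentTimeMillis();
        Record rec = records.computeIfAbsent(ip, k -> new Record());
        synchronized (rec) {
            if (rec.lockedUntil > now) {
                response.sendError(429, "Too many invalid API keys"); // cheapest possible rejection
                return;
            }
        }
        getNext().invoke(request, response); // let the API validate the key as it does today
        int status = response.getStatus();   // assumption: the API answers 400 for a bad key
        synchronized (rec) {
            rec.lastSeen = now;
            if (status == 400 && ++rec.failures >= maxFailures) {
                rec.failures = 0;
                rec.lockedUntil = now + lockoutMillis;
            } else if (status < 400) {
                rec.failures = 0; // a valid key resets the counter
            }
        }
        // Keep the table bounded under a distributed attack: drop quiet, unlocked IPs.
        if (records.size() > 100_000) {
            records.entrySet().removeIf(e -> e.getValue().lockedUntil < now
                    && now - e.getValue().lastSeen > lockoutMillis);
        }
    }
}
```

If Tomcat sits behind a reverse proxy or load balancer, put Tomcat's RemoteIpValve ahead of this one so getRemoteAddr() yields the client address rather than the proxy's, otherwise one bad client locks out everyone behind that proxy.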



