AQTRONiX WebKnight - Denial-of-Service (DoS)

Blocking a Denial-of-Service (DoS) or Distributed Denial-of-Service (DDoS) attack can be quite a challenge. Depending on the type of attack, WebKnight might be able to help mitigate the effects of a DoS.

Limiting Requests

There are several ways WebKnight can detect a DoS and try to minimize the burden on the resources of your web server:

  • Lots of requests coming from certain IP addresses. Use "Connection Request Limit" in the "Connection" section of the configuration. This limits the number of requests a particular IP address can make in a certain time period.
  • Attacks on a particular URL. Use "URL Requests Limit" in the "URL Scanning" section of the configuration to block a huge number of requests to a particular URL.
  • Attacks on a particular file extension. Use "Extension Requests Limit" in the "Requested File" section of the configuration to block lots of requests for particular file extensions. These can be large files which require lots of bandwidth or extensions that require lots of CPU cycles.

Response Monitor

If the attack generates HTTP errors (such as timeouts), two more settings in the Response Monitor section of the configuration might help.

  • Detect multiple HTTP server errors and block the IP address.
  • Detect multiple HTTP client errors and block the IP address.
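
The following is an added example, not part of WebKnight or of the original page. It counts requests in an IIS W3C log along the same dimensions as the limits above (per IP, per URL, per extension, and client/server errors per IP) so you can see what normal and abusive traffic look like before choosing values for those settings. The log sample, the thresholds, the 60-second fixed window and all function names are assumptions; the page does not state how WebKnight itself counts requests.

```python
from collections import Counter
from datetime import datetime, timedelta
import posixpath

# Constructed IIS W3C extended log sample (documentation IP ranges), not real traffic.
SAMPLE_LOG = "#Fields: date time c-ip cs-method cs-uri-stem sc-status\n" + "".join(
    [f"2016-12-06 10:00:{s:02d} 203.0.113.7 GET /search.aspx 500\n" for s in range(8)]
    + [f"2016-12-06 10:00:1{n} 198.51.100.20 GET /missing{n}.php 404\n" for n in range(4)]
    + [f"2016-12-06 10:01:0{n} 192.0.2.10 GET /default.aspx 200\n" for n in range(2)]
)

# Assumed per-window limits; measure normal traffic before using similar values
# for the WebKnight settings named in the comments below.
WINDOW = timedelta(seconds=60)
LIMITS = {"ip": 5, "url": 6, "ext": 6, "client_err": 3, "server_err": 3}
EPOCH = datetime(1970, 1, 1)

def parse(log_text):
    """Yield one dict per request, using the column order from the #Fields line."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif fields and not line.startswith("#"):
            parts = line.split()
            if len(parts) != len(fields):
                continue  # skip blank, truncated or malformed lines
            row = dict(zip(fields, parts))
            row["ts"] = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
            yield row

def over_limit(log_text, window=WINDOW, limits=LIMITS):
    """Return {(window_start, kind, key): count} for counters above their limit."""
    counts, size = Counter(), window.total_seconds()
    for r in parse(log_text):
        start = EPOCH + timedelta(seconds=(r["ts"] - EPOCH).total_seconds() // size * size)
        ip, url, status = r["c-ip"], r["cs-uri-stem"].lower(), int(r["sc-status"])
        counts[start, "ip", ip] += 1    # compare with Connection Request Limit
        counts[start, "url", url] += 1  # compare with URL Requests Limit
        ext = posixpath.splitext(url)[1] or "(none)"
        counts[start, "ext", ext] += 1  # compare with Extension Requests Limit
        if 400 <= status < 500:
            counts[start, "client_err", ip] += 1  # Response Monitor: client errors
        elif status >= 500:
            counts[start, "server_err", ip] += 1  # Response Monitor: server errors
    return {k: n for k, n in counts.items() if n > limits[k[1]]}

if __name__ == "__main__":
    for (start, kind, key), n in sorted(over_limit(SAMPLE_LOG).items()):
        print(f"{start:%H:%M:%S} {kind:<10} {key:<16} {n}")
```

Run it against a period of known-good traffic first: any counter it flags there shows a limit that would block legitimate users.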

Incident Response Handling

Whenever requests trigger alerts, WebKnight helps give resources back to the web server with the following settings in Incident Response Handling.

  • Enable Response Drop Connection: use this to drop the TCP connection and give the socket back to IIS for legitimate requests.
  • Disable Response Redirect: don't waste a response on the request.
  • Disable Response Direct: don't waste a response on the request.
  • Enable Response Block IP: this will block (D)DoS attacks by automatically blacklisting all offending IP addresses.

What else

If the above does not help, here are some tips on what you can do:

  • Analyse the packets that are doing the DoS. There might be something in the requests that you are able to block without blocking legitimate requests. You can use the Intercept function of WebKnight (Admin interface) to see the request/response generated from a certain IP address.
  • Take some parts of the web site offline or even show a single page on your web site to inform the legitimate users of the attack and that you are working on a solution.
  • If the attack is a DoS on your bandwidth, contact your ISP to block the requests upstream.

Published: 4/07/2008
Document Type: General
Last modified: 6/12/2016
Target: General
Visibility: Public
Language: English
