Dealing with Denial of Service

greggles's picture

There's a DrupalCon Munich proposal about DOS but I thought maybe we could discuss it here as well in advance (or in case it's not accepted).

What kinds of attacks are people seeing? Drupal specific, generic?

What tools do you use to defend against the attacks? What seem most effective? Any tools that you use regardless of budget or even if the budget is small?

Comments

DOS and Drupal

plaverty's picture

In my limited understanding, Denial of Service and Drupal don't really go together. DOS isn't an application layer attack, it's lower in the stack and should be defended there. We've had DOS issues at my institution and some tried to blame Drupal for the many database connections and calls that it can make, even to serve a single page. However, for a true DOS, the problem really should get caught and defended well before it gets to the Drupal server.

As for the defenses, there are many types of WAF, old and new, or even down to adding (non-Drupal) modules to your web server that can help to limit a DOS situation.

What I've said above is by no means comprehensive or what I would recommend for everyone, I'm just offering an opinion. I'm sure there are great products out there to help defend against a DOS attack, but I just don't think that it should really have much to do with Drupal.

I agree that it doesn't seem

davidhernandez's picture

I agree that it doesn't seem like there is a lot Drupal can do about DOS. It is too far down the line. This is something that generally needs to be detected and handled by the server or something at the network layer. Drupal can block IPs, but that won't stop the web server from getting inundated with requests.

Is there a proposal to create something Drupal-based that would integrate with the web server? Sounds iffy.

When I've had problems with this, malicious or not, it involved exhaustion of memory by either the web server or database server. Is there any way for Drupal to recognize this and do anything about it?

proindustries's picture

DOS usually happens nowadays at the application layer, not the network layer - that's why people use a WAF (web application firewall for those who may not recognize the phrase) not a layer 3 firewall.

Anyways - we do the common things - APC, mod_security, Varnish cache, mod_evasive... I'd love to say we've switched to nginx, but haven't invested the time for that yet. We tend to run IDS systems pretty aggressively - if somebody seems to be sniffing around, we'll throttle their access.

The one thing we try to do that I think is a little non-standard is be a little proactive - as we add/upgrade new customers and/or new applications/code, we keep an eye on how resources are used. An example of this was a release of imagecache one of my customers upgraded to. Monitoring systems noticed increased CPU/memory usage pretty quickly. It took us a little bit to figure out exactly what was the cause, but we rolled back that upgrade in the end.

That does look like a fun talk - if I was headed to Munich I'd sit in. Will keep an eye out for a video.

What I'd like to play with...

proindustries's picture

...either php-ids or the relatively new Drupal tiny-ids module...haven't had a chance yet, tho.

John
