The verification code is not a panacea. To give users a better experience, sites sometimes omit the verification code, and even where it is used it should not be shown too often, so a better solution is needed.
The verification code was designed to tell humans and machines apart, but there are other ways to make that distinction.
Under normal circumstances, the server-side application can identify the client by the User-Agent in the HTTP header. This approach is not reliable for security purposes, because the User-Agent header can be tampered with on the client side.
Besides identifying humans, some defenses can also be applied at the web server layer; this is protective because the request has not yet reached the back-end application.
In the Apache configuration file, some parameters can mitigate DDoS attacks, such as decreasing the Timeout and KeepAliveTimeout values and increasing the MaxClients value. Note, however, that adjusting these parameters may affect the normal operation of the application, so they should be tuned cautiously in practice. The official Apache documentation gives some guidance.
Apache's module interface makes it easy to extend Apache and to implement defensive measures. Several open source modules already protect against all or part of the application-layer DDoS attack:
# minimum request rate (bytes/sec at request reading):
# limits the connections for this virtual host:
# allows keep-alive support till the server reaches 600 connections:
# allows max 50 connections from a single ip address:
# disables connection restrictions for certain clients:
mod_qos* is powerful and has many more configuration options; interested readers can find more information on the official website.
Apart from mod_qos, mod_evasive,† which is designed specifically to fight application-layer DDoS attacks, has a similar effect. Like mod_qos, it still limits the access frequency of a single IP address, so it is most useful when the attack comes from one or only a few IP addresses. If the attacker attacks through proxy servers or puppet machines (zombie hosts), it is hard to protect the site this way.
Yahoo offers a solution to this problem. Because the IP addresses that launch application-layer DDoS attacks are real, the attacker's pool of IP addresses cannot grow without limit. Suppose the attacker has 1,000 IP addresses; if 10,000 requests are launched, each IP address on average sends 10 requests for the same page. As the attack continues, the request count per IP address keeps rising, but the attacker is still cycling through the same 1,000 IP addresses.
Yahoo built a set of algorithms based on information such as IP addresses and cookies, which compute each client's request frequency so that abusive clients can be intercepted. Yahoo's system is also implemented as a web server module, but in the overall architecture a master server computes the request frequency for all IP addresses and synchronizes the results to each web server.
Yahoo applied for a patent for this (Detecting system abuse*), so we can refer to the public information on this patent for more details.
United States Patent 7,533,414
Reed, et al. May 12, 2009
Detecting system abuse
A system continually monitors service requests and detects service abuses. First, a screening list is created to identify potential abuse events. A screening list includes event IDs and associated count values. A pointer cyclically selects entries in the table, advancing as events are received. An incoming event ID is compared with the event IDs in the table. If the incoming event ID matches an event ID in the screening list, the associated count is incremented. Otherwise, the count of a selected table entry is decremented. If the count value of the selected entry falls to zero, it is replaced with the incoming event. Event IDs can be based on properties of service users, such as user identifications, or of service request contents, such as a search term or message content. The screening list is analyzed to determine whether actual abuse is occurring.
This defense system that Yahoo designed has proven effective against application-layer DDoS attacks and other attacks involving the misuse of resources. But Yahoo has not released it as open source, so Internet companies with strong R&D capability could develop a similar system based on the contents of this patent.
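To make the patent abstract concrete, the following is an added example, not Yahoo's code and not taken from the patent's claims, that implements the screening list exactly as the abstract describes it: a fixed-size table of event IDs and counts, a cyclic pointer that advances with every event, increment on match, decrement of the pointed-to entry on mismatch, and replacement when a count falls to zero. The table size, the initial count of 1 given to a newly inserted entry, the abuse threshold, and the request stream (two attacker IPs cycling through many benign single-request IPs, as in the request-frequency reasoning above) are assumptions constructed for the example.

```python
"""Screening-list abuse detector.

Added example modelled on the algorithm in the abstract of US patent
7,533,414 quoted above; it is not Yahoo's code. The table size, the
initial count given to a newly inserted entry (1) and the abuse
threshold are assumptions made here, not values from the patent.
"""
from typing import Dict, List, Optional


class ScreeningList:
    """Fixed-size table of (event ID, count) entries with a cyclic pointer."""

    def __init__(self, size: int) -> None:
        self.ids: List[Optional[str]] = [None] * size
        self.counts: List[int] = [0] * size
        self.pointer = 0  # cyclically selects the entry to decrement/replace

    def observe(self, event_id: str) -> None:
        """Feed one event (here: the client IP of a request) into the list."""
        if event_id in self.ids:
            # Incoming ID matches a tracked entry: increment its count.
            self.counts[self.ids.index(event_id)] += 1
        else:
            # No match: the entry under the pointer is decremented...
            if self.counts[self.pointer] > 0:
                self.counts[self.pointer] -= 1
            # ...and, if its count has fallen to zero (or the slot was
            # never filled), it is replaced by the incoming event.
            if self.counts[self.pointer] == 0:
                self.ids[self.pointer] = event_id
                self.counts[self.pointer] = 1  # assumed initial count
        # The pointer advances as each event is received.
        self.pointer = (self.pointer + 1) % len(self.ids)

    def suspects(self, threshold: int) -> Dict[str, int]:
        """Analysis step: IDs whose count has reached the threshold."""
        return {eid: cnt for eid, cnt in zip(self.ids, self.counts)
                if eid is not None and cnt >= threshold}


ATTACKERS = ["198.51.100.7", "198.51.100.8"]  # constructed sample IPs


def constructed_traffic(rounds: int = 30) -> List[str]:
    """Constructed request stream: each round, both attacker IPs send one
    request and a fresh benign IP sends a single request."""
    stream: List[str] = []
    for r in range(rounds):
        stream.extend(ATTACKERS)
        stream.append(f"203.0.113.{r}")
    return stream


def detect(stream: List[str], size: int = 4, threshold: int = 10) -> Dict[str, int]:
    """Run the stream through a screening list and return the flagged IDs."""
    table = ScreeningList(size)
    for ip in stream:
        table.observe(ip)
    return table.suspects(threshold)


if __name__ == "__main__":
    # The two repeat offenders survive in the table with high counts while
    # the one-off benign IPs keep displacing each other in the other slots.
    print(detect(constructed_traffic()))  # {'198.51.100.7': 23, '198.51.100.8': 22}
```

The point of the design is memory: the table holds only a handful of entries regardless of how many distinct IP addresses appear, yet a source that keeps returning accumulates a count that one-off visitors can never reach, because each mismatch decrements only one entry. In a deployment of the kind the text describes, the event ID would be built from the IP address and cookie information, the table would be maintained by the master server, and the analysis step would drive the interception decision pushed to each web server.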