What sort of unit are you programming? Prevention of a DoS attack is not particularly trivial and really the responsibility of the company firewall and routers rather than the actual servers.
The very nature of such an attack makes it hard to do anything about. It consists of opening a large number of connections to a server to prevent legitimate connections from being made. The question is: if you have 10 pending connections during a DoS attack and only one of them is legitimate, how do you discern the legitimate one from the other 9?
Hi Banfa,
Indeed, DoS attack prevention would be much more efficient if handled by firewalls and routers. However, this does not devoid my attempt to do it server-side. One reason is: are we sure, if we deploy a custom server application and host it at some hosting provider, that the latter has mechanisms in place to prevent DoS?
I don't think so.
In terms of solution, no, it should not be so hard. To discern the legitimate one from the other 9, I can send a puzzle and expect the right solution in the incoming packet before accepting the connection at the application layer.
At the transport layer I can think of measuring the rate of incoming connection requests per incoming address: a DoS attack is most likely to come from one or a handful of places. Thus a local cache recording thing will do the job. Concerning the distributed attack, I am not concerned with it since it is a very rare case: for example the US government did it to shut down the Al Jazeera site on the occasion of a certain publication of a sensible matter.
I asked the question because, from one side, I am trying to finalize a high-performant NIO framework in C++ and, from the other side, I am wondering if there are other people who already analyzed/found DoS prevention code in open source application servers like BlazeDS, etc.