Tornado and DDoS Attacks


aliane abdelouahab

Jun 21, 2012, 9:33:46 AM
to Tornado Web Server
Hi,
I was searching for a solution to DDoS, and it came to my mind to
use a captcha, but the problem is that a captcha is in the software layer,
and the attacks occur in the network layer
http://forums.digitalpoint.com/showthread.php?t=1622254&s=7fbdee01df5bc01efcc9b9a20c7bb22c&p=13191216#post13191216
and because Tornado is asynchronous/non-blocking, so how to prevent
DDoS attacks?

Andrew Grigorev

Jun 21, 2012, 10:03:53 AM
to python-...@googlegroups.com
To prevent DDoS attacks you need to kill those bastards who are doing
the DDoS. To stand against DDoS you need to write fast and scalable
web applications. Tuning the server to resist
network/session/HTTP-layer attacks is only part of success. It does
nothing if your application produces 100% CPU load at 10 RPS.

Though Tornado is a pretty good HTTP server due to its async nature, it is
not a good idea to put it on the front. Since it is recommended to put
it behind another web server (nginx/lighttpd/cherokee), there are no
Tornado-specific requirements to protect against network-layer attacks.

21.06.2012 17:33, aliane abdelouahab wrote:
--
Andrew

Andrew Grigorev

Jun 21, 2012, 10:25:21 AM
to python-...@googlegroups.com
BTW, captcha is to protect against spam bots, not DDoS.

21.06.2012 17:33, aliane abdelouahab wrote:
--
Andrew

Srini Kommoori

Jun 21, 2012, 2:54:21 PM
to python-...@googlegroups.com
As suggested, I would use nginx/haproxy before Tornado (or any app server).

I have been using https://www.cloudflare.com/overview so far and am really happy with it. I don't know whether it saved me from DDoS though.

Russ Weeks

Jun 21, 2012, 2:59:06 PM
to python-...@googlegroups.com
On a side-note: in a configuration like the one recommended, with nginx front-ending tornado, is there any security benefit to running tornado in HTTPS?  Assuming that the nginx and tornado processes are colocated, of course.

Thanks,
-Russ

Didip Kerabat

Jun 21, 2012, 3:39:15 PM
to python-...@googlegroups.com
The best way to block network-related attacks is to use a firewall.

Some attacks aren't just targeting HTTP; they can attack ICMP or SYN as well.

http://www.cyberciti.biz/faq/how-do-i-block-an-ip-on-my-linux-server/
http://www.cyberciti.biz/faq/block-entier-country-using-iptables/

- Didip -

Alek Storm

Jun 21, 2012, 4:54:39 PM
to python-...@googlegroups.com
On Thu, Jun 21, 2012 at 1:59 PM, Russ Weeks <rwe...@newbrightidea.com> wrote:
> On a side-note: in a configuration like the one recommended, with nginx front-ending tornado, is there any security benefit to running tornado in HTTPS?  Assuming that the nginx and tornado processes are colocated, of course.

No. Nginx would be decrypting data from the downstream TLS session, then packaging it into a new TLS session it's established with the Tornado machine. The nginx machine could prove its own identity, but not that it is, in fact, talking to the downstream endpoint it claims it is (through a client cert). You'd take a performance hit for no additional security.

OTOH, if you were using nginx just as a TCP-level load balancer (and not to serve static content), then it could just proxy the TLS packets to Tornado, but I don't think that's what you meant.

Alek

aliane abdelouahab

Jun 22, 2012, 3:40:45 PM
to Tornado Web Server
Thank you for the replies, and sorry for being late.
So from what I understand, the best way to defend against DDoS is to use
a third-party solution, or to try to tell all internet users to use a
good antivirus to avoid a trojan that will execute the DDoS!
Nginx is a good idea and it will be there, so Nginx will act as a
load balancer, a static file server, and a DDoS protector!
So, using only Tornado is not a good idea!
Thank you again :)

aliane abdelouahab

Jun 22, 2012, 3:43:42 PM
to Tornado Web Server
CloudFlare is a third-party solution, but DDoS Deflate http://deflate.medialayer.com/
seems to be a good idea; it's only a simple monitor for netstat, so
it's the admin who will control everything, and would that be a good
idea?
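
The netstat-based monitoring mentioned in the last message, sketched as an added example that is not part of the thread and is not DDoS Deflate's own code: it counts open TCP connections per remote address and reports the addresses above a limit. The sample `netstat -ntu` output, the limit, the allow list and all function names are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample of `netstat -ntu` output (documentation address ranges).
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51235      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51236      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.9:40000       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.9:40001       TIME_WAIT
tcp6       0      0 2001:db8::10:80         2001:db8::bad:44321     ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8::bad:44322     ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:198.51.100.7:5   ESTABLISHED
tcp        0      0 127.0.0.1:8888          127.0.0.1:39000         ESTABLISHED
udp        0      0 192.0.2.10:53           198.51.100.7:5353
"""

def remote_ip(endpoint):
    """Parse netstat's 'addr:port' field; return an ip_address or None."""
    host, _, _port = endpoint.rpartition(":")  # last colon separates the port
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None
    # Fold ::ffff:a.b.c.d into a.b.c.d so one client is not split in two.
    return getattr(ip, "ipv4_mapped", None) or ip

def connections_per_ip(netstat_text, states=("ESTABLISHED", "SYN_RECV")):
    """Count TCP connections in the given states per remote address."""
    counts = Counter()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp") or f[5] not in states:
            continue  # headers, UDP rows, and states we do not count
        ip = remote_ip(f[4])
        if ip is not None:
            counts[ip] += 1
    return counts

def offenders(netstat_text, limit, allow=("127.0.0.0/8", "::1/128")):
    """Return {address: count} for remote addresses above `limit`.

    `allow` exempts trusted peers, e.g. a colocated front-end proxy on loopback.
    """
    nets = [ipaddress.ip_network(n) for n in allow]
    return {
        str(ip): n
        for ip, n in connections_per_ip(netstat_text).items()
        if n > limit and not any(ip.version == net.version and ip in net for net in nets)
    }
```

The result is only a report; what to do with a flagged address (a firewall rule, an upstream block) stays the administrator's decision, which is the point raised in the message above.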