From Documentation

Jump to: navigation, search








Contents

Overview

From OWASP

The Denial of Service (DoS) attack is focused on making unavailable a resource (site, application, server) for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. If a service receives a very large number of requests, it may stop providing service to legitimate users. Denial-of-service attacks significantly degrade service quality experienced by legitimate users. It introduces large response delays, excessive losses, and service interruptions, resulting in direct impact on availability.

While OWSAP recommends[1] a few techniques developers can employ against DoS at application level, ZK as a framework provides two features to protect against DoS as described below

Notes

  1. https://www.owasp.org/index.php/Denial_of_Service

Limit how many resources can be consumed

As explained above DoS attacks causes server to overload and stop responding by requesting large number of resources, it is logical to set a limit on how many resources are allowed per session to prevent server overload. Below are two configurations in ZK that you can use to set such limits.

Limit number of desktops per session

You can configure max-desktops-per-session in zk.xml as shown below. It indicates maximum number of desktops per session that are allowed. A desktop represents a HTML page for a browser. In other words, this number controls the number of concurrent browser windows allowed per session.

<session-config>          
     <max-desktops-per-session>a_number</max-desktops-per-session>
</session-config>

Note : A negative number means no limitation at all.

Limit number of requests per session

You can configure number of requests per session in zk.xml as shown below. It indicates the maximum number of concurrent requests per session that are allowed. Each time a user types an URL at the browser, it creates a request and the request ends after the response is sent to the browser. In other words, this number controls how many concurrent requests the same user can send.

<session-config>
       <max-requests-per-session>a_number</max-requests -per-session>
</session-config>

Note : A negative number means no limitation at all, but it is not recommended due to the possibility of the denial-of-service (DoS) attacks

Prevent sending same request multiple times

If your application has a button starting a long running operation you could use button.setAutodisable() in Java or autodisable="self" in ZUL from preventing DoS by repeatedly causing the button onClick which might hold up precious server resources. For more details on Button autodisable refer here

In addition to this, each and every ZK ajax request carries a additional http header called ZK-SID. The purpose of this ZK-SID header is to differentiate between multiple Ajax requests. If a same ajax request is resent with the same ZK-SID then it is ignored. This ZK-SID header helps to reduce server load and hence DoS attack by sending too many similar/repeated requests

Version History

Last Update : 2013/10/1


Version Date Content
     



Copyright © Potix Corporation. This article is licensed under GNU Free Documentation License.



You got stuck here?
Let us know how we can improve this page
For specific questions please use the forum