# Denial-of-Service Attacks

If an attacker can exhaust all possible resources on your server by making too many time-consuming HTTP requests, they can make your website unavailable to others. Swamping a server with requests to take it offline in this way is called a **denial-of-service** (DOS) attack.

Denial-of-service attacks are easy to launch (with enough computing power) and hard to defend against. Here are some things you can do to prepare yourself for a flood of unwanted HTTP requests.

## Install a Firewall

A firewall can block traffic from configurable set of IP addresses or IP ranges, allowing you to fend off simple denial-of-service attacks. Some vendors offer *distributed denial-of-service* (DDOS) protection, using smart heuristics to detect and block malicious traffic over a wide range of IP addresses.

## Don’t Make It Easy For An Attacker

If a malicious HTTP request can use a lot of computing resources an attacker will take advantage of this. Attackers will use flaws in your code logic to launch *logic-based* DOS attacks, or unsafe regular expressions to launch *regex-injection* DOS attacks. Here’s ways to avoid these pitfalls:

* Set a maximum content length on requests – particularly file uploads – so your server doesn’t get tied up dealing with large requests. In many frameworks you can set these sizes via configuration. This is how you set the maximum file size to 16 megabytes in the Flask web-server, for example:

from flask import Flaskapp = Flask(__name__)
app.config[‘MAX_CONTENT_LENGTH’] = 16 * 1000 * 1000

* Make sure any regular expressions you use are safe from regex injection attacks by avoiding repeating grouped patterns or characters.

* Don’t allow users to upload archive formats like zip files. These can be maliciously constructed to expand exponentially when unarchived.

## Build Your Site to Scale

You should ensure your website is responsive in the face of large traffic surges, whether it’s from an attacker or just hitting the front page of Reddit. Here are some things to focus on:

* Serve static content use a *Content Delivery Network* (CDN) that will take a lot of load off your web-servers.

* Using caching. Cache resources in the browser by setting the `Cache-Control` header on frequently accessed resources. Cache frequently accessed objects in-memory on the server.

* Push long-running tasks to job queues, and have dedicated worker processes handle these jobs outside the web-server.

* Deploy your web-server instances behind a load-balancer, and make it easy to add extra servers when traffic volumes surge.

* Make sure your database is well indexed, and data queries are optimized.

* Install monitoring software, so you can track the response times and number of requests a second.

## Alert Your Users About Downtime

Even large websites have downtime sometimes. If you support a large community of frequent visitors, you should build out a separate status page and have an alerting mechanism to tell users when the site is down. If your site implements an API, your API endpoints should return a meaningful error like code HTTP 429 when the server is overwhelmed.

## CWEs

* [CWE-400](https://cwe.mitre.org/data/definitions/400.html)

About ShiftLeft

ShiftLeft empowers developers and AppSec teams to dramatically reduce risk by quickly finding and fixing the vulnerabilities most likely to reach their applications and ignoring reported vulnerabilities that pose little risk. Industry-leading accuracy allows developers to focus on security fixes that matter and improve code velocity while enabling AppSec engineers to shift security left.

A unified code security platform, ShiftLeft CORE scans for attack context across custom code, APIs, OSS, containers, internal microservices, and first-party business logic by combining results of the company’s and Intelligent Software Composition Analysis (SCA). Using its unique graph database that combines code attributes and analyzes actual attack paths based on real application architecture, ShiftLeft then provides detailed guidance on risk remediation within existing development workflows and tooling. Teams that use ShiftLeft ship more secure code, faster. Backed by SYN Ventures, Bain Capital Ventures, Blackstone, Mayfield, Thomvest Ventures, and SineWave Ventures, ShiftLeft is based in Santa Clara, California. For information, visit: www.shiftleft.io.


See for yourself – run a scan on your code right now