Welcome!

You will be redirected in 30 seconds or close now.

ColdFusion Authors: Yakov Fain, Jeremy Geelan, Maureen O'Gara, Nancy Y. Nee, Tad Anderson

Related Topics: ColdFusion

ColdFusion: Article

Defeating DoS Attacks

Defeating DoS Attacks

A denial-of-service (DoS) attack is an attempt by a single person or a group of people to disrupt an online service. It is designed to bring the server and network to its knees by flooding it with useless traffic. A DoS attack is the most common type of Internet attack and can be launched against your site at any time with relative ease. This can affect you by eating up your bandwidth and server resources to service these bogus requests while leaving no resources to fill legitimate requests.

So how do you know if you're being attacked? There are many variations of DoS attacks, and some are more difficult to catch than others. Some programs, such as the Apache Web server, have rearchitected their software to protect against this sort of attack. The method described here will allow you to catch and automatically defeat DoS attacks against your applications, regardless of the Web server used.

All you'll need to add to your database is a single table to keep track of active sessions (see Listing 1). You can decide whether to implement this on an application level or across the entire server, and decide which database makes sense for doing this tracking. Although there is a slight performance hit to enable this feature, you'll gain other relevant information on current site usage such as how many users are online, what page they're currently viewing, and how many total pages they've retrieved during the session.

Some may feel that we're creating a set of data for tracking sessions in a database that could just as well be created using ColdFusion's client variables. We'll discuss that alternative briefly in the conclusion.

We only need to make a couple of changes to our application to enable our DoS checking. First, in your application.cfm, we'll add code to check if a session already exists in our database. If it does, we'll update the lasthit timestamp as well as the last page and total pages viewed; otherwise we'll add a new record for this session (see Listing 2). We use a combination of CFID and CFTOKEN instead of URLTOKEN to keep things compatible with earlier versions of ColdFusion.

Now we have all of the current sessions for our site within a database. We'll take advantage of ColdFusion's built-in session management to help us detect attacks. Normally, ColdFusion will generate a new CFID and CFTOKEN for each individual browser that it encounters. Since many DoS attacks use an automated program and not a browser, ColdFusion ends up generating a new CFID and CFTOKEN for each request. Now we need a way to check for this.

We set up a scheduled script to run every 5 minutes and monitor our session table (you can modify the interval if necessary). Our check script (see Listing 3) first deletes any sessions from our database that are older than our specified session length (as defined in a CFAPPLICATION tag, which though not shown here, is 60 minutes in this case). We then count how many distinct URLTOKENs we have for each IP address. You should note that it is perfectly valid to have multiple sessions for a single IP if your users are sharing an Internet connection or going through a proxy server. Therefore, we'll set our threshold high enough (50) so that regular usage of the site will not be affected. You can modify this threshold as you see fit to make the check more or less sensitive. Finally, we create a list of any offending IP addresses and save this to an application variable.

You may wonder about locking the last line, assigning the application.DoS variable. While in CF5 it's always best to lock any reference to persisted variables, and in CFMX it's wise to do so to avoid "race conditions" when multiple users or sessions run code at the same time. In this case, however, this is a task that will be run only by the CF scheduler and then only once at a time.

The last thing you'll need to do in order to protect your site is to add some code at the top of your application.cfm to stop offending requests dead in their tracks (see Listing 4). Although we can't ignore these requests completely (as they've already made it through to our application), we can halt them right away so that we do not waste processing power or bandwidth.

We mentioned earlier that this process of tracking and analyzing sessions, while it has value beyond just this task, is partly already done for us if we enable CLIENTMANAGEMENT="yes" in our CFAPPLICATION tag. ColdFusion will then automatically write to a repository a set of fixed client variables similar to those we've set up (CFID, CFTOKEN, HitCount, LastVisit, TimeCreated, and URLToken). It will then update these values for each client that visits your application.

There are a couple of problems with using this data. First, CF doesn't automatically write the IP address for the visitor. You could easily add that one value by adding to your application.cfm the single line:

<CFSET client.ipaddress=cgi.remote_addr>

But even then, in order to process the data, you need to manage it in the location and format in which CF creates it. It writes these data either to a database or the registry, depending on the setting of the associated CLIENTSTORAGE attri-bute. If CLIENTSTORAGE="registry", or if it's not specified at all, CF will write these variables to the registry. CLIENTSTORAGE can also point to a database.

The problem is that the database approach creates tables (Cdata and CGLobal) and columns that are not easily parsed for our purposes. And while we could write CFREGISTRY tags to extract the data from the registry, it is challenging to then convert that to query-like data to be analyzed as we have. (If you want to explore it, the client data is written to the registry in HKEY_LOCAL_MACHINE\SOFTWARE\ Macromedia\ColdFusion\CurrentVersion\Clients).

DoS attacks are on the rise and growing exponentially each year. You need to protect yourself, or at least be aware of the damage that a DoS attack can do. If you have a Web page with 200K of graphics and data, calling that six or seven times a second will consume a full T1 of bandwidth. Hopefully most of you will only need this tag to keep track of users currently on your site, but for those having attack problems, this method will provide a self-correcting way to insulate your site from trouble.

More Stories By Joe Danziger

Joe Danziger is a senior web applications developer with Multimax, Inc., a provider of Enterprise IT Services and Solutions supporting the critical missions of the Air Force, Army, Navy, and other Department of Defense components. He is certified as an Advanced Macromedia ColdFusion MX Developer, and also maintains the Building Blocks site (www.ajaxcf.com) dedicated to AJAX and ColdFusion, as well as DJ Central (www.djcentral.com), a Website serving DJs and the electronic dance music industry.

Comments (2) View Comments

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


Most Recent Comments
Tim Trombley 07/16/03 03:56:00 PM EDT

I think there is an error in the code used for the DoS security article. When checking for excessive hits, the query uses the urltoken column from the database. This column will only exist once for each session. The pages column is what gets incremented for multiple page views. Please correct me if I am wrong...

Joe Danziger 07/17/03 03:20:00 AM EDT

The code should be correct, actually. The pages column is more of an informational field and doesn't really do the DoS checking. We are checking how many urltokens exist for a specific IP address because a DoS attack will often generate multiple urltokens for one IP. If it was not a DoS attack we should not get excessive urltokens for that IP from normal browsing activity. So we count unique urltokens to make sure that IP is not suspect.

@ThingsExpo Stories
DX World EXPO, LLC, a Lighthouse Point, Florida-based startup trade show producer and the creator of "DXWorldEXPO® - Digital Transformation Conference & Expo" has announced its executive management team. The team is headed by Levent Selamoglu, who has been named CEO. "Now is the time for a truly global DX event, to bring together the leading minds from the technology world in a conversation about Digital Transformation," he said in making the announcement.
"Space Monkey by Vivent Smart Home is a product that is a distributed cloud-based edge storage network. Vivent Smart Home, our parent company, is a smart home provider that places a lot of hard drives across homes in North America," explained JT Olds, Director of Engineering, and Brandon Crowfeather, Product Manager, at Vivint Smart Home, in this SYS-CON.tv interview at @ThingsExpo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
SYS-CON Events announced today that Conference Guru has been named “Media Sponsor” of the 22nd International Cloud Expo, which will take place on June 5-7, 2018, at the Javits Center in New York, NY. A valuable conference experience generates new contacts, sales leads, potential strategic partners and potential investors; helps gather competitive intelligence and even provides inspiration for new products and services. Conference Guru works with conference organizers to pass great deals to gre...
The Internet of Things will challenge the status quo of how IT and development organizations operate. Or will it? Certainly the fog layer of IoT requires special insights about data ontology, security and transactional integrity. But the developmental challenges are the same: People, Process and Platform. In his session at @ThingsExpo, Craig Sproule, CEO of Metavine, demonstrated how to move beyond today's coding paradigm and shared the must-have mindsets for removing complexity from the develop...
In his Opening Keynote at 21st Cloud Expo, John Considine, General Manager of IBM Cloud Infrastructure, led attendees through the exciting evolution of the cloud. He looked at this major disruption from the perspective of technology, business models, and what this means for enterprises of all sizes. John Considine is General Manager of Cloud Infrastructure Services at IBM. In that role he is responsible for leading IBM’s public cloud infrastructure including strategy, development, and offering m...
"Evatronix provides design services to companies that need to integrate the IoT technology in their products but they don't necessarily have the expertise, knowledge and design team to do so," explained Adam Morawiec, VP of Business Development at Evatronix, in this SYS-CON.tv interview at @ThingsExpo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
To get the most out of their data, successful companies are not focusing on queries and data lakes, they are actively integrating analytics into their operations with a data-first application development approach. Real-time adjustments to improve revenues, reduce costs, or mitigate risk rely on applications that minimize latency on a variety of data sources. In his session at @BigDataExpo, Jack Norris, Senior Vice President, Data and Applications at MapR Technologies, reviewed best practices to ...
Widespread fragmentation is stalling the growth of the IIoT and making it difficult for partners to work together. The number of software platforms, apps, hardware and connectivity standards is creating paralysis among businesses that are afraid of being locked into a solution. EdgeX Foundry is unifying the community around a common IoT edge framework and an ecosystem of interoperable components.
Large industrial manufacturing organizations are adopting the agile principles of cloud software companies. The industrial manufacturing development process has not scaled over time. Now that design CAD teams are geographically distributed, centralizing their work is key. With large multi-gigabyte projects, outdated tools have stifled industrial team agility, time-to-market milestones, and impacted P&L stakeholders.
"Akvelon is a software development company and we also provide consultancy services to folks who are looking to scale or accelerate their engineering roadmaps," explained Jeremiah Mothersell, Marketing Manager at Akvelon, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
"IBM is really all in on blockchain. We take a look at sort of the history of blockchain ledger technologies. It started out with bitcoin, Ethereum, and IBM evaluated these particular blockchain technologies and found they were anonymous and permissionless and that many companies were looking for permissioned blockchain," stated René Bostic, Technical VP of the IBM Cloud Unit in North America, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Conventi...
In his session at 21st Cloud Expo, Carl J. Levine, Senior Technical Evangelist for NS1, will objectively discuss how DNS is used to solve Digital Transformation challenges in large SaaS applications, CDNs, AdTech platforms, and other demanding use cases. Carl J. Levine is the Senior Technical Evangelist for NS1. A veteran of the Internet Infrastructure space, he has over a decade of experience with startups, networking protocols and Internet infrastructure, combined with the unique ability to it...
22nd International Cloud Expo, taking place June 5-7, 2018, at the Javits Center in New York City, NY, and co-located with the 1st DXWorld Expo will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud ...
"Cloud Academy is an enterprise training platform for the cloud, specifically public clouds. We offer guided learning experiences on AWS, Azure, Google Cloud and all the surrounding methodologies and technologies that you need to know and your teams need to know in order to leverage the full benefits of the cloud," explained Alex Brower, VP of Marketing at Cloud Academy, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clar...
Gemini is Yahoo’s native and search advertising platform. To ensure the quality of a complex distributed system that spans multiple products and components and across various desktop websites and mobile app and web experiences – both Yahoo owned and operated and third-party syndication (supply), with complex interaction with more than a billion users and numerous advertisers globally (demand) – it becomes imperative to automate a set of end-to-end tests 24x7 to detect bugs and regression. In th...
"MobiDev is a software development company and we do complex, custom software development for everybody from entrepreneurs to large enterprises," explained Alan Winters, U.S. Head of Business Development at MobiDev, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
Coca-Cola’s Google powered digital signage system lays the groundwork for a more valuable connection between Coke and its customers. Digital signs pair software with high-resolution displays so that a message can be changed instantly based on what the operator wants to communicate or sell. In their Day 3 Keynote at 21st Cloud Expo, Greg Chambers, Global Group Director, Digital Innovation, Coca-Cola, and Vidya Nagarajan, a Senior Product Manager at Google, discussed how from store operations and ...
"There's plenty of bandwidth out there but it's never in the right place. So what Cedexis does is uses data to work out the best pathways to get data from the origin to the person who wants to get it," explained Simon Jones, Evangelist and Head of Marketing at Cedexis, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
SYS-CON Events announced today that CrowdReviews.com has been named “Media Sponsor” of SYS-CON's 22nd International Cloud Expo, which will take place on June 5–7, 2018, at the Javits Center in New York City, NY. CrowdReviews.com is a transparent online platform for determining which products and services are the best based on the opinion of the crowd. The crowd consists of Internet users that have experienced products and services first-hand and have an interest in letting other potential buye...
SYS-CON Events announced today that Telecom Reseller has been named “Media Sponsor” of SYS-CON's 22nd International Cloud Expo, which will take place on June 5-7, 2018, at the Javits Center in New York, NY. Telecom Reseller reports on Unified Communications, UCaaS, BPaaS for enterprise and SMBs. They report extensively on both customer premises based solutions such as IP-PBX as well as cloud based and hosted platforms.