- Forum
- General C++ Programming
- TCP/IP: Stop attacker without affecting
TCP/IP: Stop attacker without affecting others on same IP
If one person that's connected to my server, is running a multirequest script that reconnects and continues no matter what, how can I stop it without affecting the other people that are connected to my server from the same ip? Is that even possible?
Last edited on
Isn't the source ip the same for all of them? (Public ip?)
The port is different for each connection so that wont work either
The port is different for each connection so that wont work either
Last edited on
If src address cannot be used to differentiate, source port cannot be used to regognize same user, and requests have no identifier on higher level, then the "best" you can do is to limit the rate that connections are handled. That too affects all users (from that address).
How does this relate to C++?
How does this relate to C++?
Last edited on
You can't look at the transport or network layer, you need to look at the application layer. Is there anything in the data that would allow you to distinguish the attacker? For example, to stop or throttle a web scraper one might look at the client's user agent to distinguish bots from web browser.
If the traffic is indistinguishable at the application layer you'll have no choice but to block the IP.
If the traffic is indistinguishable at the application layer you'll have no choice but to block the IP.
Last edited on
| How does this relate to C++? |
It doesn't, dont be a Hitler. Non-regular rule breakers are refreshing. The important thing is that we make each other move forward.
| For example, to stop or throttle a web scraper one might look at the client's user agent to distinguish bots from web browser. |
A smart bot would just fake a user agent header.
Let's say it's distinguishable. At best, I can tell my ISP not to send me packages from the specific address (E.g. if something is missing in the headers or entire ip is banned).
In the worst case, everything has to be handled by my own machine/router. Attackers connect,(send), I close, attackers connect, (send), I close and this continues forever. I in fact never get control of the attack without the help of ISP. If it is blacklisted then ISP can prevent the request from reaching my server in first place. But without the assistance of ISP my machine/router can be kept under pressure for eternity, because the blacklist still needs to be handled when it arrives.
How much can ONE single machine/router take?
Basic Internet infrastructure will not block any traffic for any reason as long as it doesn't interfere with its systems. Their systems handle too much traffic to implement firewalls, let alone inspecting the application layer data. So, you can tell your ISP anything you want, but that doesn't mean they're obliged to do anything as a result.
If you don't want to accept traffic from that IP just block it at your firewall. It will still consume downstream bandwidth, but there's nothing you can do about that. At least your server won't use CPU time processing connections that will just be closed immediately.
If you set your firewall to block the packets it will reply to the source that the packet was rejected. If you set it to drop it won't send the notification and to the source it will be indistinguishable from the packet being lost in the network (e.g. because the IP doesn't exist). Blocking is what you do out of politeness when the source is friendly. Dropping is what you do with hostile traffic.
If you don't want to accept traffic from that IP just block it at your firewall. It will still consume downstream bandwidth, but there's nothing you can do about that. At least your server won't use CPU time processing connections that will just be closed immediately.
If you set your firewall to block the packets it will reply to the source that the packet was rejected. If you set it to drop it won't send the notification and to the source it will be indistinguishable from the packet being lost in the network (e.g. because the IP doesn't exist). Blocking is what you do out of politeness when the source is friendly. Dropping is what you do with hostile traffic.
Which firewall? The one on the server machine?... That affects the same CPU. Or do you mean router?
If router... Can it handle the constant load alone no matter how large? If not, when do I know it needs reinforcement? Where can I see an indication of that
If router... Can it handle the constant load alone no matter how large? If not, when do I know it needs reinforcement? Where can I see an indication of that
| Which firewall? The one on the server machine?... That affects the same CPU. Or do you mean router? |
| If router... Can it handle the constant load alone no matter how large? If not, when do I know it needs reinforcement? Where can I see an indication of that |
| How should I know? |
Anyway... This was helpful, I appreciate it
Last edited on
Topic archived. No new replies allowed.