Mitigating HTTP Denial-of-Service Attacks on Self-Hosted Web Applications

This is a Bachelor's thesis from KTH/Computer Science

Authors: William Berg; Gustav Henningsson; [2022]

Abstract: Denial-of-service (DoS) attacks are a common threat to any resource on the internet, making knowledge regarding how to prevent them increasingly valuable. In this paper we have investigated different HTTP DoS attacks, how they affect web servers, and what steps one might take to protect a self-hosted web application from such attacks. In our testing, the web application was hosted on a Raspberry Pi, a common vehicle for self-hosting. Our research indicates that NGINX is the preferred web server software for this purpose, but results of our testing also showed that additional steps needed to be taken for proper protection. Configuring the server to close unusually slow connections, as well as limiting the rate of requests to the application, proved to be fairly effective countermeasures. Combining these efforts with intrusion prevention software like Fail2ban was shown to give sufficient protection against non-distributed HTTP DoS attacks. Limitations and drawbacks of these mitigation tactics were discussed, as well as other ways to protect against distributed (DDoS) attacks, with third-party services such as Cloudflare being explored.