The tale of avoiding a time-based DDOS attack in Node.js

This video discusses the importance of protecting web applications from DDoS attacks, focusing on the Slowloris attack. It explains how Node.js applications can be vulnerable and offers mitigation strategies. Placing a reverse proxy such as NGINX in front of the Node.js application is recommended so that incoming HTTP requests are handled more robustly. Proper timeout handling, such as enabling the http.Server timeout and requestTimeout settings, is crucial for protection. The video highlights the significance of updating to Node.js version 18.0.0 or higher, which includes built-in protections against Slowloris attacks. The talk also emphasizes understanding your application's traffic patterns and maintaining server security by validating code regularly and using common sense. Nearform and Orama, the companies mentioned in the talk, focus on professional services and on innovation in the text search industry, respectively.

From Author:

Web applications are commonly vulnerable to several Distributed Denial of Service attacks, sometimes in unexpected ways. An example is the SlowLoris attack, an exploit that leads to service interruption by simply sending the data to the server as slowly as possible. In this talk I will tell the tale of how it took almost 13 years for Node to be completely protected from SlowLoris attacks. I will also show that sometimes prioritizing performance can lead to incorrect fixes that result in a false sense of protection.

This talk was presented at Node Congress 2023; check out the latest edition of this JavaScript conference.

FAQ

Nearform is a professional services company that operates fully remotely. They are always looking for new talent and have more than 300 employees. They also have a significant presence on NPM, with 1 billion monthly downloads.

Orama is a company co-founded by a staff DX engineer at Nearform. Its goal is to reinvent the text search industry using JavaScript while staying open source. They aim to support search everywhere JavaScript can run.

Web applications are crucial for various purposes such as telemedicine, online banking, national security, social networks, and messaging. These applications need to be available at all times, as downtime can severely impact users, especially those relying on them for essential communication.

A Distributed Denial of Service (DDoS) attack is a type of cyber attack where multiple compromised systems are used to flood a targeted network resource with traffic, making it unavailable to its intended users.

A Slowloris attack is a type of DDoS attack that uses minimal bandwidth to make a server unavailable. It works by opening multiple connections to a server and sending incomplete requests, keeping these connections open and exhausting the server's resources.

To protect against a Slowloris attack, you should implement proper timeout handling. This includes setting timeouts both for idle sockets and for the delivery of request headers. Using a reverse proxy or API gateway such as NGINX in front of your Node.js application can also help mitigate such attacks.

Avoid overengineering solutions, as that can harm performance. Also, never assume that a single layer of protection is sufficient: use multiple layers, such as proper timeout handling plus a reverse proxy.

As of Node.js version 18.0.0, Node.js handles Slowloris attacks by periodically checking all sockets (every 30 seconds) and closing any whose timeouts have expired. It maintains a list of connected sockets so that these checks can be carried out efficiently.

Updating to Node.js version 18.0.0 or higher is recommended because it includes built-in protections against Slowloris attacks by default, such as periodic socket checks and safer timeout defaults.

Best practices for server security include always thinking about security first, validating your code regularly, and using common sense. Ensure proper timeout handling, use reverse proxies, and keep your software updated to the latest versions with security patches.

Paolo Insogna
29 min
14 Apr, 2023


Video Transcription

1. Introduction and Background

Short description:

Sometimes your worst enemy is just slowness. At the end of the talk, you will be amazed at what happened. I am a staff DX engineer at Nearform and co-founder and principal architect at Orama. Nearform is a fully remote professional services company. We are 300 and counting, fully remote, and unfortunately you cannot escape from us on NPM. With Orama, we plan to reinvent the text search industry using JavaScript and staying open source.

I promise I will change this title because it's definitely too long, but let's put it into a short, catchy sentence. Sometimes your worst enemy is just slowness. You don't believe me now, but at the end of the talk you actually will believe me and you will be amazed at how this happened.

First of all, let me slightly reintroduce myself. For people who ask me where I come from: the little tiny dot there in the centre of South Italy, and I can tell you that the rest of Italy does not acknowledge our existence. My region is completely forgotten. Don't ask me why. But, as was also said, I am a staff DX engineer at Nearform and co-founder and principal architect at Orama. What are these companies? Nearform is a fully remote professional services company. We are always looking for new talent, so if you're interested come say hi to me after this talk. We are 300 and counting, fully remote, and unfortunately you cannot escape from us on NPM. We are at 1 billion monthly downloads on our packages, 8%, so unfortunately you cannot escape. With Orama, we plan to do just one simple thing: search everywhere, wherever you can run JavaScript. We are trying to reinvent the text search industry, just using JavaScript and staying open source. Once again, if you're interested, come say hi to me later, to me or my co-founders Michele and Angela; we are outside.

2. DDoS Attacks and the Slowloris

Short description:

Nowadays web applications are crucial, serving important functions like telemedicine, online banking, and national security, as well as more trivial purposes like social networks and messaging. However, even these seemingly trivial applications are vital for certain individuals, such as the elderly who rely on messaging apps to communicate. The constant threat of DDoS attacks looms over all applications, as attackers always outnumber those defending. DDoS attacks involve overwhelming a network resource with malicious requests, and the distributed variant, where malicious traffic comes from multiple sources, is particularly challenging to combat. While it was once believed that DDoS attacks required a significant amount of resources, a threat called Slowloris proves otherwise.

Let's get to the meat. Nowadays we are using more and more web applications, and they are very important for all our usage. They can range from very important topics like, I don't know, telemedicine, online banking, national security, or whatever, to what might be taken as trivial topics like social networks, messaging and so forth.

I say it might be called trivial because, if you think about accessibility and inclusion, for some kinds of people like the elderly and so forth, WhatsApp might be the only way to talk to their nephew. So if you have WhatsApp down, you cut them off from a very important part of their communication. So all these applications simply can never go down. That's not going to happen.

Which brings us to another problem: we are always all vulnerable. No matter how smart you think you are, no matter how many people work on security in your company, remember that there are going to be 10 more people outside trying to waste your time, mess with your application and bring it down. Unfortunately, they always outnumber you.

This brings us to one category of attacks which is usually well known. Please raise your hand if you know about DoS attacks. And raise your hand if you know about DDoS attacks, the distributed variant. Okay, pretty much the same people. So, in short: a denial of service attack is a kind of attack where a network resource is maliciously made unavailable to the intended user. The application is not breached by the attacker but is overwhelmed by requests. There is the distributed version, which is the DDoS attack, which is what I'm going to focus on from now on. It is a variant where malicious traffic comes from several sources across the web, which is much harder to fight for the reason that we will see in a bit.

Now, up to a few years ago it was a common understanding that in order to drive a DDoS attack, the attacker must use a lot of resources from several sources across the globe. Now please raise your hand if you think that this is still true and that in order to run a DDoS attack you have to use a lot of resources. Okay, okay, that's kind of true and not, and I will show you in a bit why that's the case.

Because first of all let me introduce you to your real enemy for today. This is the most horrific animal I have ever seen in IT. This guy. This guy is terrifying. When I tell you why, you will say okay, this is amazing. So this is the slow loris, and basically it is a very, very, very, very small, small and slow animal. By definition, it moves very slowly.

QnA