How to prevent DOS attacks in AEM ?

Prevent Denial of Service (DoS) Attacks : AEM 


A denial of service (DoS) attack is an attempt to make a computer resource unavailable to its intended users.

You can get more information on DDoS prevention in Apache

At the dispatcher level, there are two methods of configuring to prevent DoS attacks:

  • Use the mod_rewrite module (for example, Apache 2.4) to perform URL validations (if the URL pattern rules are not too complex).
  • Prevent the dispatcher from caching URLs with spurious extensions by using filtersFor example, change the caching rules to limit caching to the expected mime types, such as
.html
.jpeg
.gif
.swf
.js
.doc
.pdf
.ppt
.... as per your project requirement. 
    An example configuration file is given below,  for this includes restrictions for mime types.

        When configuring Dispatcher you should restrict external access as much as possible. The     following example provides example for the minimal access for external visitors, you can refer the default file. 

    /filter
          {
          # Deny everything first and then allow specific entries
          /0001 { /type "deny" /glob "*" }
    
           # Enable extensions in non-public content directories, 
           #using a regular expression
          /0041
            {
            /type "allow"
            /extension '(css|gif|ico|js|png|swf|jpe?g)'
            }
    
          # Enable features # enable personalization
          /0062 { /type "allow" /url "/libs/cq/personalization/*"  }  
    
          # Deny content grabbing, on all accessible pages, using regular expressions
          /0081
            {
            /type "deny"
            /selectors '((sys|doc)view|query|[0-9-]+)'
            /extension '(json|xml)'
            }
          # Deny content grabbing for /content and its subtree
          /0082
            {
            /type "deny"
            /path "/content/*"
            /selectors '(feed|rss|pages|languages|blueprint|infinity|tidy)'
            /extension '(json|xml|html)'
            }
    
    # allow one-level json requests
    #     /0087 { /type "allow" /method "GET" /extension 'json' "*.1.json" } 
    }

      To safely enable full functionality on the publish instances, configure filters to prevent access to the following nodes:

      • /etc/
      • /libs/

      Then, configure filters to allow access to the following node paths:

      • /etc/designs/*

      • /etc/clientlibs/*

      • /etc/segmentation.segment.js

      • /libs/cq/personalization/components/clickstreamcloud/content/config.json

      • /libs/wcm/stats/tracker.js

      • /libs/cq/personalization/* (JS, CSS and JSON)

      • /libs/cq/security/userinfo.json (CQ user information)

      • /libs/granite/security/currentuser.json (data must not be cached)

      • /libs/cq/i18n/* (Internalization)

    Once you are done with these configuration, Make sure you have proper logging configured to understand and debug the DDoS attack in your system. 
     
     
     

    Comments

    1. I read the above article and I got some knowledge from your article. It's actually great and useful data for us. Thanks for share it.Hire A Cell Phone Hacker

      ReplyDelete

    Post a Comment

    Popular Posts

    how to clear dispatcher cache in aem ?

    How Does S3 works with AEM ?

    How to Increase Apache Request Per Second ?

    AdobeDispatcherHacks ".statfile"

    How to Sync HMAC in AEM ?

    How to configure s3 in AEM ?

    AEM Security Headers

    Dispatcher flush from AEM UI

    How Encrypt-Decrypt Data in AEM , AEM Crypto Support ?

    Configure/Decoding AEM AuditLogs