avoid

How to prevent a DDoS attack (or a Brute-force attack)



Sharing buttons:

hey guys welcome back again so in this

video let's see that what is a brute

force attack

and how do we handle a brute force

attack on a node.js server

and then we'll also be looking into that

what is a ddos attack

so before seeing that how to mitigate a

brute force attack or a ddos stack first

let's understand that what is a brute

force attack

or a dos attack so now suppose you

created your server

by spending hours and hours of work into

it to create a great api

and then some attacker wants to attack

your server the easiest way

is to send hundreds and thousands of

requests to your server so that the

server is busy responding to those

requests

and not the request that is sent by an

actual client or the normal client or

the normal user

that is you using your api and the

server would be

continuously busy in responding to those

hundreds and thousands of requests that

is sent by the attacker

and this type of attack is known as a

dos attack that is the server has denied

the request that is made by an actual

client because it is completely busy

in responding to the hundreds and

thousands of requests sent by an

attacker

and similarly a brute force attack is a

similar kind of attack in which

now suppose you have a login route in

which the user

enters his email or password to make a

login request

now if an attacker wants to login inside

your application

and he wants to impersonate someone so

what he will do

he will try to use a combination of

email and passwords from a dictionary

and he will try to make hundreds and

thousands of requests to your server

to make a login request until and unless

one succeeds

so therefore you need to make a check

that only a certain number of requests

are allowed per minute or per hour

depending on your api so now let's look

at that what is a ddos attack

and again we have a server and then here

the first d means distributed denial of

service

which means that it is not only limited

to a single attacker

but here what an attacker will do he

would use multiples of computers or

multiple pcs on the internet

to exploit your server by making

thousands and thousands of requests from

those computers that are solely meant

for this purpose

that is to make the server unstable and

so that the actual client who is trying

to access your api

is not able to access the api because

the server is

too busy responding to the attacker's

request

and now what are the solutions to

mitigate a dos attack a brute force

attack or a ddos attack

firstly we have the capture and the

recaptcha it is a simple that is i am

not a robot thing that you always see on

different pages

or you need to verify by clicking on

some sign boards

so but this only works great for login

and register forms

but this captcha and recapture doesn't

works for an api that is an api access

cannot be blocked or limited because

when you try to access an api there is

no captcha or recaptcha

or an image which you can verify it is

dynamically sent

and for that what we can use we can use

our rate limiter

which is alternatively known as the

incremental delay or request throttling

so this is a very good thing to use

inside any of your api that you are

building

and here an api access can also be

blocked and rate limited

so now let's understand that what is the

rate limiter and how does it help us

and that's what we are going to do in

this video so basically it's a very

simple technique that is used to control

the incoming and outgoing traffic from

your server

so what it will do it will limit the

number of requests a client can make

in a particular time window that is if

you allow your api to be accessed

like a like for example a login route to

be accessed only five times per se

per minute then you can do that and if

you want to make your api access

that is if you are serving some blog

post that you want the client to only

access

a couple of times per hour then also you

can use the same thing on that

particular

route and therefore it helps us in

mitigation of the brute force dos and

ddos attacks

so now let's jump into vs code and let's

see that how do we apply rate limiting

inside our node.js application

using express framework so here what

i've done is that i have created a very

basic express application and you all

know that how to create a express

application

and then finally we are listening on

port 3000 so let's

start this application by doing npm

start because i've created a start

script in my package.json file here

as we can see here that is nodemod

app.js

and if you haven't installed node one

globally then you can simply do npm

install hypheng

nodemon and it helps us to restart our

application as soon as it sees changes

in our dot js files

so let's run this application by doing

npm start

so our server is on port 3000 and if we

go to this

file here that is rest.http so here this

file is used to send http request to our

server that is the server which we are

running

and for this i'm using this extension

inside vs code that is called restline

and it's a very nice extension to use

whenever you are building your api

and i've got a video about this and if

you want to learn more about this

extension then you can go and watch that

video i'll link to that in the

description below

so now if you want to make a request to

this home route that is this route

so let's simply click here that is send

request and here we get back hello from

our rate limited

app and similarly we can send these

requests to any other route at which we

have inside our application

so now typically what happens right now

that if i want to make a request to this

login route

i can click this again and again and

again and again and

i'm making hundreds and thousands of

requests to this login route here

and similarly if i want to make a

request here that is this

get route here that is the home route i

can send hundreds and thousands of

requests to this route because

this route is not rate limited and what

will happen is that the server would be

pissing

in responding to my request and not an

actual client's request

so now to mitigate this thing let's see

that how do we rate limit this

application

so for that i am going to stop my server

here

and for this i am going to install a new

package here so npm

install hyphen iphone save express

rate limit

and now if we go to our package.json

file we see that we have this

package installed and now we need to

require this package inside our app.js

file

so let me require it here so const

limiter

equal to require express rate limit like

this

and now if you want to rate limit your

application as in whole

that is for each of the routes you want

to limit your application to have

certain number of requests per minute or

per hour or so

so what we can do we can use this

limiter as a middleware

inside our whole app so what we can do

we can simply say

app dot use a limiter

and then we can pass in an object here

so the first

thing which we need to pass here is the

window time

and this is the time window so let's see

if we pass here five seconds

so for 5 seconds we need to pass on 5000

because this takes

time in milliseconds and then we can

pass in one more property here

that is the maximum number of request

which is allowed for 5 seconds

so let's press pass 5 here for

maximum five requests per five seconds

so now let's save this application and

let's restart this application by doing

npm

start and now let's go to this rest.http

and now let's make a request here to

this home route

so we see that we are getting back the

response

but now let me quickly do five request

within five seconds so let me make five

requests within five seconds

and we see here that this time we are

getting too many requests please try

again later

so now if we if we try to access this

route within five seconds then we are

going to get this message

and if you want to change this message

what you can do you can pass in another

property here

and that is the message property here

and here you can pass in either a string

or you can pass in an object here

so here we can simply pass in the code

here that is four to nine

and that is an http code for uh too many

requests

and then you can pass in an actual

message here so message

too many requests or your custom message

here

whatever you want so let's save this and

now let's again try to make this request

so again we are getting back the

response from the

this route here that is hello from our

rate limited app and we see here that we

get this thing here that is

x rate limit header and the limit is 5

and then we have the

rate limit remaining that is the number

of requests which we can make within the

window time

that is this five seconds window here

and then we again have this header here

that is x

rate limit reset that is the time at

which our

limit would be again be reset to 5

that is this thing here but that is the

maximum number of requests

so this time let me again quickly make a

number of requests here that is within 5

seconds i want to make more than 5

requests

so we see that is 5 2 1 0

and this time we are getting this

message here that is the status quo is 4

to 9 and the message is too many request

so now this is for the whole application

that is if you want to

rate limit whole of your application but

what if if you want to only limit

the number of request only on certain

routes that is if you want to limit the

number of registrations on your

application

then what we can do we can simply

comment this thing out from here

and let's make a function here that is

ah let me close this thing from here and

here what i'll do

i'll create a function here that is

const register limiter

and this should be equal to

limiter and here we can pass in the

object here

that is window in milliseconds and here

let's say our time window is 5 minutes

so let's translate that into

milliseconds so 5 into 60 in 2000

like this and then the maximum number of

registrations which we want inside 5

minutes

let's say 2 that is no client can

register to our application

more than 2 times within this five

minute window

so let's save this and here inside the

post request not in the get triggers

because you always want to send a get

request to your client

or otherwise you can pass in here a

general limiter that is

only a client can access this page a

certain number of times

that is to prevent a dos attack

but now here let me simply handle the

post route and here what we can do we

can simply pass in register limit

limiter as the middleware here inside

this route that is post route here

so let's save this and now if we

make a get request to this register page

here we see that we are getting the

registered page back

and this should be our typical html page

or whatever

and to register to your application you

need to make a post request

so let's send a request here and we see

that this

x rate limit is two and the rate limit

remaining is one

that is within five minutes we can only

register two times

so let's again make a request to this

register route

and we see that our remaining limit is

zero and the maximum limit is reached

so if we make our request again that is

if we want to

register another user to this route then

we have to wait for five minutes

and we see here that we are getting this

message here that is too many requests

please try again later

and this message you can customize it

yourself as i have told here

that is what the message is and the

similar thing what you can do

is to create another limiter for your

login request

so let's say const login limit

equal to limiter and then

this should again take an object here

and for this thing what we want to do

that is within one minute window we do

not want to handle more than

five requests so window in milliseconds

and one into 60

times thousand

and then the maximum number of

request that a user can make to the

login route

is suppose say five

so now let's save this application again

and this time

we are going to apply this login limit

so this post out here that is post login

and here we can say login limit like

this

and this should be thousand or ten

thousand so let's save this

and let's restart our application

and now let's go to our risk line and

here if i'll make a post request to our

login route that is to make the user

login

i can only try five times to make a user

login within a window of one minute

so let's make a request and we see that

the total rate limit are provided to us

first five

and the remaining request which we can

make to this post route here is four

and the time at which this limit would

be reset is this time here and that is

the unix time here

and now let's make a request here and we

see

that finally after five tries within one

minute we are getting this message here

and again this message can be changed

but

this rate limit is only for this post

route here

not this get route if we want to make a

gate request to this lock-in

route here we can simply make it because

this route is not protected

only this route is protected so if we

again try to make this request

we see that we are getting okay here and

now

one minute window is over for five

requests so now let's make a request

here we are getting this thing here

but if we try to make a request here we

cannot access this

route here because this route is rate

limited

so guys that's all about this video so

if you liked the video do hit the like

button and if you haven't subscribed to

the channel do subscribe to our channel

and press the bell icon and if you want

you can support me on the links given in

the description

below so thank you bye tata take care

and have a good day