Question

Are there any inherent advantages or disadvantages when it comes to handling DDoS attacks on an application running a non-blocking framework like node.js?

As I understand it, these attacks overload the system resources with a ton of requests - causing it to fail. Non-blocking frameworks are able to handle many more concurrent requests than blocking ones. Shouldn't that mean that using non-blocking frameworks by nature helps mitigate these types of attacks?

I realize there are other factors involved in mitigating these attacks, but with all other things equal, is this a correct assumption?


Solution

A non-blocking service will generally make more system resources available to users than a blocking service. Until all system resources are used up by the attack, a non-blocking service will perform better in that legitimate users can still fulfill requests while the attack is happening. That is, real users will not have to wait for the attackers' bogus requests to complete before the system starts processing legitimate requests. But given the greater exposure to system resources, a DDoS attack can be more effective on a non-blocking service.

Say for example the limiting factor is database access. A non-blocking service has a greater ability to make more DB requests than the blocking service. So while the non-blocking service may still accept legitimate user requests, they will have a harder time completing the database access because the attackers' requests are better able to keep the DB under load.

So I'd say yes - non-blocking is better - but only if you can make sure that downstream resources are sized appropriately.
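The answer's point about downstream sizing can be made concrete. The following is an added example, not code from the question or the answers: a small Node.js simulation in which a burst of simultaneous requests hits a simulated database, first with no limit (the non-blocking server forwards every request at once) and then through a bounded concurrency limiter that queues a few callers and rejects the rest immediately. All names (`Semaphore`, `makeFakeDb`, `bounded`, `unbounded`) and the constants are assumptions chosen for the illustration.

```javascript
// Added example (not from the original answers): a bounded concurrency
// limiter in front of a simulated database call. It shows why a
// non-blocking server needs downstream limits: without one, every accepted
// request becomes an in-flight DB query at the same moment.

const DB_LATENCY_MS = 20;  // constructed: simulated query time
const DB_CAPACITY = 4;     // constructed: queries the DB can serve concurrently

// Simulated database that records the peak number of queries in flight.
function makeFakeDb() {
  let inFlight = 0;
  let peak = 0;
  return {
    async query() {
      inFlight++;
      peak = Math.max(peak, inFlight);
      await new Promise((resolve) => setTimeout(resolve, DB_LATENCY_MS));
      inFlight--;
      return 'row';
    },
    peak: () => peak,
  };
}

// Semaphore: at most `limit` callers run at once. Callers beyond `maxQueue`
// waiting are rejected immediately (map this to HTTP 503 in a real handler)
// instead of piling up in memory until the process dies.
class Semaphore {
  constructor(limit, maxQueue) {
    this.limit = limit;
    this.maxQueue = maxQueue;
    this.active = 0;
    this.waiters = [];
  }

  async run(fn) {
    if (this.active >= this.limit) {
      if (this.waiters.length >= this.maxQueue) {
        throw new Error('overloaded');
      }
      // The releasing caller hands its slot directly to us, so `active`
      // already counts this caller when the promise resolves.
      await new Promise((resolve) => this.waiters.push(resolve));
    } else {
      this.active++;
    }
    try {
      return await fn();
    } finally {
      const next = this.waiters.shift();
      if (next) next();      // hand the slot over; `active` stays the same
      else this.active--;
    }
  }
}

// Fire `n` requests at once (a constructed burst) and tally the outcomes.
async function burst(n, handler) {
  const results = await Promise.allSettled(
    Array.from({ length: n }, () => handler())
  );
  return {
    served: results.filter((r) => r.status === 'fulfilled').length,
    rejected: results.filter((r) => r.status === 'rejected').length,
  };
}

// Unbounded: every request goes straight to the DB.
async function unbounded(n) {
  const db = makeFakeDb();
  const out = await burst(n, () => db.query());
  return { ...out, peakDbConcurrency: db.peak() };
}

// Bounded: at most DB_CAPACITY queries in flight, a short queue, rest rejected.
async function bounded(n, queueSize) {
  const db = makeFakeDb();
  const sem = new Semaphore(DB_CAPACITY, queueSize);
  const out = await burst(n, () => sem.run(() => db.query()));
  return { ...out, peakDbConcurrency: db.peak() };
}

async function demo() {
  console.log('unbounded:', await unbounded(50));
  console.log('bounded:  ', await bounded(50, 8));
}

if (typeof require !== 'undefined' && require.main === module) {
  demo();
}
```

With a burst of 50, the unbounded run drives the DB to 50 simultaneous queries, while the bounded run never exceeds 4, serves the 4 running plus 8 queued callers, and fails the remaining 38 fast. Fast rejection is the point: the DB stays responsive for the requests that were admitted, and the server does not hoard memory on behalf of requests it will never complete.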

OTHER TIPS

A DDoS attack can target different services, such as DDNS, web server, or database, or can have different effects, like overloading the server itself, or the CPU, or filling the RAM, or trying to write many files to the disk so as to fill it (more rare today), or just writing more data than it can write.

One very common use of DDoS that will explain your question is trying to create more concurrent connections than the server can handle. A typical default value for a web server is 256 (or 512 in many systems) concurrent attempts to create a connection. In a Linux system you can change the value manually, for example here: /proc/sys/net/ipv4/tcp_max_syn_backlog. So by making more connections than that (sending packets with the SYN flag), it will cause a denial of service. So the framework you use has no meaning in the first place.

Furthermore, non-blocking frameworks make more requests per second than blocking ones, something that in many cases will help the attacker. In some servers and/or configurations this will create one instance per request, which will help the attacker even more.

So your assumption is wrong.

Unfortunately nodejs will not help with DDoS, as it can be simply overloaded just as any other server, and the fact is non-blocking doesn't change anything; in fact it can kill the server faster, because it will try to process more requests without queuing them.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow