且构网


Protecting yourself from DoS attacks

Updated: 2023-01-01 17:44:01


There's no panacea, but you can make DoS attacks more difficult by doing some of the following:

  • Don't (or limit your willingness to) do expensive operations on behalf of unauthenticated clients
  • Throttle authentication attempts
  • Throttle operations performed on behalf of each authenticated client, and place their account on a temporary lockout if they do too many things in too short a time
  • Have a similar global throttle for all unauthenticated clients, and be prepared to lower this setting if you detect an attack in progress
  • Have a flag you can use during an attack to disable all unauthenticated access
  • Don't store things on behalf of unauthenticated clients, and use a quota to limit the storage for each authenticated client
  • In general, reject all malformed, unreasonably complicated, or unreasonably huge requests as quickly as possible (and log them to aid in detection of an attack)
  • Don't use a pure LRU cache if requests from unauthenticated clients can result in evicting things from that cache, because you will be subject to cache poisoning attacks (where a malicious client asks for lots of different infrequently used things, causing you to evict all the useful things from your cache and need to do much more work to serve your legitimate clients)


Remember, it's important to outright reject throttled requests (for example, with an HTTP 503: Service Unavailable response or a similar response appropriate to whatever protocol you are using) rather than queueing throttled requests. If you queue them, the queue will just eat up all your memory and the DoS attack will be at least as effective as it would have been without the throttling.


Some more specific advice for HTTP servers:

  • Make sure your web server is configured to reject POST messages without an accompanying Content-Length header, and to reject requests (and throttle the offending client) which exceed the stated Content-Length, and to reject requests with a Content-Length which is unreasonably long for the service that the POST (or PUT) is aimed at
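As an added example, not part of the original answer: a small admission-control class that applies the throttling advice above (per-client throttle with temporary lockout, a global unauthenticated throttle you can lower during an attack, a flag to disable unauthenticated access, and outright 503 rejection rather than queueing), plus a header check for the POST/PUT Content-Length advice. The class name, method names and the chosen limits are my own assumptions; the caller is assumed to pass `time.monotonic()` as `now`.

```python
from collections import defaultdict, deque


class DosThrottle:
    """Admission control that rejects with 503 instead of queueing (hypothetical helper)."""

    def __init__(self, per_client_limit=10, global_unauth_limit=100,
                 window=1.0, lockout=60.0):
        self.per_client_limit = per_client_limit
        self.global_unauth_limit = global_unauth_limit  # lower this under attack
        self.window, self.lockout = window, lockout     # seconds
        self.unauth_disabled = False                    # flag to flip during an attack
        self._hits = defaultdict(deque)                 # client -> recent timestamps
        self._unauth_hits = deque()
        self._locked_until = {}

    def _prune(self, dq, now):
        while dq and now - dq[0] > self.window:         # slide the window
            dq.popleft()

    def check(self, client_id, now):
        """(status, reason): 200 = proceed, 503 = reject. client_id None = unauthenticated."""
        if client_id is None:                           # unauthenticated path
            if self.unauth_disabled:
                return 503, "unauthenticated access disabled"
            self._prune(self._unauth_hits, now)
            if len(self._unauth_hits) >= self.global_unauth_limit:
                return 503, "global unauthenticated throttle"
            self._unauth_hits.append(now)
            return 200, "ok"
        if now < self._locked_until.get(client_id, 0.0):
            return 503, "account temporarily locked out"
        dq = self._hits[client_id]
        self._prune(dq, now)
        if len(dq) >= self.per_client_limit:            # too much, too fast
            self._locked_until[client_id] = now + self.lockout
            dq.clear()
            return 503, "per-client throttle exceeded; lockout started"
        dq.append(now)
        return 200, "ok"


def check_content_length(headers, max_body):
    """HTTP status for a POST/PUT body per the header advice above (200 = accept)."""
    raw = headers.get("Content-Length")
    if raw is None:
        return 411                                      # Length Required
    if not raw.isdigit():
        return 400                                      # malformed: reject early
    return 413 if int(raw) > max_body else 200          # Payload Too Large
```

A 503 (or 411/400/413) is returned immediately and nothing is buffered, so a flood of rejected requests costs the server no memory beyond the small timestamp window per client.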