Rohit Bajaj (India) asked:
Making secure web applications

Hi,
What are the ways in which I can make my web servers secure? Web servers where normally a web application is deployed, so as to prevent it from various attacks like DoS and man-in-the-middle attacks.

Thanks
madunix:

What type of webserver are you running and Operating system?  Is it On-prem or Cloud-based server?
ASKER CERTIFIED SOLUTION
madunix
This solution is only available to members.

SOLUTION (four further solutions, each only available to members)
Agreed, those are valid measures and concerns wherever they apply.

Except (again) an L7-aware firewall will not prevent a DoS. No firewall in the world can prevent the saturation of the upstream network. External services both have the firepower to handle some bulk traffic and work with their peers to block stuff early.
Agreed, even a CDN like Cloudflare's may also have saturation points, though thus far it seems to be able to handle the large surges. Contingency planning is a big thing on my side, to be prepared to keep the business running.
My point is that expecting a firewall to protect you is as much of a utopia as expecting countermeasures at the web server level to be effective. Those work at the application or protocol level (including L3 TCP itself) but not against someone just overloading your network link with whatever garbage.

Just for fun: https://www.digitalattackmap.com/

For DoS, it is complicated without simply buying lots of extra bandwidth and/or redundant Internet connections. You could use Cloudflare for providing content-delivery-network services, DDoS mitigation, Internet security, and distributed domain-name-server services.

You have to work with your ISPs to mitigate massive DoS attacks. You can't do it yourself with hardware only (load balancers, IP filters, etc.) because it's incredibly difficult to separate legitimate traffic from malicious traffic.

You may be able to consult with your ISP if it offers some DoS protection services. You can also attempt to delay, but not entirely stop, an attack by incorporating network perimeter defenses like timing out half-open connections and lowering the thresholds to drop specific traffic like ICMP. Ultimately, it's essential to have a plan in place if you need to escalate your mitigation efforts to a specialist or other third party.

https://access.redhat.com/discussions/686213
https://www.cisco.com/c/en/us/about/security-center/guide-ddos-defense.html
https://www.netscout.com/ddos-protection
https://www.fortinet.com/products/ddos/fortiddos.html?fbclid=IwAR3bTIsxsvTKxPXH_cD3ctVzeGyAVWGhpwZ0lJ5URwiosUe2tzxvKHDuN0M
Totally agreed except for this:
"because it's incredibly difficult to separate legitimate traffic from malicious traffic."
No. It is not feasible at all, even when the traffic is easy to differentiate, because the link BEFORE whatever equipment you have will be saturated with garbage.

Obviously that is not a good reason to ignore what you can mitigate, so read carefully the above post(s) as they provide good hints.
"No. It is not feasible at all, even when the traffic is easy to differentiate, because the link BEFORE whatever equipment you have will be saturated with garbage."
Let me clarify it: DoS attacks are incredibly difficult to prevent, especially when botnets are involved. Attackers can evade DDoS defenses by generating traffic in a completely legitimate and organic manner without needing a botnet. Popular social sharing sites like Slashdot, Reddit, and Twitter have caused many websites to crash when someone submits a link to that site. This is called the Slashdot effect or slashdotting.
https://whatis.techtarget.com/definition/Slashdot-Effect

Legit traffic is hard to detect, as it is the volumetric surge that requires the extended network to throttle as much as possible. There are cases of even going down to scrubbing the traffic to make it "legit", just to make sure traffic is not unwittingly denied, as this can impact business, especially when visits and access are important. Defence in depth is needed to better protect your server.
https://www.experts-exchange.com/articles/26039/Going-for-effective-DDoS-mitigation-measures.html
Understanding Denial-of-Service (DoS) attacks is a must! The purpose of DoS attacks is to disrupt or disable the target system(s), like bringing down the web servers or applications that host a public-facing website. You should capture network traffic and analyze it. It is possible that your network is under a DDoS attack, and you need to verify it before you take further action.

DDoS attacks cannot be prevented. DDoS attacks generally use legitimate traffic to attack your websites or your network, so that you cannot effectively defend against it. You can only improve detection by creating common inbound network profiles and respond immediately when they occur by throttling traffic or lowering drop thresholds.

https://www.comparitech.com/net-admin/dos-vs-ddos-attacks-differences-prevention
https://www.cloudflare.com/en-gb/learning/ddos/what-is-a-ddos-attack/
https://www.experts-exchange.com/questions/29171819/Follow-up-DDOS-attack.html#a43024888
https://us-cert.cisa.gov/ncas/tips/ST04-015
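The post above (inbound network profiles, then throttling or lowering drop thresholds) and the earlier note on the Slashdot effect both describe detection rather than prevention. As an added illustration, not code from any poster in this thread, the Python below builds a per-window profile from access-log lines, compares each window with a baseline learned from the quiet windows, and separates a concentrated flood (a few sources dominate, so a per-source throttle has a clear target) from a distributed, organic-looking surge where throttling by source would deny legitimate visitors. The log lines, addresses, window size and thresholds are all constructed assumptions.

```python
"""Inbound request profiling from access logs: flag surge windows and tell
a concentrated flood apart from a distributed (organic-looking) surge.

Added illustration for this thread; the log lines, addresses, window size
and thresholds are constructed assumptions, not data from any poster.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return {'ip', 'ts', 'req', 'status'} for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "req": m.group("req"),
        "status": int(m.group("status")),
    }


def window_profiles(lines, window_s=10):
    """Aggregate requests into fixed windows; one profile dict per window, in time order."""
    per_window = defaultdict(Counter)  # window start (epoch s) -> Counter of source IPs
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable lines are skipped, not counted
        start = int(rec["ts"].timestamp()) // window_s * window_s
        per_window[start][rec["ip"]] += 1
    profiles = []
    for start in sorted(per_window):
        sources = per_window[start]
        total = sum(sources.values())
        top_ip, top_n = sources.most_common(1)[0]
        profiles.append({
            "start": start,
            "requests": total,
            "unique_sources": len(sources),
            "top_source": top_ip,
            "top_share": top_n / total,
        })
    return profiles


def classify(profiles, baseline_windows=2, surge_factor=5.0, concentration=0.5):
    """Label each window against a baseline learned from the first quiet windows.

    'concentrated-flood': volume far above baseline and one source dominates
        -> a per-source throttle or drop rule has a clear target.
    'distributed-surge': volume far above baseline spread over many sources
        -> looks like slashdotting; throttling by source would hurt real visitors.
    Returns (window_start, label, source_to_throttle_or_None) per window.
    """
    base = [p["requests"] for p in profiles[:baseline_windows]]
    base_rate = max(sum(base) / max(len(base), 1), 1.0)
    out = []
    for p in profiles:
        if p["requests"] < surge_factor * base_rate:
            out.append((p["start"], "normal", None))
        elif p["top_share"] >= concentration:
            out.append((p["start"], "concentrated-flood", p["top_source"]))
        else:
            out.append((p["start"], "distributed-surge", None))
    return out


def _line(ip, second, path="/"):
    """Build one constructed CLF line inside the first minute of 2024-01-01 UTC."""
    return f'{ip} - - [01/Jan/2024:00:00:{second:02d} +0000] "GET {path} HTTP/1.1" 200 512'


# Constructed sample log: two quiet windows, one single-source flood, one wide surge.
SAMPLE_LOG = []
for w in (0, 1):                                  # 0-9 s and 10-19 s: 4 requests each
    SAMPLE_LOG += [_line(f"192.0.2.{i + 1}", w * 10 + i * 2) for i in range(4)]
SAMPLE_LOG += [_line("203.0.113.7", 20 + i % 10, "/search?q=x") for i in range(30)]  # 20-29 s
SAMPLE_LOG += [_line(f"192.0.2.{i + 1}", 20 + i) for i in range(10)]
SAMPLE_LOG += [_line(f"198.51.100.{i + 1}", 30 + i % 10) for i in range(40)]         # 30-39 s
SAMPLE_LOG.append("not a log line")                                                   # exercises the skip path


if __name__ == "__main__":
    for start, label, src in classify(window_profiles(SAMPLE_LOG)):
        print(start, label, src or "")
```

The point of the two labels is the one the thread keeps coming back to: a single-source flood gives you something to throttle at the edge, whereas a distributed surge looks like legitimate visitors and can only be absorbed by capacity (CDN, upstream scrubbing) rather than filtered. Feed real access logs in place of SAMPLE_LOG and tune window_s, surge_factor and concentration to the site's normal profile before trusting the labels.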



SOLUTION
This solution is only available to members.
Or a bunch of reverse proxies (chrooted, running as nobody on dedicated machines, preferably running from a read-only ramdisk), each of them in their own VLAN, forwarding to similar backend web server setups with limited required access to some writeable backend(s). Using a single DMZ is IMHO a thing of the past. Stuffing in an F5 may be feasible for those who have sufficient firepower... not sure the OP is in that case, or has an internal network (due to his other threads).
Hardening is most useful as a preventive measure when designing system security. Missing critical patches, strange configurations, setuid binaries, etc. could be reasons for a backdoor.

Here are some useful resources:
https://www.open-scap.org/getting-started/
https://www.open-scap.org/security-policies/scap-security-guide/
https://cisofy.com/lynis/
https://www.cisecurity.org/cis-benchmarks/
https://www.owasp.org
https://owasp.org/www-project-top-ten/
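Lynis and the OpenSCAP guides linked above automate checks like the ones this post names. As an added example (not this poster's code, and not how those tools are implemented), the Python below does two of them by hand: it walks a tree, lists setuid/setgid files that are not on an expected-set allowlist, and lists world-writable files. The allowlist, the demo files and their modes are constructed assumptions; a real baseline comes from the distribution's package manifest or the CIS profile in use.

```python
"""Hardening audit: find unexpected setuid/setgid binaries and world-writable
files under a directory tree, two of the red flags the post above lists.

Added example, not code from this thread nor from OpenSCAP, Lynis or the CIS
benchmarks; the allowlist below is a constructed placeholder. A real baseline
comes from the distribution's package manifest or the benchmark profile in use.
"""
import os
import stat
import tempfile
from typing import Iterable, Iterator, List, Set, Tuple

# Constructed placeholder: setuid binaries this build is expected to ship.
EXPECTED_SETUID: Set[str] = {"/usr/bin/passwd", "/usr/bin/sudo"}

Finding = Tuple[str, str]  # (kind, path)


def scan_tree(root: str) -> Iterator[Tuple[str, int]]:
    """Yield (path, st_mode) for each regular file under root; lstat, so symlinks are not followed."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable entry: skip rather than abort the audit
            if stat.S_ISREG(st.st_mode):
                yield path, st.st_mode


def audit_entries(entries: Iterable[Tuple[str, int]],
                  expected_setuid: Set[str] = EXPECTED_SETUID) -> List[Finding]:
    """Pure check over (path, mode) pairs so it can run on any inventory, not only a live tree."""
    findings: List[Finding] = []
    for path, mode in entries:
        if mode & (stat.S_ISUID | stat.S_ISGID) and path not in expected_setuid:
            findings.append(("unexpected-setuid", path))
        if mode & stat.S_IWOTH:
            findings.append(("world-writable", path))
    return sorted(findings)


def audit_tree(root: str, expected_setuid: Set[str] = EXPECTED_SETUID) -> List[Finding]:
    """Audit a live directory tree against the allowlist."""
    return audit_entries(scan_tree(root), expected_setuid)


def demo_tree() -> List[Finding]:
    """Build a throwaway tree (constructed data) with one unexpected setuid file,
    one world-writable config and one clean file; audit it and return findings
    with paths relative to the temporary root."""
    root = tempfile.mkdtemp(prefix="hardening-demo-")
    modes = {"helper": 0o4755, "app.conf": 0o666, "readme": 0o644}
    for name, mode in modes.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("placeholder\n")
        os.chmod(path, mode)
    return [(kind, os.path.relpath(path, root)) for kind, path in audit_tree(root, set())]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for kind, path in (audit_tree(target) if target else demo_tree()):
        print(f"{kind}\t{path}")
```

Run it with a directory argument to audit that tree, or with none to audit the constructed demo tree. Keeping audit_entries separate from the filesystem walk means the same check can be applied to a package manifest or a previous inventory, which is how a drift report ("a setuid binary appeared that was not there at build time") is produced.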