I’ve recently been hit pretty hard with a nasty DDoS attack on a site of
mine.
With Module ngx_http_limit_req_module and http://wiki.nginx.org/HttpLimitZoneModule I was able to mitigate the
attack reasonably well, but neither of these modules do what I’d really
like to have done - temporarily serve only a plain 4xx or 5xx error
message to any IP that is exhibiting clearly abusive behavior, like
requesting the exact same page over and over again, or attempting to
make a large amount of parallel connections (100+) at once. This should
be in effect for a configurable amount of time, but just 10 minutes or
so would have worked well against my recent attack, as each attacking
bot only tends to attack for a few minutes before its replaced by
another bot.
So my suggestion is either adding functionality to the Limit modules, or
adding a new DDoS module which would use a set amount of memory to keep
tab of all IPs that have requested anything in the past 10-15 seconds,
and can mitigate DDoS attacks by analyzing recent request and connect
patterns by IP.
I’ve recently been hit pretty hard with a nasty DDoS attack on a site of
mine.
With Module ngx_http_limit_req_module and http://wiki.nginx.org/HttpLimitZoneModule I was able to mitigate the
attack reasonably well, but neither of these modules do what I’d really
like to have done - temporarily serve only a plain 4xx or 5xx error
message to any IP that is exhibiting clearly abusive behavior, like
requesting the exact same page over and over again, or attempting to
make a large amount of parallel connections (100+) at once.
limit module can also limit the concurrent request uri.
http {
limit_zone one $part_of_uri 10m;
server {
location /download/ {
set $part_of_uri “download”;
limit_conn one 100;
}
}
}
In the case I had, the site was only of interest to a very limited
(but sharply distinguishable) amount of the world-population
Nginx handled millions and millions of requests in a couple of hours
just to display some 403 page.
I created an “exception” config to handle the handful of other IPs
that needed to have access.
If the site’s audience is truly global, it’s very difficult.
Apart from the fact that in a true DDoS scenario (in the mentioned
case, we’re talking about 200something attacking hosts), you’d need
NGINX to be sitting next to your peering points upstream.
Yes, I am aware that you can limit the max connections with the limit
zone module.
What I’d like to do is establish an in-memory list of abusive IPs, which
gets no responses other than 503 errors no matter what request they
make. Since they are abusive, I want nginx to automatically spend the
least amount of processing power on them as possible.
My friend’s website promoting freedom of speech in communist Vietnam has
recently been brought down by a 400k+ IP DDOS launched affirmatively by
a government-sponsored cyber army. I’ve been asked for some ideas, and
have had some experienced warding off some minor DDOS on my own
non-political website.
Anyway, I’ve read this great discussion thread and came up with an idea
that I think might work, especially for us individual webmasters who
can’t afford large distributed networks that can absorb such massive
attacks. It is as follows, please let me know your thoughts:
Use iptables to redirect all traffic to reCaptcha validation page
reCaptcha generation is handled by Google’s distributed network
designed to withstand DDOS
the reCaptcha validation page is therefore a static page and does not
weigh down your server’s processing power
Once validated, the IP is added to iptables Allow list, and the user
is redirected back to homepage
entries that have been idle for some time should be removed from the
list
If the site’s audience is truly global, it’s very
difficult.
Apart from the fact that in a true DDoS scenario
(in the mentioned
case, we’re talking about 200something attacking
hosts), you’d need
NGINX to be sitting next to your peering points
upstream.
This site has an emphasis on US, but still US traffic only makes up 40%
of the traffic, the rest is largely Canada, Western Europe and
Australia, but there is also a fair amount of India, Russia and Pakistan
in there, so I would say the GeoIP idea wouldn’t serve us well.
We had about 50k attacking hosts attacking over the course of 24h.
