Block dos attack nginx behind cloudflare and loadbalancer

i have 4 webservers behind cloudflare and a loadbalancer, nginx is the
web browser, php-fpm manages the php pages. i don't know how to block a
simple dos attack …

i'm able to detect this attack by using the http_limit_req module from
nginx (Module ngx_http_limit_req_module)

but this does not block the attack at all; yes, it can mitigate, but the
webservers are hit and hit again, php-fpm goes to 80% and in a minute the
website is unreachable.

i’m trying to find a way to block this kind of request.

i know how to block certain ip addresses or certain useragents with nginx
but i want to do it automatically. I think that i cannot block the ip
with iptables because the requests come from the loadbalancer :( but i'm
still able to detect the correct ip address with set_real_ip_from
and real_ip_header X-Forwarded-For in nginx.

i have the log file (error.log) filled with the correct ip address, as
you can see:

2012/03/27 18:34:02 [error] 31234#0: *1283 limiting connections by zone
"staging", client: XX.XX.XX.XXX, server: www.xxxxxxx.com, request: "HEAD
/it HTTP/1.1", host: "www.xxxxxxx.com"

Does someone have an idea and can teach me how to block this ip
automatically?

thanks in advance!

Posted at Nginx Forum:

Hi,

On Mar 28, 2012, at 11:34 AM, ilmetu wrote:

> 2012/03/27 18:34:02 [error] 31234#0: *1283 limiting connections by zone
> "staging", client: XX.XX.XX.XXX, server: www.xxxxxxx.com, request: "HEAD
> /it HTTP/1.1", host: "www.xxxxxxx.com"
>
> Does someone have an idea and can teach me how to block this ip
> automatically?

Can you show your limit_conn/limit_req configuration?

http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html
http://nginx.org/en/docs/http/ngx_http_limit_req_module.html

hi, this is my configuration:

# Create a global request accounting pool to prevent DOS
# (limit_zone is the pre-1.1.8 name of limit_conn_zone; it keys the
# connection count on the client address recovered by the realip module)
limit_zone staging $binary_remote_addr 5m;
limit_conn staging 5;

Hello!

On Mar 28, 2012, at 13:15 , ilmetu wrote:

> hi, this is my configuration:
>
> # Create a global request accounting pool to prevent DOS
> limit_zone staging $binary_remote_addr 5m;
> limit_conn staging 5;

You're trying to limit the number of connections using the limit_conn
module. The thing is that a lot of requests may proceed through a single
connection.

If you want to set a maximum allowed requests rate, you should use
limit_req module instead:

http://nginx.org/en/docs/http/ngx_http_limit_req_module.html

Best regards,
Andrey.
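The configuration below is an added illustration of the change Andrey recommends; it is not taken from the thread or from the nginx documentation. It assumes an internal load balancer in the 192.0.2.0/24 documentation range, the server name www.example.com, a php-fpm socket at /run/php-fpm.sock, and rate/burst values chosen for illustration; the real Cloudflare ranges must be filled in from Cloudflare's published list.

```nginx
# Added example, not from the thread. Address ranges, zone names, rates,
# server name and socket path are assumptions; replace them for real use.
events {}

http {
    # Recover the client address from the proxy chain so the zones key on
    # the real client rather than on the load balancer. Trust only the
    # load balancer and the Cloudflare edge; with real_ip_recursive on,
    # nginx takes the last address in X-Forwarded-For not in a trusted range.
    set_real_ip_from 192.0.2.0/24;          # load balancer (assumed range)
    # set_real_ip_from <cloudflare-range>;  # one line per published Cloudflare range
    real_ip_header X-Forwarded-For;
    real_ip_recursive on;

    # What the thread had: a cap on concurrent connections per client
    # (limit_zone is the pre-1.1.8 spelling of limit_conn_zone). Keep-alive
    # lets many requests share one connection, so this alone does not bound
    # the number of requests that reach php-fpm.
    limit_conn_zone $binary_remote_addr zone=staging_conn:5m;

    # What Andrey recommends: a per-client request-rate limit. 10r/s with a
    # burst of 20 lets a normal page load through; excess requests are
    # rejected at nginx before php-fpm is touched.
    limit_req_zone $binary_remote_addr zone=staging_req:10m rate=10r/s;
    limit_req_status 429;        # needs nginx >= 1.3.15
    limit_conn_status 429;       # needs nginx >= 1.3.15
    limit_req_log_level warn;    # rejected clients still appear in error.log

    server {
        listen 80;
        server_name www.example.com;
        root /var/www/html;

        # Applied once per request at server level (covers the php location
        # too, so an internal redirect to index.php is not counted twice).
        limit_conn staging_conn 20;
        limit_req zone=staging_req burst=20 nodelay;

        location / {
            try_files $uri $uri/ /index.php$is_args$args;
        }

        location ~ \.php$ {
            fastcgi_pass unix:/run/php-fpm.sock;   # assumed socket path
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }
    }
}
```

Validate with `nginx -t` and then watch error.log: the "limiting requests" lines it produces carry the recovered client address, which is what an automatic blocking step would consume.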