DDoS protection module suggestion

I’ve recently been hit pretty hard with a nasty DDoS attack on a site of
mine.

With Module ngx_http_limit_req_module and
http://wiki.nginx.org/HttpLimitZoneModule I was able to mitigate the
attack reasonably well, but neither of these modules does what I’d really
like to have done - temporarily serve only a plain 4xx or 5xx error
message to any IP that is exhibiting clearly abusive behavior, like
requesting the exact same page over and over again, or attempting to
make a large amount of parallel connections (100+) at once. This should
be in effect for a configurable amount of time, but just 10 minutes or
so would have worked well against my recent attack, as each attacking
bot only tends to attack for a few minutes before it’s replaced by
another bot.

So my suggestion is either adding functionality to the Limit modules, or
adding a new DDoS module which would use a set amount of memory to keep
tab of all IPs that have requested anything in the past 10-15 seconds,
and can mitigate DDoS attacks by analyzing recent request and connect
patterns by IP.

Posted at Nginx Forum:

malte at 2010-11-3 10:19 wrote:

I’ve recently been hit pretty hard with a nasty DDoS attack on a site of
mine.

With Module ngx_http_limit_req_module and
http://wiki.nginx.org/HttpLimitZoneModule I was able to mitigate the
attack reasonably well, but neither of these modules does what I’d really
like to have done - temporarily serve only a plain 4xx or 5xx error
message to any IP that is exhibiting clearly abusive behavior, like
requesting the exact same page over and over again, or attempting to
make a large amount of parallel connections (100+) at once.
The limit module can also limit concurrent requests per URI:

http {
    # zone keyed by a variable that each location sets for itself
    limit_zone one $part_of_uri 10m;

    server {
        location /download/ {
            set $part_of_uri "download";
            # at most 100 concurrent connections for this key
            limit_conn one 100;
        }
    }
}

I have not tested it yet; you can have a try.



nginx mailing list
[email protected]
nginx Info Page


Weibin Y.
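As an added example (not code from the thread or from any of its posters), the per-IP limits discussed above combined with the IP whitelist that the end of the thread alludes to, so that trusted addresses are never counted. It assumes nginx 1.3.15 or later (limit_conn_zone, limit_req_status, limit_conn_status); the whitelist ranges, paths and backend address are constructed placeholders.

```nginx
http {
    # Whitelisted clients (your monitoring, your own office) get an empty
    # key; nginx does not account requests whose limit key is empty.
    geo $limited {
        default       1;
        127.0.0.1     0;
        192.0.2.0/24  0;   # constructed: replace with your own ranges
    }
    map $limited $limit_key {
        0 "";
        1 $binary_remote_addr;
    }

    # 10m is enough for roughly 160k IPv4 states per zone (see nginx docs)
    limit_req_zone  $limit_key zone=req_per_ip:10m rate=10r/s;
    limit_conn_zone $limit_key zone=conn_per_ip:10m;

    # Reject with a plain 503, the status the original poster asked for,
    # and log rejections at warn so they stand out during an attack
    limit_req_status    503;
    limit_conn_status   503;
    limit_req_log_level warn;

    server {
        listen 80;

        # At most 100 simultaneous connections per IP (the thread's figure)
        limit_conn conn_per_ip 100;
        # Sustained 10 r/s per IP; short bursts of 20 pass without delay
        limit_req zone=req_per_ip burst=20 nodelay;

        # Serve the 503 from a tiny static file so rejected clients cost
        # almost nothing; no backend is touched for them
        error_page 503 /503.html;
        location = /503.html {
            root /var/www/errors;   # constructed path
            internal;
        }

        location / {
            proxy_pass http://127.0.0.1:8080;   # constructed backend
        }
    }
}
```

Note that these limits have no ban duration: an address is rejected only while it is over the limit, which is exactly the "keep serving 503 for ten minutes" gap the original post describes.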

On 03.11.2010 at 03:19, malte wrote:

I’ve recently been hit pretty hard with a nasty DDoS attack on a site of
mine.

What demographic does the site serve?
If it’s country-specific, you can use
http://wiki.nginx.org/HttpGeoIPModule
and block most of the bad guys.

In the case I had, the site was only of interest to a very limited
(but sharply distinguishable) amount of the world-population ;-)

Nginx handled millions and millions of requests in a couple of hours
just to display some 403 page.

I created an “exception” config to handle the handful of other IPs
that needed to have access.

If the site’s audience is truly global, it’s very difficult.

Apart from the fact that in a true DDoS scenario (in the mentioned
case, we’re talking about 200something attacking hosts), you’d need
NGINX to be sitting next to your peering points upstream.

Rainer

Yes, I am aware that you can limit the max connections with the limit
zone module.
What I’d like to do is establish an in-memory list of abusive IPs, which
get no responses other than 503 errors no matter what request they
make. Since they are abusive, I want nginx to automatically spend as
little processing power on them as possible.

Posted at Nginx Forum:

My friend’s website promoting freedom of speech in communist Vietnam has
recently been brought down by a 400k+ IP DDOS launched affirmatively by
a government-sponsored cyber army. I’ve been asked for some ideas, and
have had some experience warding off some minor DDOS on my own
non-political website.

Anyway, I’ve read this great discussion thread and came up with an idea
that I think might work, especially for us individual webmasters who
can’t afford large distributed networks that can absorb such massive
attacks. It is as follows, please let me know your thoughts:

  1. Use iptables to redirect all traffic to a reCaptcha validation page
     • reCaptcha generation is handled by Google’s distributed network
       designed to withstand DDOS
     • the reCaptcha validation page is therefore a static page and does not
       weigh down your server’s processing power
  2. Once validated, the IP is added to the iptables Allow list, and the user
     is redirected back to the homepage
     • entries that have been idle for some time should be removed from the
       list

Posted at Nginx Forum:

If the site’s audience is truly global, it’s very difficult.

Apart from the fact that in a true DDoS scenario (in the mentioned
case, we’re talking about 200something attacking hosts), you’d need
NGINX to be sitting next to your peering points upstream.

This site has an emphasis on US, but still US traffic only makes up 40%
of the traffic, the rest is largely Canada, Western Europe and
Australia, but there is also a fair amount of India, Russia and Pakistan
in there, so I would say the GeoIP idea wouldn’t serve us well.

We had about 50k attacking hosts attacking over the course of 24h.

Posted at Nginx Forum:

ken107 at 2010-12-26 17:49 wrote:

You can also use my nginx_secure_cookie_module
(https://github.com/yaoweibin/nginx_secure_cookie_module) to add a secure
cookie after reCaptcha validation.


Weibin Y.

Extended description of HttpLimitZoneModule and HttpLimitReqModule usage
with examples and how to exclude a whitelist of IPs can be found here