Dealing with Layer 7 DDoS attacks (RUDY, Slowloris, etc)

Hi guys,

I am curious as to how nginx deals with DDoS attacks that attack
through app layer, layer 7. I managed to find this page:

http://blog.rayfoo.info/2009/10/testing-slowloris-against-nginx

which claims that nginx is susceptible to the attack. Since this is
from 2009, has anything changed?

Also, has anyone tested nginx vs R-U-DEAD-YET (RUDY)? I haven’t found
any tests online…

http://code.google.com/p/r-u-dead-yet/

I ask because these types of attacks are becoming extremely common and
hacktivist groups are using these simple tools to bring down all kinds
of large sites.

Thanks for any insight,

Mel

Reading that article it says:
“So nginx is a good web server, use it! ;)”

Their conclusion was that nginx handles that type of attack very well and
you would need a DDoS attack (and a large one at that) to bring down a
single nginx server. Are there other examples of attacks that you have
found that nginx is susceptible to? I have not heard of any
specific vulnerabilities of nginx that are not common to any other
webserver like simple bandwidth flooding.

Rami

Rami,

Right, nginx does seem to handle the SlowLoris attack better than most web
servers. However, there’s an Apache 2 patch that mitigates SlowLoris really
well (you can find it with a quick search). I don’t know if nginx is on the
same level as Apache2+patch.

However, I have no idea how well nginx can sustain under a small/moderate
RUDY attack. RUDY is one of the newer attacks that’s gained a lot of
popularity in recent months.

Mel

Please put more review for RUDY.
Sounds interesting.
Is there any way to avoid a web form attack?

Thank You.

Regards,
Joe

Hello!

On Mon, Jul 25, 2011 at 01:09:50PM -0400, Mel B. wrote:

> I am curious as to how nginx deals with DDoS attacks that attack
> through app layer, layer 7. I managed to find this page:
>
> http://blog.rayfoo.info/2009/10/testing-slowloris-against-nginx
>
> which claims that nginx is susceptible to the attack. Since this is
> from 2009, has anything changed?

Not really. As the link suggests, nginx handles this type of attack
well as is. There is room for improvement, though.

> Also, has anyone tested nginx vs R-U-DEAD-YET (RUDY)? I haven’t found
> any tests online…
>
> http://code.google.com/p/r-u-dead-yet/

This type of attack could be easily mitigated with the limit_zone
module [1].

[1] http://wiki.nginx.org/HttpLimitZoneModule

Maxim D.
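
The limit_zone mitigation mentioned in the last reply, sketched as an added nginx configuration (an example written for this page, not posted by anyone in the thread and not nginx's shipped defaults). The zone name, connection limit, timeout values and server_name are assumed values for illustration.

```nginx
# Added example: per-client connection cap plus read timeouts against
# slow-header (Slowloris) and slow-body (RUDY) clients.
# All numbers below are illustrative assumptions, not tuned recommendations.
http {
    # Shared-memory zone "perip" (name chosen for this example), keyed by
    # the client address in binary form, with 10 MB of state.
    limit_zone perip $binary_remote_addr 10m;
    # limit_zone was made obsolete in nginx 1.1.8; the equivalent there is:
    # limit_conn_zone $binary_remote_addr zone=perip:10m;

    # Slow-header clients: give up on a request whose header does not
    # arrive within this time.
    client_header_timeout 10s;

    # Slow-body clients: this is the allowed gap between two successive
    # reads of the request body, not a deadline for the whole body. A client
    # that sends one byte just inside the window never trips it, which is
    # why the connection cap below carries most of the weight.
    client_body_timeout 10s;

    # Release idle keep-alive connections and stalled responses sooner.
    keepalive_timeout 15s;
    send_timeout 10s;

    server {
        listen 80;
        server_name example.com;    # placeholder

        # At most 10 simultaneous connections per client address; requests
        # over the limit are rejected with an error instead of holding a
        # connection slot. Clients behind a shared NAT or proxy count as
        # one address, so size the limit with that in mind.
        limit_conn perip 10;

        # Bound how much body a single POST may send.
        client_max_body_size 1m;
    }
}
```

Check the result with `nginx -t` before reloading. The per-address cap only constrains each individual source, so a widely distributed attack still has to be handled upstream.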