Protection against massiv requests from single server / ip

Hello Nginx community,

what is the best way protecting my nginx webserver against massiv
request from single server/ips? I made some tests with openload and see
one server with openload can fill the whole 100Mbit connection to my
server.

What are your setups against a lot of request from single servers?

Thanks for your help.

Kind regrads.

Jetzt kostenlos herunterladen: Internet Explorer 8 und Mozilla Firefox
3.5 -
sicherer, schneller und einfacher! http://portal.gmx.net/de/go/atbrowser


Jetzt kostenlos herunterladen: Internet Explorer 8 und Mozilla Firefox
3.5 -
sicherer, schneller und einfacher! http://portal.gmx.net/de/go/atbrowser

On 1/31/10 2:36 AM, [email protected] wrote:

Hello Nginx community,

what is the best way protecting my nginx webserver against massiv request from single server/ips? I made some tests with openload and see one server with openload can fill the whole 100Mbit connection to my server.

http://wiki.nginx.org/NginxHttpLimitReqModule

http://wiki.nginx.org/NginxHttpLimitZoneModule

These should do the trick for you.


Jim O.

2010/1/31 [email protected]:

What are your setups against a lot of request from single servers?

For larger installations firewalls or properly configured routers
before any servers.

For tiny, home and experimental setups iptables [1] with rules such as:
-A INPUT -s 300.300.300.0/24 -j ACCEPT
-A INPUT -m recent --rcheck --seconds 120 --name ATTACKER --rsource -j
DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j syn-flood
-A syn-flood -m limit --limit 14/sec --limit-burst 30 -j RETURN
-A syn-flood -j LOG --log-prefix "Firewall: SYN-flood "
-A syn-flood -m recent --set --name ATTACKER --rsource
-A syn-flood -j DROP
… where lots of requests equal a syn-flood.
But beware, someone could exploit these rules by forging source
IPs (see source address validation [2]) and your server is still doing
work discarding these request packets, therefore could become
unresponsive if the request amount is very high (at least take a look
on syncookies [3]).


W-Mark K.
http://mark.ossdl.de/

[1] http://www.netfilter.org/
[2] http://tools.ietf.org/wg/savi/
[3] http://en.wikipedia.org/wiki/SYN_cookies

Hello Jim,

thanks for your help. I am right that HttpLimitReq and HttpLimitZone is
a per user limit? Every client (ip) get this limit and not all client
together?

Is $binary_remote_addr the right value if my nginx is behind haproxy? Or
must i use something like X-Real-IP, i am not sure how i can debug what
$binary_remote_addr includes behind haproxy, perhaps it is the haproxy
ip and not the clients ip address?

Kind regards

-------- Original-Nachricht --------

Datum: Sun, 31 Jan 2010 02:46:32 -0500
Von: Jim O. [email protected]
An: [email protected]
Betreff: Re: Protection against massiv requests from single server / ip

http://wiki.nginx.org/NginxHttpLimitZoneModule
http://nginx.org/mailman/listinfo/nginx

GRATIS für alle GMX-Mitglieder: Die maxdome Movie-FLAT!
Jetzt freischalten unter http://portal.gmx.net/de/go/maxdome01

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs