Name resolution and opening connections

Ricardo Iramar dos Santos riramar at
Mon Sep 12 18:56:24 UTC 2016

Hi All,

This is my second post here so take easy on me.
I'm doing a security research about web servers and ddos
amplification. My guess is that web servers probably can reflect
HTTP(S) requests and be a "good" ddos amplification.
So maybe the best way to find this "reflected request" is looking
inside the code for functions like gethostbyname (since maybe the
server need to get the IP before open a connection).
Searching on github I was able to find only one .c file (ngx_inet.c)
in the line 1271 below:

h = gethostbyname((char *) host);

Some lines below that it seems the code is opening a socket connecting
(sorry... I'm not familiar with nginx code).

sin = ngx_pcalloc(pool, sizeof(struct sockaddr_in));
if (sin == NULL) {
return NGX_ERROR;
sin->sin_family = AF_INET;
sin->sin_port = port;
sin->sin_addr.s_addr = *(in_addr_t *) (h->h_addr_list[i]);
u->addrs[i].sockaddr = (struct sockaddr *) sin;
u->addrs[i].socklen = sizeof(struct sockaddr_in);
len = NGX_INET_ADDRSTRLEN + sizeof(":65535") - 1;

My question is this the best approach to reach my goal? In which case
the piece of code above would be invoked?
Sorry for the inconvenient for so many questions and I really
appreciate any help.

Ricardo Iramar

More information about the nginx-devel mailing list