Protecting nginx from syn flood and DOS vs legit heavy traffic

iDEV d.o.o. info at
Wed Jul 2 14:58:30 MSD 2008

Well, synflooding is more of a OS problem than it is a nginx problem,
since the connection is never actually established only initiated.
A severe TCP connect attack would impact nginx more, but the affect of it
can be
minimized with a small client_header_timeout and/or client_body timeout.

The synflooding can be somewhat managed with varios OS variables (sysctl),
I only use FreeBSD, but it might help you anyway, just look at
net.inet.tcp.drop_synfin (which is always good to be set to 1)
and other values of net.inet.tcp.syncache.* and net.inet.tcp.syncookies.

You can also limit the number of syn packets on your network to a
reasonable number per time unit.
The bottom line is, that the attacks are not avoidable but only managable.

On Tue, 01 Jul 2008 09:52:24 +0200, Bartlomiej Syryjczyk
<bartlomiej at> wrote:
> Hash: SHA1
> Rt Ibmer pisze:
> | We are using nginx as a public web server and need to do good common
> sense things to try and limit or prevent syn floods and related types of
> DOS attacks.
> |
> | I've researched iptables extensively and have found a lot of info on
> how to use it to limit syn floods and so forth.
> |
> | However these articles do not explain how to apply these iptable
> restrictions to public web servers that get very large amounts of
> traffic.  So I am hoping others here can share how they are using
> iptables, because I am concerned that I will inadvertently block good
> traffic!
> |
> | For instance, consider a case whereby a huge company with thousands of
> employees that all share one public IP when accessing the internet.
> Further, consider that everyone in the company gets an email that says
> to go to our site and review some web pages.
> |
> | In this scenario it is possible we could have a few thousand requests
> coming in all at the same time from the same IP, but be legitimate
> requests.  So I have to be very careful with the rules that can try (if
> possible?) to tell the difference between heavy traffic from the same IP
> (as in this scenario) vs. some bot hammering on the server.
> |
> | As another example, from the syn flood iptable rules I've seen I can't
> tell whether it is possible to detect the difference between syn packets
> that are purposeful vs a large number of syn packets for new connections
> that are rushing in but legitimate.
> |
> | Also as a side question - if a request comes in to nginx and nginx
> then uses proxy_pass to talk to an external server that handles the
> request, am I right to assume that as far as iptables is concerned this
> is an INPUT and not a FORWARD? In the case where we only want the public
> to access the nginx server is there ever a case where we may
> legitimately want to take FORWARD requests or should these all be
> |
> | I would GREATLY appreciate you sharing your thoughts on how to address
> this and approaches you have taken that may apply in this case too.
> |
> | For reference I am using the latest nginx 6 on Fedora 8 core.
> How do you limit the SYN packets (show your iptables rules)? Are you
> tried TCP SYN Proxy? pf from OpenBSD is good tool for that
> (
> - --
> Bartłomiej Syryjczyk
> Version: GnuPG v2.0.9 (GNU/Linux)
> Comment: Using GnuPG with Mozilla -
> iEYEARECAAYFAkhp4jgACgkQt25UBlJ9LC4Z7gCeLfEXqW3cWYg1TY3fqHgzyR2M
> jpQAn0tGqvqa4DS9aaVHwUVW8j4RPNZ9
> =on62

iDEV, podjetje za spletne storitve, d.o.o.
Tomaž Marhat, CEO
Brda 15A
SI-2383 � martno pri Slovenj Gradcu

VAT #: SI43028195
Company ID #: 2346265
Mobile #: +386 70 819 789

-- - Storitev portala (avtor: iDEV d.o.o.)

More information about the nginx mailing list