Preventing DOS?

[eliott]

On 3/1/08, Neil Sheth <nsheth at gmail.com> wrote:
> Hello -
>
>  I'm looking at ways to prevent / mitigate DOS attacks, hopefully at
>  the nginx level (using it as a reverse proxy).  I see the limit zone
>  module - is this sufficient?  What are some reasonable values for
>  max_clients_per_ip?  Is there anything similar to apache's mod_evasive
>  module?  Or other suggested mechanisms?
>
>  Thanks!

I wouldn't think that layer 7 is a good place to attempt DOS
mitigation. If you have some high computation scripts that people
might try to overload your server by hitting repeated (service
overload), then maybe.. but if you are talking about a 'classic'
network based DOS, then probably not.

By that time, the system would effectively be inundated with enough
network connections to have problems with service anyway.