Protecting nginx from syn flood and DOS vs legit heavy traffic
rtibmx at yahoo.com
Sat May 17 20:06:36 MSD 2008
We are using nginx as a public web server and need to do good common sense things to try and limit or prevent syn floods and related types of DOS attacks.
I've researched iptables extensively and have found a lot of info on how to use it to limit syn floods and so forth.
However, these articles do not explain how to apply these iptables restrictions to public web servers that get very large amounts of traffic. So I am hoping others here can share how they are using iptables, because I am concerned that I will inadvertently block good traffic!
For instance, consider a case where a huge company has thousands of employees who all share one public IP when accessing the internet. Further, consider that everyone in the company gets an email that says to go to our site and review some web pages.
In this scenario it is possible we could have a few thousand requests coming in all at the same time from the same IP, yet they would be legitimate requests. So I have to be very careful with the rules that try (if possible?) to tell the difference between heavy traffic from the same IP (as in this scenario) vs. some bot hammering on the server.
As another example, from the syn flood iptables rules I've seen, I can't tell whether it is possible to detect the difference between syn packets that are purposeful vs. a large number of syn packets for new connections that are rushing in but legitimate.
Also, as a side question: if a request comes in to nginx and nginx then uses proxy_pass to talk to an external server that handles the request, am I right to assume that, as far as iptables is concerned, this is INPUT and not FORWARD? In the case where we only want the public to access the nginx server, is there ever a case where we may legitimately want to take FORWARD requests, or should these all be blocked?
I would GREATLY appreciate you sharing your thoughts on how to address this and approaches you have taken that may apply in this case too.
For reference I am using the latest nginx 6 on Fedora 8 core.
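The "thousand employees behind one NAT IP vs. a bot" concern above comes down to how a per-source-IP limiter is tuned. The following is an added example, not code from the original post: a Python simulation of the token-bucket behaviour of iptables' hashlimit match (per-srcip rate plus burst), run over constructed traffic. The IP addresses, the 50/s rate and 1000 burst, and the traffic shapes are assumptions for illustration; the model approximates hashlimit rather than reproducing the kernel's exact accounting.

```python
from collections import defaultdict


class SrcIpSynLimiter:
    """Per-source-IP token bucket, approximating iptables
    '-m hashlimit --hashlimit-mode srcip --hashlimit-upto RATE/sec
    --hashlimit-burst BURST' applied to '-p tcp --syn'.
    Each SYN costs one token; tokens refill at RATE up to BURST."""

    def __init__(self, rate_per_sec, burst):
        self.rate = float(rate_per_sec)
        self.burst = float(burst)
        self.tokens = {}   # src_ip -> tokens currently available
        self.last = {}     # src_ip -> time of the last SYN seen

    def allow(self, src_ip, t):
        tokens = self.tokens.get(src_ip, self.burst)   # new IP starts full
        last = self.last.get(src_ip, t)
        tokens = min(self.burst, tokens + (t - last) * self.rate)
        self.last[src_ip] = t
        if tokens >= 1.0:
            self.tokens[src_ip] = tokens - 1.0
            return True
        self.tokens[src_ip] = tokens
        return False


def run(limiter, events):
    """events: iterable of (time_s, src_ip). Returns {src_ip: (accepted, dropped)}."""
    stats = defaultdict(lambda: [0, 0])
    for t, ip in sorted(events):
        stats[ip][0 if limiter.allow(ip, t) else 1] += 1
    return {ip: tuple(v) for ip, v in stats.items()}


def even_spread(src_ip, count, seconds):
    """count SYNs from src_ip spread evenly over 'seconds', starting at t=0."""
    return [(i * seconds / count, src_ip) for i in range(count)]


# Constructed traffic (TEST-NET addresses, not real hosts):
#  - an office NAT sending 800 SYNs in 2 s after an all-staff email (flash crowd)
#  - a bot holding 500 SYN/s for 10 s (sustained flood)
OFFICE, BOT = "203.0.113.10", "198.51.100.7"
TRAFFIC = even_spread(OFFICE, 800, 2) + even_spread(BOT, 5000, 10)


def demo(rate_per_sec=50, burst=1000):
    # A burst sized for the flash crowd passes the office untouched, while the
    # bot is throttled to roughly burst + rate * duration over its 10 s.
    return run(SrcIpSynLimiter(rate_per_sec, burst), TRAFFIC)


if __name__ == "__main__":
    for ip, (ok, drop) in demo().items():
        print(f"{ip}: accepted={ok} dropped={drop}")
```

Note that the limiter keys on source IP only, so the bot's flood never consumes the office's tokens; what it cannot do is tell a flash crowd from a flood coming from the same address, which is why the burst has to be sized for the legitimate case.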