DoS attack in the wild

Igor Sysoev is at rambler-co.ru
Sat Jun 20 16:41:48 MSD 2009


On Sat, Jun 20, 2009 at 03:33:40PM +0300, luben karavelov wrote:

> J??r??me Loyet wrote:
> >this attack works great on apache but I was unable, yet, to make it
> >works on nginx (0.8.3).
> >
> 
> On nginx it exhuases the available sockets. My setup is nginx-0.7.58 
> with cofig: :
> 
> worker_processes  4;
> worker_rlimit_nofile 5000;
> events {
>     worker_connections  2048;
>     use epoll;
> }
> 
> 
> and without the fixes I could DoS the server with:
> ./slowloris.pl -dns photomoment.bg -timeout 30 -num 10000 -tcpto 5
> 
> exhausts available sockets and the server stops replying to new requests.

5000 and 2048 are too small values in modern Internet, I use usually
about 200,000.

You need to increase
1) OS sockets limit,
2) OS network memory limits (buffers, etc.)
3) OS files limit,
4) OS per process files limit (worker_rlimit_nofile),
5) and finally, nginx's worker_connections.


-- 
Igor Sysoev
http://sysoev.ru/en/





More information about the nginx mailing list