DoS attack in the wild

István leccine at gmail.com
Tue Jun 23 11:46:35 MSD 2009


I am not able to reproduce this. The server is answering and serving
./slowloris.pl -dns doma.in -port 80 -timeout 2 -num 10000

The load is zero, there is not even a delay in the response time. Would you
mind sharing your slowloris.pl command and/or the relevant nginx config, OS
type and version, and sysctl.conf (or equivalent)?

It would also be nice to know what nginx is doing during that time; do you
have dtrace on that node? Enabling debug-level logging in nginx is a really
bad idea if you have 5000 requests...

*"But if you have enough attack computers, you also can make a Nginx server
deny service."*

If you have enough computers you can take down even google.com; this is not
relevant to this conversation. Moreover, slowloris is a tool dedicated to
low-bandwidth/low number of computers attacks.

Regards,
Istvan


On Tue, Jun 23, 2009 at 3:34 AM, Weibin Yao <nbubingo at gmail.com> wrote:

> István at 2009-6-22 20:40 wrote:
>
>> I wasn't able to raise the load above 0,1 with nginx-0.6.32 on freebsd.
>>
>> What did I do wrong if nginx is affected "much stronger"?
>>
> Under this attack, Nginx just blocks all the sockets for
> client_header_timeout seconds, the load is always very low.
>
> In my tests, apache2 stops working when the attack number is above 500. I
> think maybe apache2 can't fork more processes or threads.
> But Nginx can survive when the attack number is below
> worker_processes*worker_connections. It's more difficult to attack Nginx than
> apache. But if you have enough attack computers, you also can make an Nginx
> server deny service.
>
> --
> Weibin Yao
>
>
>


-- 
the sun shines for all
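
Added example, not part of the original thread: a defender-side check built on the worker_processes*worker_connections slot budget mentioned in the quoted message. It counts established connections per client and flags any client holding an outsized share. The "ip state" input format, the 5% per-client share, the sample addresses and all function names are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample socket-table rows ("remote_ip state"); the addresses are
# documentation ranges, not real hosts.
SAMPLE = (
    ["198.51.100.7 ESTABLISHED"] * 900
    + ["203.0.113.20 ESTABLISHED"] * 3
    + ["192.0.2.5 ESTABLISHED"] * 2
    + ["203.0.113.21 TIME_WAIT"]
)


def connections_per_client(lines):
    """Count ESTABLISHED connections per remote IP; skip malformed rows."""
    counts = Counter()
    for line in lines:
        parts = line.split()
        if len(parts) != 2:
            continue
        ip, state = parts
        if state == "ESTABLISHED":
            counts[ip] += 1
    return counts


def assess(lines, worker_processes, worker_connections, per_client_share=0.05):
    """Compare held connections with the slot budget from the thread.

    Simplification (assumption): every slot is treated as available to
    clients, ignoring slots nginx uses for upstream connections.
    """
    budget = worker_processes * worker_connections
    counts = connections_per_client(lines)
    used = sum(counts.values())
    # Hypothetical policy: no single client may hold more than this many slots.
    limit = max(1, int(budget * per_client_share))
    heavy = {ip: n for ip, n in counts.items() if n > limit}
    return {
        "budget": budget,
        "used": used,
        "utilisation": used / budget,
        "per_client_limit": limit,
        "heavy_clients": heavy,
    }


if __name__ == "__main__":
    print(assess(SAMPLE, worker_processes=2, worker_connections=1024))
```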