DDoS protection module suggestion

ken107 nginx-forum at nginx.us
Sun Dec 26 12:49:01 MSK 2010

My friend's website promoting freedom of speech in communist Vietnam has
recently been brought down by a 400k+ IP DDOS launched affirmatively by
a government-sponsored cyber army.  I've been asked for some ideas, and
have had some experience warding off some minor DDOS on my own
non-political website.

Anyway, I've read this great discussion thread and came up with an idea
that I think might work, especially for us individual webmasters who
can't afford large distributed networks that can absorb such massive
attacks.  It is as follows, please let me know your thoughts:

1. Use iptables to redirect all traffic to reCaptcha validation page
- reCaptcha generation is handled by Google's distributed network
designed to withstand DDOS
- the reCaptcha validation page is therefore a static page and does not
weigh down your server's processing power

2. Once validated, the IP is added to iptables Allow list, and the user
is redirected back to homepage
- entries that have been idle for some time should be removed from the

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,147105,161145#msg-161145
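
One way to wire up the allow list and idle expiry proposed in the post above, as an added example that is not part of the original message. It assumes `ipset` is available alongside iptables; the set name `captcha_ok`, the captcha listener port 8080 and the 30-minute idle timeout are hypothetical values chosen for illustration.

```shell
# Added example, not from the original post. Assumed names and values:
# set "captcha_ok", captcha listener on port 8080, 30-minute idle timeout.
SET_NAME=captcha_ok
IDLE_SECS=1800
CAPTCHA_PORT=8080

# Print the one-time firewall setup (printed, not executed, so it can be
# reviewed first). Rule 1 creates a set whose entries expire on their own.
# Rule 2 resets the timer each time an allowed client connects, so only
# idle entries age out. Rule 3 redirects everyone else to the captcha page.
gate_rules() {
    cat <<EOF
ipset create $SET_NAME hash:ip timeout $IDLE_SECS -exist
iptables -t mangle -A PREROUTING -p tcp --dport 80 -m set --match-set $SET_NAME src -j SET --add-set $SET_NAME src --exist --timeout $IDLE_SECS
iptables -t nat -A PREROUTING -p tcp --dport 80 -m set ! --match-set $SET_NAME src -j REDIRECT --to-ports $CAPTCHA_PORT
EOF
}

# Succeed only for a strict dotted-quad IPv4 address. The address arrives
# from the web handler and ends up in a root command, so reject anything else.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*) return 1 ;; esac   # no leading zeros
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the command that allowlists a client after a solved captcha.
allow_cmd() {
    valid_ipv4 "$1" || { echo "rejected: $1" >&2; return 1; }
    echo "ipset add $SET_NAME $1 timeout $IDLE_SECS -exist"
}
```

Because the set is created with a timeout, no separate cleanup job is needed for idle entries; the kernel drops them when their timer runs out.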
