Protection against massive requests from single server / ip

W-Mark Kubacki wmark+nginx at
Sun Jan 31 15:35:52 MSK 2010

2010/1/31  <adk1601 at>:
> What are your setups against a lot of requests from single servers?

For larger installations firewalls or properly configured routers
before any servers.

For tiny, home and experimental setups iptables [1] with rules such as:
-A INPUT -s 300.300.300.0/24 -j ACCEPT
-A INPUT -m recent --rcheck --seconds 120 --name ATTACKER --rsource -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j syn-flood
-A syn-flood -m limit --limit 14/sec --limit-burst 30 -j RETURN
-A syn-flood -j LOG --log-prefix "Firewall: SYN-flood "
-A syn-flood -m recent --set --name ATTACKER --rsource
-A syn-flood -j DROP
... where lots of requests equal a syn-flood.
But beware, someone could exploit these rules by forging source
IPs (see source address validation [2]), and your server is still doing
work discarding these request packets, so it could become
unresponsive if the request volume is very high (at least take a look
at syncookies [3]).

W-Mark Kubacki
