Protection against massive requests from single server / ip
wmark+nginx at hurrikane.de
Sun Jan 31 15:35:52 MSK 2010
2010/1/31 <adk1601 at gmx.de>:
> What are your setups against a lot of requests from single servers?
For larger installations, firewalls or properly configured routers
before any servers.
For tiny, home and experimental setups, iptables with rules such as:
-A INPUT -s 300.300.300.0/24 -j ACCEPT
-A INPUT -m recent --rcheck --seconds 120 --name ATTACKER --rsource -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j syn-flood
-A syn-flood -m limit --limit 14/sec --limit-burst 30 -j RETURN
-A syn-flood -j LOG --log-prefix "Firewall: SYN-flood "
-A syn-flood -m recent --set --name ATTACKER --rsource
-A syn-flood -j DROP
... where lots of requests equal a syn-flood.
But beware, someone could exploit these rules by forging source
IPs (see source address validation) and your server is still doing
work discarding these request packets, therefore it could become
unresponsive if the request amount is very high (at least take a look
at syncookies).
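The following is an added illustration, not part of the post above: a small Python model of the quoted INPUT and syn-flood chains (a shared 14/sec, burst 30 token bucket for -m limit; a per-source ATTACKER list for -m recent with a 120 s --rcheck window), run over a constructed packet trace. The trusted range 192.0.2.0/24 and the source addresses are assumptions standing in for the post's 300.300.300.0/24 placeholder; the trace shows how the ban also covers non-SYN packets, when it lapses, and why the author's caveat matters, since the limit bucket is shared and an unrelated source arriving while it is empty is banned as well.

```python
import ipaddress

TRUSTED = ipaddress.ip_network("192.0.2.0/24")  # assumed stand-in for the post's 300.300.300.0/24
LIMIT_PER_SEC, LIMIT_BURST, BAN_SECONDS = 14.0, 30, 120  # --limit 14/sec --limit-burst 30 --seconds 120


class Firewall:
    def __init__(self):
        self.tokens = float(LIMIT_BURST)  # '-m limit' bucket: one shared bucket, not per source
        self.last_refill = 0.0
        self.attacker = {}                # 'recent' list ATTACKER: src -> time of last --set

    def _limit_match(self, now):
        # Refill at 14 tokens/s up to the burst ceiling, then spend one token if one is left.
        self.tokens = min(LIMIT_BURST, self.tokens + (now - self.last_refill) * LIMIT_PER_SEC)
        self.last_refill = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

    def input(self, now, src, syn=True):
        """Return the verdict the quoted rules give one packet (time in seconds, source IP)."""
        if ipaddress.ip_address(src) in TRUSTED:
            return "ACCEPT"                      # -s <trusted>/24 -j ACCEPT
        seen = self.attacker.get(src)
        if seen is not None and now - seen <= BAN_SECONDS:
            return "DROP(recent)"                # --rcheck --seconds 120: any protocol, not only SYN
        if not syn:
            return "CONTINUE"                    # non-SYN traffic: rest of INPUT, not modelled here
        if self._limit_match(now):
            return "RETURN"                      # syn-flood chain: within 14/s with burst 30
        self.attacker[src] = now                 # LOG, then 'recent --set --name ATTACKER --rsource'
        return "DROP(syn-flood)"


def demo():
    """Constructed trace: 60 SYNs in 0.3 s from one host, one unrelated SYN in the middle."""
    fw, flood, other = Firewall(), "203.0.113.9", "198.51.100.7"
    events = [(i * 0.005, flood) for i in range(60)] + [(0.2025, other)]
    out = {flood: [], other: []}
    for now, src in sorted(events):
        out[src].append(fw.input(now, src))
    out["flood_data_30s"] = fw.input(30.0, flood, syn=False)   # ban covers non-SYN packets too
    out["flood_retry_60s"] = fw.input(60.0, flood)
    out["other_retry_100s"] = fw.input(100.0, other)           # unrelated source is still banned
    out["flood_retry_200s"] = fw.input(200.0, flood)           # 120 s since last --set: allowed again
    out["trusted"] = fw.input(200.5, "192.0.2.10")
    return out


if __name__ == "__main__":
    for key, verdict in demo().items():
        print(key, verdict)
```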