DDoS protection module suggestion

unclepieman nginx-forum at nginx.us
Thu Nov 4 00:15:13 MSK 2010


Agreed, what I've done in the past to get around that issue is to set up a
span port on our edge so it takes a packet and mirrors it to another
server, say nic1. You run a script on that server that does all the
number crunching; based on what it sees, you can have your script modify
routing on the edge router, inject iptables rules into your server or
any gw devices above the server. You can then not only provide
layer 3-4 protection (while taking the immediate threat away) but
now can allow the attack to go on for say 1-5 min, monitor the URI and
log files and create a behavior for the traffic, which you can then use to block
dirty traffic and allow good traffic back in.

Having a feedback loop system allows you to get rid of any false
positives. If say a good IP is somehow redirected to localhost:81 (where
there is a valid link with a captcha saying "if you are in fact a GOOD
user, answer the question and click [go]"), then have that action inject
a cookie into the session, which then gets matched at the edge and passes
down to the proper segment.

There are dozens of ways to mitigate the issue, it just depends on how you
want to go about it. I've worked on designing advanced DDoS mitigation
networks/software and server-based appliances.

Having said this, I do think that nginx requires a native DDoS
mitigation module, it would save a lot of time and effort in the long
run! =)

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,147105,147393#msg-147393
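The "number crunching" script plus captcha feedback loop described in the post, as an added illustration that is not the poster's own code: a sliding-window per-source rate detector over mirrored traffic, which emits iptables DROP rules for noisy sources but exempts any source that presented a valid captcha cookie (the false-positive feedback loop). The log format, the HMAC cookie scheme, the secret and the sample traffic are all constructed assumptions for the demo; the rules are returned as strings, not executed.

```python
import hmac, hashlib
from collections import defaultdict, deque

SECRET = b"constructed-demo-secret"  # assumption: shared by the captcha page (localhost:81) and the edge
WINDOW = 60                          # seconds of mirrored traffic to look back over
THRESHOLD = 5                        # requests per source inside the window before it is called dirty

def verified_token(ip: str) -> str:
    """Cookie value the captcha page would set after a correct answer (assumed HMAC scheme)."""
    return hmac.new(SECRET, ip.encode(), hashlib.sha256).hexdigest()[:16]

def token_valid(ip: str, token: str) -> bool:
    """Constant-time check that the presented cookie belongs to this source IP."""
    return hmac.compare_digest(verified_token(ip).encode(), token.encode())

def parse_line(line: str):
    """Constructed mirrored-traffic format: '<epoch> <ip> <uri> <cookie-or-dash>'."""
    ts, ip, uri, cookie = line.split()
    return int(ts), ip, uri, cookie

def analyze(lines, window=WINDOW, threshold=THRESHOLD):
    """Return (blocked_ips, verified_ips); over-threshold sources are blocked unless verified."""
    recent = defaultdict(deque)   # ip -> request timestamps inside the sliding window
    blocked, verified = set(), set()
    for line in lines:
        ts, ip, uri, cookie = parse_line(line)
        if cookie != "-" and token_valid(ip, cookie):
            verified.add(ip)      # feedback loop: a passed captcha lifts an earlier block
            blocked.discard(ip)
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold and ip not in verified:
            blocked.add(ip)
    return blocked, verified

def iptables_rules(blocked) -> list:
    """Rules the crunching box would push to the server / gateway (returned, not executed)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(blocked)]

# Constructed sample: one noisy source, one bursty-but-legitimate source that answers the
# captcha at t=7, and one quiet source.
SAMPLE = (
    [f"{t} 198.51.100.7 /index.php -" for t in range(1, 9)]
    + [f"{t} 203.0.113.9 /search?q=x -" for t in range(1, 7)]
    + [f"7 203.0.113.9 /go {verified_token('203.0.113.9')}"]
    + [f"{t} 203.0.113.9 /search?q=y -" for t in range(8, 12)]
    + ["3 192.0.2.4 /about -"]
)
```

Running `analyze(SAMPLE)` blocks only 198.51.100.7: 203.0.113.9 crosses the threshold at t=6 but is released once its captcha cookie is seen at t=7.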
