DDoS protection module suggestion
nbubingo at gmail.com
Fri Nov 5 05:18:13 MSK 2010
malte at 2010-11-5 3:47 wrote:
> Redd Vinylene Wrote:
>> Just real quick:
>> What about one of the BSDs and pf? The latter is
>> said to be the world's best
>> firewall. Real elegant syntax too:
>> block quick from
>> pass in on $ext_if inet proto tcp from any to any
>> port 80 keep state
>> (max-src-conn 100, max-src-conn-rate 15/5,
>> overload flush
>> That takes care of all my DDoS protection needs.
>> Some of y'all mentioned big
>> guns though, I don't know about that.
> OpenBSDs PF is indeed the worlds finest software based firewall, I'll be
> the first to say. I think Linux should throw out IP tables and go for a
> PF port, but I digress.
> I haven't tried mitigating a big DDoS with PF, and I don't know if it
> would fare any better once it has say 50k individual IPs to block. But
> to me that is kind of beside the point. If I am not mistaken, a well
> written nginx module would be the immensely helpful when faced with the
> kind of DDoS I had on me last week.
> If I can't find anyone interested in writing it I might have a whack at
> it myself next time I get some spare time.
We are facing the similar DDOS situation to you. I'm developing a module
which can deny the individual IPs. The module can get the IPs with a
POST request from a commander server in the intranet. If you have some
suggestions, you can contact to me.
The module will be here:
https://github.com/yaoweibin/nginx_limit_access_module, but I need some
more days to finish it.
> Posted at Nginx Forum: http://forum.nginx.org/read.php?2,147105,147721#msg-147721
> nginx mailing list
> nginx at nginx.org
More information about the nginx