DDoS protection module suggestion
pchychi at gmail.com
Fri Nov 5 07:03:53 MSK 2010
What's your email? I'll contact you with a few things.
Weibin Yao wrote:
> malte at 2010-11-5 3:47 wrote:
>> Redd Vinylene Wrote:
>>> Just real quick:
>>> What about one of the BSDs and pf? The latter is
>>> said to be the world's best
>>> firewall. Real elegant syntax too:
>>> block quick from
>>> pass in on $ext_if inet proto tcp from any to any
>>> port 80 keep state
>>> (max-src-conn 100, max-src-conn-rate 15/5,
>>> overload flush
>>> That takes care of all my DDoS protection needs.
>>> Some of y'all mentioned big
>>> guns though, I don't know about that.
>> OpenBSD's PF is indeed the world's finest software based firewall, I'll be
>> the first to say. I think Linux should throw out IP tables and go for a
>> PF port, but I digress.
>> I haven't tried mitigating a big DDoS with PF, and I don't know if it
>> would fare any better once it has say 50k individual IPs to block. But
>> to me that is kind of beside the point. If I am not mistaken, a well
>> written nginx module would be immensely helpful when faced with the
>> kind of DDoS I had on me last week.
>> If I can't find anyone interested in writing it I might have a whack at
>> it myself next time I get some spare time.
> We are facing a similar DDoS situation to yours. I'm developing a
> module which can deny the individual IPs. The module can get the IPs
> with a POST request from a commander server in the intranet. If you
> have some suggestions, you can contact me.
> The module will be here:
> https://github.com/yaoweibin/nginx_limit_access_module, but I need
> some more days to finish it.
>> Posted at Nginx Forum:
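
Added example (not part of the thread, and not code from any poster or from pf): a simplified Python model of what the quoted `max-src-conn-rate 15/5` with `overload` does per source address, run over constructed connection events. It assumes an exact sliding window, which is a simplification of pf's own accounting, and it does not model `max-src-conn 100` or `flush`; the addresses are documentation-range placeholders.

```python
from collections import defaultdict, deque

MAX_CONN_RATE = 15  # new connections allowed ... (from "max-src-conn-rate 15/5")
RATE_WINDOW = 5.0   # ... per this many seconds


def apply_rate_rule(events, limit=MAX_CONN_RATE, window=RATE_WINDOW):
    """Replay (timestamp, src_ip) events, sorted by time, through the rule.

    Returns (decisions, overload_table). A source that exceeds `limit` new
    connections inside `window` seconds is put in the overload table; every
    later connection from it is blocked, as a "block quick from <table>"
    rule placed before the pass rule would do.
    """
    recent = defaultdict(deque)  # src -> timestamps of recent new connections
    overload = {}                # src -> time it was added to the table
    decisions = []
    for ts, src in events:
        if src in overload:
            decisions.append((ts, src, "block"))
            continue
        q = recent[src]
        while q and ts - q[0] >= window:  # drop connections older than window
            q.popleft()
        q.append(ts)
        if len(q) > limit:                # the 16th connection in 5 s trips it
            overload[src] = ts
            del recent[src]
            decisions.append((ts, src, "overload"))
        else:
            decisions.append((ts, src, "pass"))
    return decisions, overload


def sample_events():
    """Constructed input: one flooding source and one well-behaved source."""
    flood = [(round(i * 0.1, 1), "198.51.100.7") for i in range(20)]  # 10/s
    normal = [(float(i), "203.0.113.9") for i in range(20)]           # 1/s
    return sorted(flood + normal)


if __name__ == "__main__":
    decisions, table = apply_rate_rule(sample_events())
    for src, since in table.items():
        print(f"{src} added to overload table at t={since}s")
    print(sum(1 for d in decisions if d[2] == "block"), "connections blocked")
```

The model keeps one timestamp queue per source, so with tens of thousands of distinct sources each staying under the limit nothing is ever added to the table.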