DDoS protection module suggestion

malte nginx-forum at nginx.us
Sat Nov 6 00:52:13 MSK 2010


unclepieman Wrote:
-------------------------------------------------------
> Hey Malte,
> 
> During a ddos attack, you are sending
> $possible_bad-ip to a different 
> server that just sits there and does nothing but
> Captcha. The cost for 
> showing a captcha to a host is far less than the
> impact it would have on 
> your network/servers.
> 
> also on the captcha you can implement cookie
> checks and if the host does 
> not become valid say after seeing the page
> $n_times then you can add the 
> ip to an acl block list. Layer3-4 blocking cost is
> much less than 
> layer7, same goes for if you are taking the threat
> away from your 
> production internet facing servers and forcing the
> possible bad hosts go 
> through a captcha system.
> 
> the last time i setup a network to handle 400mbps
> and 140k connection 
> (not packets) a second attack it was with the
> suggestions and topology 
> ive described, its worked without issues for me
> but perhaps you are 
> seeing something that i have not.

Yeah I'm not saying you are wrong at all. But I can vouch for that it
was a decidedly bad idea to block 50k IPs in IPtables like I did, that
made all network related activity slower than a dying turtle. And
personally, for an IP requesting 50 pages per second, I don't feel bad
at all 503:ing them instead of giving them a captcha chance. For a lower
intensity captcha I can see how your captcha system would shine though.

I'd love to see a flexible nginx module that can support either
approach. And this one that Weibin is working on sounds pretty
promising!

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,147105,148142#msg-148142




More information about the nginx mailing list