limit-req and greedy UAs

c0nw0nk nginx-forum at forum.nginx.org
Mon Sep 12 12:51:54 UTC 2016


gariac Wrote:
-------------------------------------------------------
> This page has all the secret sauce, including how to limit the number
> of connections. 
> 
> https://www.nginx.com/blog/mitigating-ddos-attacks-with-nginx-and-nginx-plus/
> 
> I set up the firewall with a higher number as a "just in case." Also
> note if you do streaming outside nginx, then you have to limit
> connections for that service in the program providing it. 
> 
> Mind you while I think this page has good advice, what is listed here
> won't stop a real ddos attack. The first D is for distributed, meaning
> the attacks come from many IP addresses. You probably have to pay for
> one of those reverse proxy services to avoid a real ddos, but I
> personally find them a bit creepy since I have seen hacking
> attempts come from behind them. 
> 
> The tips on this nginx page will limit the teenage boy in his parents
> basement, which is a more real life scenario to be attacked. But note
> that every photo you load is a request, so I wouldn't make the limit
> any lower than 5 to 10 per second. You can play with the limits and
> watch the results on your own system. Just remember to: 
> service nginx reload
> service nginx restart
> 
> If you do fancy caching, you may have to clear your browser cache.
> 
> In theory, Google page ranking takes speed into account.  There are
> many websites that will evaluate your nginx set up. 
> https://www.webpagetest.org/
> 
> One thing to remember is nginx limits are in bytes per second, not
> bits per second. So the 512k limit in this example is really quite
> generous.
> http://www.webhostingtalk.com/showthread.php?t=1433413
> 
> There are programs you can run on your server to flog nginx.
> https://www.howtoforge.com/how-to-benchmark-your-system-cpu-file-io-mysql-with-sysbench
> 
> I did this with httperf, but sysbench is supposed to be better. Nginx
> is very efficient. Your limiting factor will probably be your server
> network connection. If you sftp files from your server, it will be at
> the maximum rate you can deliver, and this depends on time of day
> since you are sharing the pipe. I'm using a VPS that does 40 Mbps on a
> good day. Figure 10 users at a time and the 512 kbytes per second put me
> at the limit. 
> 
> If you use the nginx map module, you can block download managers if
> they are honest with their user agents. 
> 
> http://nginx.org/en/docs/http/ngx_http_map_module.html
> http://ask.xmodulo.com/block-specific-user-agents-nginx-web-server.html
> 
> Beware of creating false positives with such rules. When developing
> code, I return a 444 then search the access.log for what it found,
> just to ensure I wrote the rule correctly.
> 
>   Original Message  
> From: Grant
> Sent: Sunday, September 11, 2016 5:30 AM
> To: nginx at nginx.org
> Reply To: nginx at nginx.org
> Subject: Re: limit-req and greedy UAs
> 
> > What looks to me to be a real resource hog that quite frankly you
> cant do much about are download managers. They open up multiple
> connections, but the rate limits apply to each individual connection.
> (this is why you want to limit the number of connections.)
> 
> 
> Does this mean an attacker (for example) could get around rate limits
> by opening a new connection for each request? How are the number of
> connections limited?
> 
> - Grant
> 
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx


The following is a good resource also if you are having issues with slow DOS
attacks where they are trying to keep connections open for long periods of
time.

OWASP : https://www.owasp.org/index.php/SCG_WS_nginx

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,269435,269473#msg-269473
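An added nginx configuration (example code, not the poster's own or nginx's own documentation) that puts the pieces discussed in this thread together; it assumes a single server block, and the zone sizes, rates, user-agent patterns, host name and paths are illustrative placeholders. Note the distinction behind Grant's question: limit_rate is a per-connection bandwidth cap, limit_req keyed on $binary_remote_addr counts requests per client address no matter how many connections that client opens, and limit_conn bounds concurrent connections per address.

```nginx
http {
    # Request rate per client address. Keyed on $binary_remote_addr, so a
    # client that opens a fresh connection for every request still draws
    # from one bucket; burst absorbs a page's worth of image requests.
    limit_req_zone $binary_remote_addr zone=req_per_ip:10m rate=10r/s;

    # Concurrent connections per client address. This is the control that
    # caps download managers opening many parallel connections.
    limit_conn_zone $binary_remote_addr zone=conn_per_ip:10m;

    # Flag download managers that announce themselves. Assumed UA patterns;
    # check matches in access.log first to avoid false positives.
    map $http_user_agent $block_ua {
        default                            0;
        ~*(aria2|download\s?manager|fdm)   1;
    }

    # Short timeouts so slow clients cannot hold connections open for long
    # (the slow DoS case the OWASP guide above addresses).
    client_body_timeout   10s;
    client_header_timeout 10s;
    keepalive_timeout     15s;
    send_timeout          10s;

    server {
        listen 80;
        server_name example.com;   # placeholder
        root /var/www/example;     # placeholder

        # 444 closes the connection without sending a response; grep for
        # " 444 " in access.log to confirm the rule hits what you intended.
        if ($block_ua) {
            return 444;
        }

        limit_req         zone=req_per_ip burst=20 nodelay;
        limit_conn        conn_per_ip 10;
        limit_req_status  429;
        limit_conn_status 429;

        # Bandwidth cap per connection, in bytes per second: 512k is
        # 512 kilobytes (about 4 Mbit/s). With limit_conn at 10 the total
        # per client stays bounded as well.
        limit_rate 512k;
    }
}
```

Reload with `service nginx reload` after editing, and watch the 429 and 444 entries in access.log while testing the limits from a second host.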