An Nginx Upstream DDoS Blackhole: how does it work?

c0nw0nk nginx-forum at forum.nginx.org
Thu Jul 27 05:55:08 UTC 2017


So I was looking at an upstream that has been flooded from multiple locations
and read that you can create what is called a blackhole within the upstream,
which helps with the DDoS scenario.

Here is my upstream config:

upstream web_rack {
    # eleven local application workers, equal weight; max_fails keeps its
    # default of 1, so one failed attempt sidelines a worker for 4 seconds
    server 127.0.0.1:9000 weight=1 fail_timeout=4;
    server 127.0.0.1:9001 weight=1 fail_timeout=4;
    server 127.0.0.1:9002 weight=1 fail_timeout=4;
    server 127.0.0.1:9003 weight=1 fail_timeout=4;
    server 127.0.0.1:9004 weight=1 fail_timeout=4;
    server 127.0.0.1:9005 weight=1 fail_timeout=4;
    server 127.0.0.1:9006 weight=1 fail_timeout=4;
    server 127.0.0.1:9007 weight=1 fail_timeout=4;
    server 127.0.0.1:9008 weight=1 fail_timeout=4;
    server 127.0.0.1:9009 weight=1 fail_timeout=4;
    server 127.0.0.1:9010 weight=1 fail_timeout=4;
    # pick the worker with the fewest active connections
    least_conn;
}
My question is: how does a blackhole in the upstream help, and how does it
work? Is setting the "down" state a permanent 503 for all timed-out upstream
requests?

And here is the upstream I read can act as a blackhole (itpp2012 gets
credit for this):

A simple configuration like:

upstream myLoadBalancer {
    # four live web servers
    server 192.168.169.22:80 weight=1 fail_timeout=5;
    server 192.168.169.17:80 weight=1 fail_timeout=5;
    server 192.168.169.26:80 weight=1 fail_timeout=5;
    server 192.168.169.23:80 weight=1 fail_timeout=5;
    # two spare servers, excluded from balancing while marked down
    server 192.168.169.27:80 weight=1 fail_timeout=5 down;
    server 192.168.169.28:80 weight=1 fail_timeout=5 down;
    least_conn;
}

upstream myLoadBalancerDDOS {
    # two local backends that answer attack traffic (e.g. with a 503)
    server 127.0.0.1:8081 weight=1 fail_timeout=5;
    server 127.0.0.1:8082 weight=1 fail_timeout=5;
    # three more local backends held in reserve
    server 127.0.0.1:8083 weight=1 fail_timeout=5 down;
    server 127.0.0.1:8084 weight=1 fail_timeout=5 down;
    server 127.0.0.1:8085 weight=1 fail_timeout=5 down;
    # blackhole address, enabled only when needed
    server 192.168.169.254:80 weight=1 fail_timeout=5 down;
    least_conn;
}

In myLoadBalancer you have set two extra backends ready for expanding
capacity.
In myLoadBalancerDDOS you have set two backends (or internal redirects to 503
location blocks) to deal with attacks, a backend (...169.254:80) to serve as
a blackhole, and three more for expanding capacity.

Of course you can set as many backends and their destinations as you like:
other web servers, faster blackholes, offloading addresses, swapping between
cloud providers, etc.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,275671,275671#msg-275671
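As an added example (not part of the original post and not itpp2012's configuration), here is a complete nginx fragment that wires the idea up end to end: explicit 503 "sink" servers behind the attack upstream, spare backends held with the `down` flag, and the front-end server that falls back from the normal upstream to the attack upstream. The upstream name web_rack_ddos, the sink ports 8081/8082, the address 192.168.169.254 and the named location @attack are illustrative assumptions. Two nginx facts the example relies on: max_fails defaults to 1 and fail_timeout to 10s, so `fail_timeout=4` here means one failed attempt removes a worker for 4 seconds; and a server marked `down` is never selected at all, so an upstream whose members are all down (or all currently failed) makes nginx return 502 "no live upstreams", not 503, which is why the fragment maps 502 onto the same fallback as 503.

```nginx
# Added example configuration; names, ports and addresses are assumptions.

# Two local sink servers: anything proxied here gets an immediate 503.
server {
    listen 127.0.0.1:8081;
    listen 127.0.0.1:8082;
    return 503;
}

upstream web_rack {
    # Normal application workers. With the default max_fails=1, a single
    # failed attempt sidelines a worker for fail_timeout (4 seconds).
    server 127.0.0.1:9000 weight=1 fail_timeout=4;
    server 127.0.0.1:9001 weight=1 fail_timeout=4;
    # Spare worker, pre-declared but never selected until 'down' is removed
    # and nginx is reloaded.
    server 127.0.0.1:9002 weight=1 fail_timeout=4 down;
    least_conn;
}

upstream web_rack_ddos {
    # Attack mode: the sinks answer 503 at almost no cost.
    server 127.0.0.1:8081 weight=1 fail_timeout=5;
    server 127.0.0.1:8082 weight=1 fail_timeout=5;
    # Blackhole: an address that does not answer, so connections simply
    # time out. Kept 'down' until an operator enables it and reloads.
    server 192.168.169.254:80 weight=1 fail_timeout=5 down;
    least_conn;
}

server {
    listen 80;
    server_name example.test;

    location / {
        proxy_pass http://web_rack;
        proxy_connect_timeout 2s;
        proxy_read_timeout 5s;
        # When every worker is down or failed nginx itself answers 502
        # ("no live upstreams"); send that, and backend 503/504s, to the
        # attack handler instead of exposing the bare error.
        proxy_intercept_errors on;
        error_page 502 503 504 = @attack;
    }

    # Hand the request to the attack upstream; the sinks return 503 and the
    # blackhole (once enabled) swallows it. A plain 'return 503;' here would
    # be the cheapest option if no backend is wanted at all.
    location @attack {
        proxy_pass http://web_rack_ddos;
    }
}
```

Switching a backend in or out is an edit of the `down` flag followed by `nginx -t && nginx -s reload`; the flag is static configuration, not a state nginx sets on its own, so nothing becomes "permanently 503" without that reload. Recursive error pages stay off by default, so a 503 coming back from the sinks is delivered to the client rather than re-entering the error_page chain.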