DoS attack in the wild

luben karavelov luben at unixsol.org
Fri Jun 19 23:09:34 MSD 2009


luben karavelov wrote:
> A DoS attack against a number of HTTP servers is available and has hit 
> Slashdot today: 
> http://it.slashdot.org/story/09/06/19/1243203/Attack-On-a-Significant-Flaw-In-Apache-Released 
> 
> 
> Out of the box, nginx is also vulnerable (I have tested it on the latest 0.7 
> installation). A quick fix for the vulnerability follows:
> 
> Put in "http" section:
> 
> client_body_timeout 10;
> client_header_timeout 10;
> keepalive_timeout 10;
> send_timeout 10;
> limit_zone limit_per_ip $binary_remote_addr 1m;
> 
> and put in "server" section :
> 
> limit_conn limit_per_ip 16;
> 
> The last 2 configuration lines are for limiting connections per client 
> IP. The first lines are some sane connection timeouts.
> 
> Best regards, and keep up the great work!
> 

If you process some large uploads or the page generation takes over 10 
seconds you could raise the timeouts. Actually the fix is the last 
lines: limiting the connection number per client IP.

Luben
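A small, self-contained illustration of the two controls the config in the thread turns on, added here as an example and not part of the thread or of nginx itself: a toy server enforces a header-read timeout (the role of client_header_timeout) and a cap on concurrent connections per client IP (the role of the limit_zone/limit_conn pair), and two clients show the effect, one that sends partial headers and holds the connection open, one that sends a complete request. The class and function names, the port choice and the timing values are all constructed for the demonstration. One caveat for anyone copying the snippet into a newer nginx: limit_zone is the 0.7-era spelling; since nginx 1.1.8 it is deprecated in favour of "limit_conn_zone $binary_remote_addr zone=limit_per_ip:1m;", with "limit_conn limit_per_ip 16;" unchanged.

```python
import socket
import threading
import time
from collections import Counter


class LimitedServer:
    """Toy TCP server applying the two nginx controls from the thread:
    a header-read timeout (client_header_timeout) and a cap on concurrent
    connections per client IP (limit_zone + limit_conn). Names constructed."""

    def __init__(self, header_timeout=1.0, max_conns_per_ip=16):
        self.header_timeout = header_timeout
        self.max_conns_per_ip = max_conns_per_ip
        self.active = Counter()   # live connections per client IP
        self.stats = Counter()    # outcomes: served / timeout / rejected
        self.lock = threading.Lock()
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind(("127.0.0.1", 0))   # port 0: let the kernel pick one
        self.sock.listen(64)
        self.sock.settimeout(0.2)          # so the accept loop notices close()
        self.port = self.sock.getsockname()[1]
        self._stop = False
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while not self._stop:
            try:
                conn, (ip, _) = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                return
            threading.Thread(target=self._handle, args=(conn, ip), daemon=True).start()

    def _handle(self, conn, ip):
        with self.lock:
            if self.active[ip] >= self.max_conns_per_ip:
                # Same outcome as nginx's limit_conn: refuse with 503 at once,
                # before this connection can occupy a worker.
                self.stats["rejected"] += 1
                conn.sendall(b"HTTP/1.1 503 Service Unavailable\r\n"
                             b"Content-Length: 0\r\nConnection: close\r\n\r\n")
                conn.close()
                return
            self.active[ip] += 1
        try:
            conn.settimeout(self.header_timeout)   # client_header_timeout
            buf = b""
            while b"\r\n\r\n" not in buf:          # wait for the end of the headers
                chunk = conn.recv(4096)
                if not chunk:                      # client went away
                    return
                buf += chunk
            with self.lock:
                self.stats["served"] += 1
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n"
                         b"Connection: close\r\n\r\nok")
        except socket.timeout:
            # Headers never completed within the timeout: drop the connection.
            with self.lock:
                self.stats["timeout"] += 1
        finally:
            with self.lock:
                self.active[ip] -= 1
            conn.close()

    def close(self):
        self._stop = True
        self.sock.close()


def slow_client(port, hold_seconds):
    """Open a connection, send part of a request and then just hold it.
    Returns whatever the server sent (b"" if it simply closed the socket)."""
    s = socket.create_connection(("127.0.0.1", port))
    try:
        s.sendall(b"GET / HTTP/1.1\r\nHost: localhost\r\n")  # no blank line: headers never end
        time.sleep(hold_seconds)
        return s.recv(4096)
    except OSError:
        return b""
    finally:
        s.close()


def full_request(port):
    """A well-formed request; returns the complete response bytes."""
    s = socket.create_connection(("127.0.0.1", port))
    try:
        s.sendall(b"GET / HTTP/1.1\r\nHost: localhost\r\n\r\n")
        chunks = []
        while True:
            d = s.recv(4096)
            if not d:
                break
            chunks.append(d)
        return b"".join(chunks)
    finally:
        s.close()


def demo():
    """Two held-open connections from one IP, a third that exceeds the cap,
    then a normal request once the timeouts have fired. Returns outcome counts."""
    srv = LimitedServer(header_timeout=0.5, max_conns_per_ip=2)
    try:
        holders = [threading.Thread(target=slow_client, args=(srv.port, 1.0))
                   for _ in range(2)]
        for t in holders:
            t.start()
        time.sleep(0.2)               # let both be accepted and counted
        slow_client(srv.port, 0.1)    # third from the same IP: refused with 503
        for t in holders:
            t.join()                  # by now the server has dropped both
        full_request(srv.port)        # a normal request still gets served
        return dict(srv.stats)
    finally:
        srv.close()


if __name__ == "__main__":
    print(demo())   # prints {'rejected': 1, 'timeout': 2, 'served': 1}
```

Running it shows the two effects separately: the held-open connections are dropped once the header timeout expires instead of waiting for headers that never arrive, and the third connection from the same address is refused immediately because the per-IP cap is already reached. The timeouts bound how long any one connection can occupy a worker; the per-IP cap bounds how many such connections one source can hold at the same time, which is why the reply above calls the cap the actual fix.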
