DoS attack in the wild

Igor Sysoev is at rambler-co.ru
Sat Jun 20 16:50:31 MSD 2009


On Sat, Jun 20, 2009 at 04:41:48PM +0400, Igor Sysoev wrote:

> On Sat, Jun 20, 2009 at 03:33:40PM +0300, luben karavelov wrote:
> 
> > Jérôme Loyet wrote:
> > >this attack works great on apache but I was unable, yet, to make it
> > >work on nginx (0.8.3).
> > >
> > 
> > On nginx it exhausts the available sockets. My setup is nginx-0.7.58 
> > with config:
> > 
> > worker_processes  4;
> > worker_rlimit_nofile 5000;
> > events {
> >     worker_connections  2048;
> >     use epoll;
> > }
> > 
> > 
> > and without the fixes I could DoS the server with:
> > ./slowloris.pl -dns photomoment.bg -timeout 30 -num 10000 -tcpto 5
> > 
> > exhausts available sockets and the server stops replying to new requests.
> 
> 5000 and 2048 are too small values for the modern Internet; I usually use
> about 200,000.
> 
> You need to increase
> 1) OS sockets limit,
> 2) OS network memory limits (buffers, etc.)

By buffers I did not mean increasing the send/receive buffer limits: actually,
you should decrease them. I meant the total amount of memory dedicated
to the buffers by the kernel.

> 3) OS files limit,
> 4) OS per process files limit (worker_rlimit_nofile),
> 5) and finally, nginx's worker_connections.
> 
> 
> -- 
> Igor Sysoev
> http://sysoev.ru/en/

-- 
Igor Sysoev
http://sysoev.ru/en/
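
Added example (not part of the original message and not nginx code): a small calculator showing which of the limits listed above caps concurrent connections for the configuration quoted in the thread, and why smaller per-socket buffers raise the ceiling for a fixed amount of kernel network memory. The OS values, the function names and the one-descriptor-per-connection, full-buffer model are assumptions; the sockets limit is folded into the files limit, as on systems where a socket is a file descriptor.

```python
import re

# Constructed copy of the configuration quoted in the thread.
SAMPLE_CONF = """
worker_processes  4;
worker_rlimit_nofile 5000;
events {
    worker_connections  2048;
    use epoll;
}
"""

def directive(conf, name, default):
    """Integer value of a simple `name value;` directive, or the default."""
    m = re.search(r"^\s*" + re.escape(name) + r"\s+(\d+)\s*;", conf, re.M)
    return int(m.group(1)) if m else default

def connection_ceilings(conf, os_file_max, os_nofile, net_mem_bytes,
                        per_socket_buf_bytes):
    """Upper bound on concurrent client connections imposed by each limit.

    The os_* and memory arguments are values the operator reads from the
    host (hypothetical parameters; nothing here queries the OS).
    Simplified model: one descriptor per connection, and every socket
    using its full buffer allowance.
    """
    workers = directive(conf, "worker_processes", 1)
    per_worker_conns = directive(conf, "worker_connections", 512)
    per_worker_files = directive(conf, "worker_rlimit_nofile", os_nofile)
    ceilings = {
        "worker_connections": workers * per_worker_conns,
        "worker_rlimit_nofile": workers * per_worker_files,
        "os_files": os_file_max,
        "network_memory": net_mem_bytes // per_socket_buf_bytes,
    }
    # The smallest ceiling is the one a connection flood reaches first.
    bottleneck = min(ceilings, key=ceilings.get)
    return ceilings, bottleneck

if __name__ == "__main__":
    MiB = 1024 * 1024
    for buf in (64 * 1024, 8 * 1024):  # constructed per-socket buffer sizes
        ceilings, limit = connection_ceilings(
            SAMPLE_CONF, os_file_max=200_000, os_nofile=1024,
            net_mem_bytes=256 * MiB, per_socket_buf_bytes=buf)
        print(f"{buf // 1024} KiB buffers: {ceilings} -> limited by {limit}")
```

With the quoted configuration the nginx-side ceiling is 4 x 2048 = 8192 connections, below the 10000 connections requested in the quoted test, and real capacity is lower still because each worker also holds descriptors for logs and listening sockets.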
