Protection against massive requests from single server / ip

W-Mark Kubacki wmark+nginx at hurrikane.de
Sun Jan 31 15:35:52 MSK 2010


2010/1/31  <adk1601 at gmx.de>:
>
> What are your setups against a lot of requests from single servers?

For larger installations, firewalls or properly configured routers
before any servers.

For tiny, home and experimental setups, iptables [1] with rules such as:
# the syn-flood chain has to exist before rules can jump to it
-N syn-flood
# 192.0.2.0/24 stands for your own trusted network (a placeholder; the
# original 300.300.300.0/24 is not a loadable address)
-A INPUT -s 192.0.2.0/24 -j ACCEPT
-A INPUT -m recent --rcheck --seconds 120 --name ATTACKER --rsource -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j syn-flood
-A syn-flood -m limit --limit 14/sec --limit-burst 30 -j RETURN
-A syn-flood -j LOG --log-prefix "Firewall: SYN-flood "
-A syn-flood -m recent --set --name ATTACKER --rsource
-A syn-flood -j DROP
... where lots of requests equal a SYN flood.
But beware, someone could exploit these rules by forging source
IPs (see source address validation [2]), and your server is still doing
work discarding these request packets, so it could become
unresponsive if the request amount is very high (at least take a look
at syncookies [3]).

-- 
W-Mark Kubacki
http://mark.ossdl.de/

[1] http://www.netfilter.org/
[2] http://tools.ietf.org/wg/savi/
[3] http://en.wikipedia.org/wiki/SYN_cookies
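The following is an added example and not part of the original mail: a small Python model of the rule set quoted above, with the netfilter limit match treated as a token bucket (14 tokens per second, 30 burst) and the recent match as a per-source timestamp of the last --set, both of which are modelling assumptions. It reproduces the spoofing caveat from the mail: 31 SYNs forged with a victim's source address are enough to put that address on the ATTACKER list for 120 seconds. It also goes one step beyond the mail: the limit bucket belongs to the rule, not to a source address, so an unrelated client whose SYN arrives while the bucket is empty is banned as well. All addresses and timings are constructed; the SynFloodFilter class and the demo functions are names chosen here.

```python
"""Model of the iptables SYN-flood rules from the mail (added example).

Assumptions, labelled because the mail does not state them:
  * the netfilter `limit` match is modelled as a token bucket that refills
    continuously at --limit tokens/sec up to --limit-burst tokens;
  * the `recent` match is modelled as a per-source timestamp set by --set,
    and --rcheck --seconds N matches while now - timestamp <= N;
  * a SYN that RETURNs from the syn-flood chain, and any non-SYN packet,
    is assumed to be accepted by later INPUT rules not shown in the mail.
All addresses and timings below are constructed for the demonstration.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class SynFloodFilter:
    trusted: ipaddress.IPv4Network         # -A INPUT -s <net> -j ACCEPT
    rate: float = 14.0                     # --limit 14/sec
    burst: int = 30                        # --limit-burst 30
    ban_seconds: float = 120.0             # --rcheck --seconds 120
    tokens: float = field(init=False)
    last_refill: float = field(init=False, default=0.0)
    attackers: dict = field(default_factory=dict)   # --name ATTACKER: src -> time of --set
    log: list = field(default_factory=list)         # what -j LOG would write

    def __post_init__(self):
        self.tokens = float(self.burst)    # bucket starts full

    def _refill(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last_refill) * self.rate)
        self.last_refill = now

    def packet(self, now, src, syn=True):
        """Verdict of the INPUT chain for one packet from src at time now (seconds)."""
        src = ipaddress.IPv4Address(src)
        # -A INPUT -s <trusted> -j ACCEPT : whitelisted sources never reach the limiter
        if src in self.trusted:
            return "ACCEPT"
        # -A INPUT -m recent --rcheck --seconds 120 --name ATTACKER --rsource -j DROP
        # rcheck does not refresh the timestamp, so the ban ends 120 s after --set
        set_at = self.attackers.get(src)
        if set_at is not None and now - set_at <= self.ban_seconds:
            return "DROP"
        # -A INPUT -p tcp --tcp-flags SYN,RST,ACK SYN -j syn-flood : only new SYNs
        if not syn:
            return "ACCEPT"
        # -A syn-flood -m limit --limit 14/sec --limit-burst 30 -j RETURN
        # note: one bucket for the whole rule, not one per source address
        self._refill(now)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return "ACCEPT"
        # -A syn-flood -j LOG ; -m recent --set --name ATTACKER ; -j DROP
        self.log.append(f"Firewall: SYN-flood src={src} t={now:.3f}")
        self.attackers[src] = now
        return "DROP"


def spoofed_ban_demo():
    """31+ SYNs forged with the victim's address get the victim banned for 120 s."""
    f = SynFloodFilter(ipaddress.IPv4Network("192.0.2.0/24"))
    victim = "203.0.113.10"                       # constructed victim address
    verdicts = [f.packet(0.001 * i, victim) for i in range(40)]   # 40 SYNs in 40 ms
    first_drop = verdicts.index("DROP")           # burst of 30 exhausted -> 31st SYN dropped
    still_banned = f.packet(60.0, victim)         # victim's real SYN a minute later
    after_ban = f.packet(121.0, victim)           # 120 s window has passed
    return first_drop, still_banned, after_ban


def collateral_ban_demo():
    """The shared bucket bans an innocent client whose SYN arrives during a flood."""
    f = SynFloodFilter(ipaddress.IPv4Network("192.0.2.0/24"))
    attacker, innocent = "198.51.100.7", "203.0.113.20"   # constructed addresses
    for i in range(35):
        f.packet(0.001 * i, attacker)             # attacker empties the bucket and is banned
    now = f.packet(0.036, innocent)               # innocent SYN finds an empty bucket
    later = f.packet(10.0, innocent)              # ... and is now on the ATTACKER list too
    return now, later


def whitelist_demo():
    """The -s <net> ACCEPT rule comes first, so trusted hosts are never rate limited."""
    f = SynFloodFilter(ipaddress.IPv4Network("192.0.2.0/24"))
    verdicts = {f.packet(0.001 * i, "192.0.2.5") for i in range(100)}
    return verdicts == {"ACCEPT"}


if __name__ == "__main__":
    print("spoofed:", spoofed_ban_demo())
    print("collateral:", collateral_ban_demo())
    print("whitelist ok:", whitelist_demo())
```

Running the file prints the three verdict sets. The spoofed run drops the 31st forged SYN, keeps dropping the victim at 60 s and accepts it again at 121 s; the collateral run shows that the innocent client is banned without ever having exceeded anything itself, which is why the mail points to source address validation and syncookies rather than relying on the ban list alone.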