DDoS protection module suggestion

malte nginx-forum at nginx.us
Thu Nov 4 22:47:55 MSK 2010


Redd Vinylene Wrote:
-------------------------------------------------------
> Just real quick:
> 
> What about one of the BSDs and pf? The latter is
> said to be the world's best
> firewall. Real elegant syntax too:
> 
> block quick from 
> 
> pass in on $ext_if inet proto tcp from any to any
> port 80 keep state
> (max-src-conn 100, max-src-conn-rate 15/5,
> overload  flush
> global)
> 
> That takes care of all my DDoS protection needs.
> Some of y'all mentioned big
> guns though, I don't know about that.

OpenBSD's PF is indeed the world's finest software-based firewall, I'll be
the first to say. I think Linux should throw out iptables and go for a
PF port, but I digress.

I haven't tried mitigating a big DDoS with PF, and I don't know if it
would fare any better once it has say 50k individual IPs to block. But
to me that is kind of beside the point. If I am not mistaken, a well
written nginx module would be immensely helpful when faced with the
kind of DDoS I had on me last week.

If I can't find anyone interested in writing it I might have a whack at
it myself next time I get some spare time.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,147105,147721#msg-147721
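For reference, here is the quoted pf rule written out as a complete pf.conf fragment; this is an added example, not part of either post, and the interface name (em0) and the table name (ddos_src, which the quote above lost in transit) are assumptions.

```pf
# Added example, not from the posts above. Interface and table names are assumed.
ext_if = "em0"               # assumption: external interface
table <ddos_src> persist     # assumption: table that collects overloading source IPs

# Drop anything from an address that has already tripped the limit below.
block in quick on $ext_if from <ddos_src>

# Allow HTTP but track per-source state:
#   max-src-conn 100        -> at most 100 simultaneous connections per source IP
#   max-src-conn-rate 15/5  -> at most 15 new connections per 5 seconds per source IP
#   overload <ddos_src>     -> on violation, add the source IP to the table
#   flush global            -> also kill every existing state from that IP,
#                              not only the states created by this rule
pass in on $ext_if inet proto tcp from any to any port 80 \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <ddos_src> flush global)
```

Addresses added by overload are never expired by pf itself, so run something like `pfctl -t ddos_src -T expire 3600` from cron to drop entries older than an hour; `pfctl -t ddos_src -T show` lists what is currently blocked.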