DDoS protection module suggestion
malte
nginx-forum at nginx.us
Thu Nov 4 22:47:55 MSK 2010
Redd Vinylene Wrote:
-------------------------------------------------------
> Just real quick:
>
> What about one of the BSDs and pf? The latter is
> said to be the world's best
> firewall. Real elegant syntax too:
>
> block quick from
>
> pass in on $ext_if inet proto tcp from any to any
> port 80 keep state
> (max-src-conn 100, max-src-conn-rate 15/5,
> overload flush
> global)
>
> That takes care of all my DDoS protection needs.
> Some of y'all mentioned big
> guns though, I don't know about that.
OpenBSD's PF is indeed the world's finest software-based firewall, I'll be
the first to say. I think Linux should throw out iptables and go for a
PF port, but I digress.
I haven't tried mitigating a big DDoS with PF, and I don't know if it
would fare any better once it has, say, 50k individual IPs to block. But
to me that is kind of beside the point. If I am not mistaken, a well-written
nginx module would be immensely helpful when faced with the
kind of DDoS I had on me last week.
If I can't find anyone interested in writing it I might have a whack at
it myself next time I get some spare time.
Posted at Nginx Forum: http://forum.nginx.org/read.php?2,147105,147721#msg-147721
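To make the quoted PF rule concrete, here is an added example (not part of the thread or of PF itself) that models what `max-src-conn 100`, `max-src-conn-rate 15/5` and `overload ... flush global` do to a stream of new connections. It is a simplified simulation of the documented semantics, not PF's code: `max-src-conn` caps simultaneous open states per source, `max-src-conn-rate` caps new states per sliding interval, and exceeding either puts the source into the overload table (the table name is missing from the quoted rule, so it is represented here as a plain set) and flushes its existing states. The sample connection events and addresses are constructed.

```python
from collections import defaultdict, deque

# Thresholds taken from the quoted rule
MAX_SRC_CONN = 100            # max-src-conn 100
RATE_COUNT, RATE_SECS = 15, 5  # max-src-conn-rate 15/5


class OverloadTracker:
    """Simplified model of PF's per-source state limits (assumption: not PF's real implementation)."""

    def __init__(self, max_src_conn=MAX_SRC_CONN, rate_count=RATE_COUNT, rate_secs=RATE_SECS):
        self.max_src_conn = max_src_conn
        self.rate_count = rate_count
        self.rate_secs = rate_secs
        self.open_states = defaultdict(int)     # per-source count of open (kept) states
        self.recent_conns = defaultdict(deque)  # per-source timestamps of recent new states
        self.overload_table = set()             # stands in for the overload <table> (name not on the page)

    def new_connection(self, src, ts):
        """Decide the fate of a new TCP connection from src at time ts.

        Returns 'block' (source already in the overload table, hit by 'block quick'),
        'overload' (this connection pushed the source over a limit; states flushed),
        or 'pass' (state created).
        """
        if src in self.overload_table:
            return "block"

        # Sliding window: drop new-connection timestamps older than rate_secs
        window = self.recent_conns[src]
        while window and ts - window[0] > self.rate_secs:
            window.popleft()

        too_many_open = self.open_states[src] + 1 > self.max_src_conn
        too_fast = len(window) + 1 > self.rate_count
        if too_many_open or too_fast:
            # overload ... flush global: source goes into the table and all its states are killed
            self.overload_table.add(src)
            self.open_states[src] = 0
            window.clear()
            return "overload"

        window.append(ts)
        self.open_states[src] += 1
        return "pass"

    def close_connection(self, src):
        """A kept state expired or the connection closed normally."""
        if self.open_states[src] > 0:
            self.open_states[src] -= 1


def simulate(events, **limits):
    """Run (timestamp, src) events through a tracker; return per-source verdict lists and the tracker."""
    tracker = OverloadTracker(**limits)
    verdicts = defaultdict(list)
    for ts, src in sorted(events):
        verdicts[src].append(tracker.new_connection(src, ts))
    return dict(verdicts), tracker


# Constructed sample: one source opens 20 connections within a second (a flood),
# another opens 5 connections over 8 seconds (a normal client).
FLOOD_SRC, NORMAL_SRC = "203.0.113.7", "198.51.100.21"
SAMPLE_EVENTS = (
    [(0.05 * i, FLOOD_SRC) for i in range(20)]
    + [(2.0 * i, NORMAL_SRC) for i in range(5)]
)

if __name__ == "__main__":
    verdicts, tracker = simulate(SAMPLE_EVENTS)
    for src, vs in verdicts.items():
        print(src, " ".join(vs))
    print("overload table:", sorted(tracker.overload_table))
```

With the quoted thresholds, the flood source gets 15 states, the 16th connection within the 5-second window trips `max-src-conn-rate` and flushes everything it had, and every later connection is dropped by the `block quick` rule; the slow client is never affected. Passing a smaller `max_src_conn` shows the simultaneous-connection limit firing independently of the rate limit.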