DDoS protection module suggestion

Weibin Yao nbubingo at gmail.com
Fri Nov 5 12:51:51 MSK 2010


Payam Chychi at 2010-11-5 15:30 wrote:
> Hey,
>
> Instead of a 503, I would redirect them to localhost:81 and allow them to
> validate themselves via a captcha system in case it's a false positive.
Maybe I could add extra variable like this:
if ($limit_access_deny) {
    return 302 http://xxxx:81/;
}
> Like above, if a host logs the same src_ip more than $x times in $xy
> min, you should be moving the ACL up the chain: your sub-distribution,
> distribution core or even edge routers.
I think it's good to separate the determination from Nginx. It's hard
for a single Nginx to determine whether an IP is good or bad. Actually we
have 20+ reverse proxy Nginx servers in the front. Each Nginx doesn't
know the others' status. In our DDoS attack, the bad IPs' request rate is a
little higher than the normal requests'.

We decided to collect the logs together and analyze them. I don't know the
payload of log collection. Maybe it's too high. We have not done the
performance test yet. Or we should do the log analysis distributed on each
server and then collect the results together.
>
> my 2 cents
> -Payam
>
>
> malte wrote:
>> Weibin Yao Wrote:
>>> We are facing a similar DDoS situation to yours.
>>> I'm developing a module which can deny individual IPs. The module can
>>> get the IPs with a POST request from a commander server in the
>>> intranet. If you have some suggestions, you can contact me.
>>>
>>> The module will be here:
>>> https://github.com/yaoweibin/nginx_limit_access_module
>>> but I need some more days to finish it.
>>
>>
>> Wonderful!
>> Being able to interrogate the server for a list of bad IPs is an
>> excellent idea; it would allow people to make their own firewall-block
>> scripts etc.
>>
>> The main suggestion I have is that the module supports this kind of
>> rule:
>> If an IP has requested more than X pages in the last Y seconds, then
>> serve only 503 errors to that IP for the next Z seconds, and use at most
>> W megabytes of RAM for the bad-IP pool.
>>
>> Posted at Nginx Forum: 
>> http://forum.nginx.org/read.php?2,147105,147863#msg-147863
>>
>>
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://nginx.org/mailman/listinfo/nginx
>>
>>   
>


-- 
Weibin Yao
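Malte's X/Y/Z/W rule and the centralized log analysis discussed above, as an added example that is not part of this thread or of the nginx_limit_access_module: a small Python collector that parses constructed nginx access-log lines, keeps a sliding window of requests per client IP, and maintains a memory-bounded bad-IP pool of the kind a commander server could push to the proxies. The class and function names, the window/block parameters and all sample addresses are assumptions; the W-megabyte RAM bound is expressed as a maximum entry count.

```python
"""X/Y/Z/W bad-IP pool fed from nginx access logs. More than X requests in any
Y-second window blocks the IP (503) for Z seconds; the pool holds at most
max_entries IPs (the W-megabyte bound expressed as an entry count)."""
import re
from collections import OrderedDict, deque
from datetime import datetime

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "')  # client IP, $time_local
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

class BadIpPool:
    def __init__(self, max_requests, window_s, block_s, max_entries):
        self.x, self.y, self.z, self.cap = max_requests, window_s, block_s, max_entries
        self.hits = {}                # ip -> deque of request times (epoch seconds)
        self.blocked = OrderedDict()  # ip -> block expiry; insertion order = eviction order

    def observe(self, ip, ts):
        """Record one request; return True if it should be answered with 503."""
        expiry = self.blocked.get(ip)
        if expiry is not None:
            if ts < expiry:
                return True
            del self.blocked[ip]      # Z seconds are over: start with a clean record
        q = self.hits.setdefault(ip, deque())
        q.append(ts)
        while q[0] <= ts - self.y:    # forget requests outside the Y-second window
            q.popleft()
        if len(q) > self.x:
            self.blocked[ip] = ts + self.z
            del self.hits[ip]         # the per-IP history is no longer needed
            while len(self.blocked) > self.cap:
                self.blocked.popitem(last=False)  # W bound: evict the oldest block
            return True
        return False

def analyze(lines, pool):
    """Feed combined-format log lines through the pool; return the blocked IPs."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:  # skip lines that do not parse rather than crash the collector
            pool.observe(m.group(1), datetime.strptime(m.group(2), TIME_FMT).timestamp())
    return set(pool.blocked)
# Constructed sample: 203.0.113.7 sends 6 requests in 10 s, 198.51.100.2 sends 2.
SAMPLE_LOG = [
    f'203.0.113.7 - - [05/Nov/2010:12:00:{s:02d} +0300] "GET /p{s} HTTP/1.1" 200 512 "-" "curl"'
    for s in range(0, 12, 2)
] + [
    '198.51.100.2 - - [05/Nov/2010:12:00:01 +0300] "GET / HTTP/1.1" 200 512 "-" "Mozilla"',
    '198.51.100.2 - - [05/Nov/2010:12:00:09 +0300] "GET /a HTTP/1.1" 200 512 "-" "Mozilla"',
]
```

With X=5 and Y=30 the sample blocks only 203.0.113.7; shrinking Y to 5 seconds blocks nobody, which is the tuning trade-off Weibin describes when bad IPs are only slightly faster than normal clients.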
