DDoS protection module suggestion
姚伟斌
nbubingo at gmail.com
Fri Nov 5 15:47:40 MSK 2010
Thanks, you give me some good ideas.
2010/11/5 Eugaia <ngx.eugaia at gmail.com>
> Hi,
>
>
> On 05/11/2010 11:51, Weibin Yao wrote:
>
>> I think it's good to divide the determination from the Nginx. It's hard to
>> determine the IP by single Nginx whether is good or bad. Actually we have
>> 20+ reverse proxy Nginx servers in the front. Each Nginx doesn't known
>> others status. In our DDOS attack, the bad-IP's request rate is a little
>> higher than the normal request.
>>
> I agree it's a good idea to split the determination, and I think it might
> be good to put the lookup code inside the get handler for the variable - so
> that the lookup is only made if it is required.
>
> You might want to also think about having a setting to check for the
> existence or value of a cookie before doing the IP lookup - to avoid
> unnecessary overhead. It might also be better to handle the setting of the
> cookie value inside your Nginx module, since it would make keeping the
> generation and checking of cookie values consistent easier to manage.
>
The IP lookup overhead is very low and quick, I allocated a big hash table.
> You could perhaps handle the setting / value of the cookie inside Nginx,
> and have a system similar to Maxim's auth_request module - whereby a
> subrequest which would check the reCaptcha (or whatever) value, and return
> 200 for success or anything else for failure.
> You could have directives like :
>
> limit_access_cookie [cookie_name];
> limit_access_cookie_str [cookie_value];
>
> and you might want to add optional hashing (e.g. MD5) of the cookie string,
> to make it harder for determined hackers to get past cookie authentication -
> e.g.
>
> limit_access_cookie_hash md5;
>
> I think the overhead of checking hashed values of a cookie wouldn't be too
> high, since in most cases under DDoS, the cookie wouldn't exist, so you'd
> generally only be hashing for genuine users.
>
I think it's a new and useful feature and should develop a different module.
I will have a try after my limit_access module.
>
> Just a few ideas, anyway. Good luck with it!
>
Thank you.
>
> Marcus.
>
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://nginx.org/pipermail/nginx/attachments/20101105/14ecef9e/attachment-0001.html>
More information about the nginx
mailing list