DDoS protection module suggestion

Payam Chychi pchychi at gmail.com
Fri Nov 5 20:02:44 MSK 2010

Hey Malte,

During a DDoS attack, you are sending $possible_bad-ip to a different
server that just sits there and does nothing but captcha. The cost of
showing a captcha to a host is far less than the impact it would have on
your network/servers.

Also, on the captcha page you can implement cookie checks, and if the host
does not become valid, say, after seeing the page $n_times, then you can
add the IP to an ACL block list. Layer 3-4 blocking costs much less than
layer 7; the same goes if you are taking the threat away from your
production internet-facing servers and forcing the possible bad hosts to
go through a captcha system.

The last time I set up a network to handle a 400 Mbps, 140k connections
(not packets) per second attack, it was with the suggestions and topology
I've described; it worked without issues for me, but perhaps you are
seeing something that I have not.


malte wrote:
> unclepieman Wrote:
> -------------------------------------------------------
>> Hey,
>> Instead of a 503, I would redirect them to
>> localhost:81 and allow them to
>> validate themselves via a captcha system in case it's
>> a false positive.
>> Like above, if a host logs the same src_ip more
>> than $x times in $xy
>> min, you should be moving the ACL up the chain: your
>> sub-distribution,
>> distribution core or even edge routers.
> It would be nice to have it configurable either way, but when you are
> hit with a 50k bot attack and you have IPs requesting 50 pages per
> second, you want to put them down immediately, not spend server time
> serving them a dynamic captcha page.
> Posted at Nginx Forum: http://forum.nginx.org/read.php?2,147105,148021#msg-148021
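The escalation both posts describe (rate-count each source IP, divert it to a captcha host instead of answering 503, exempt it once it carries a cookie the captcha server issued, and push it to a layer 3/4 block list after $n_times captcha pages without validation), written out as an added example that is not part of this thread or of nginx itself. It assumes a custom nginx log_format of `$msec $remote_addr $cookie_captcha_ok` (not the default combined format), an HMAC-signed cookie bound to the client IP and an expiry so bots cannot forge or replay it, and constructed thresholds, secret and sample addresses; the sample log lines are constructed as well.

```python
import hmac
import hashlib
from collections import defaultdict, deque

# Constructed values for this example only; tune thresholds to real traffic.
CAPTCHA_SECRET = b"rotate-me-example-only"
RATE_LIMIT = 5              # requests an unverified IP may make per WINDOW seconds
WINDOW = 60.0               # sliding window length in seconds
MAX_CAPTCHA_STRIKES = 3     # captcha pages served without a valid cookie before blocking
COOKIE_TTL = 3600.0         # lifetime of a cookie issued by the captcha host


def issue_cookie(ip, now, secret=CAPTCHA_SECRET):
    """What the captcha host sets after a human solves the challenge.
    Token = expiry + HMAC over (client ip, expiry), so it cannot be forged
    or carried over from a different source address."""
    exp = int(now + COOKIE_TTL)
    sig = hmac.new(secret, f"{ip}|{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{exp}.{sig}"


def verify_cookie(ip, cookie, now, secret=CAPTCHA_SECRET):
    """Check signature, IP binding and expiry; '-' is how nginx logs an empty cookie."""
    if not cookie or cookie == "-":
        return False
    try:
        exp_str, sig = cookie.split(".", 1)
        exp = int(exp_str)
    except ValueError:
        return False
    if exp < now:
        return False
    expected = hmac.new(secret, f"{ip}|{exp}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


class CaptchaGuard:
    """Per-IP accounting with the thread's escalation:
    pass -> divert to captcha -> after MAX_CAPTCHA_STRIKES diversions, block."""

    def __init__(self):
        self.hits = defaultdict(deque)    # ip -> request timestamps inside the window
        self.strikes = defaultdict(int)   # ip -> captcha pages served without a valid cookie
        self.blocked = set()              # ips to hand down to the layer 3/4 ACL

    def decide(self, ts, ip, cookie):
        if ip in self.blocked:
            return "block"
        if verify_cookie(ip, cookie, ts):
            return "pass"                 # validated host: exempt from the limiter
        q = self.hits[ip]
        q.append(ts)
        while q and q[0] <= ts - WINDOW:  # drop timestamps that left the window
            q.popleft()
        if len(q) <= RATE_LIMIT:
            return "pass"
        self.strikes[ip] += 1
        if self.strikes[ip] > MAX_CAPTCHA_STRIKES:
            self.blocked.add(ip)
            return "block"
        return "captcha"                  # i.e. redirect to the captcha host

    def acl_rules(self):
        """Block list in nginx access-module form; the same addresses are what
        you would push up to the distribution/edge router ACL."""
        return [f"deny {ip};" for ip in sorted(self.blocked)]


def parse_line(line):
    """Assumed log_format: '$msec $remote_addr $cookie_captcha_ok'."""
    ts, ip, cookie = line.split(None, 2)
    return float(ts), ip, cookie.strip()


def run(log_lines):
    """Replay log lines through the guard; returns (decisions, guard)."""
    guard = CaptchaGuard()
    decisions = [guard.decide(*parse_line(l)) for l in log_lines if l.strip()]
    return decisions, guard


# Constructed sample log: one unverified flood, one host that solved the
# captcha, one host presenting a forged cookie.
BASE = 1288970000.0
GOOD_COOKIE = issue_cookie("203.0.113.9", BASE)
SAMPLE_LOG = (
    [f"{BASE + i * 0.2:.3f} 198.51.100.7 -" for i in range(10)]
    + [f"{BASE + i * 0.2:.3f} 203.0.113.9 {GOOD_COOKIE}" for i in range(8)]
    + [f"{BASE + 5:.3f} 203.0.113.10 {int(BASE + COOKIE_TTL)}.deadbeef"]
)

if __name__ == "__main__":
    decisions, guard = run(SAMPLE_LOG)
    for line, d in zip(SAMPLE_LOG, decisions):
        print(d.ljust(8), line.split()[1])
    print("\n".join(guard.acl_rules()))
```

The flood source gets five free requests, three captcha diversions, and is then added to the block list; the host with a valid cookie bypasses the counter entirely, and the forged cookie is simply treated as no cookie and rate-counted like any other unverified client.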
