DDoS protection module suggestion
Payam Chychi
pchychi at gmail.com
Fri Nov 5 20:02:44 MSK 2010
Hey Malte,
During a DDoS attack, you are sending $possible_bad-ip to a different
server that just sits there and does nothing but captcha. The cost of
showing a captcha to a host is far less than the impact it would have on
your network/servers.
Also, on the captcha you can implement cookie checks, and if the host does
not become valid, say, after seeing the page $n_times, then you can add the
IP to an ACL block list. Layer 3-4 blocking cost is much less than
layer 7; the same goes for taking the threat away from your
production internet-facing servers and forcing the possible bad hosts to go
through a captcha system.
The last time I set up a network to handle a 400 Mbps and 140k connections
(not packets) a second attack, it was with the suggestions and topology
I've described; it's worked without issues for me, but perhaps you are
seeing something that I have not.
Regards,
-Payam
malte wrote:
> unclepieman Wrote:
> -------------------------------------------------------
>
>> Hey,
>>
>> Instead of a 503, I would redirect them to
>> localhost:81 and allow them to
>> validate themselves via a captcha system in case it's
>> a false positive.
>> Like above, if a host logs the same src_ip more
>> than $x times in $xy
>> min, you should be moving the ACL up the chain: your
>> sub-distribution,
>> distribution core or even edge routers.
>>
>
> It would be nice to have it configurable either way, but when you are
> hit with a 50k bot attack and you have IPs requesting 50 pages per
> second, you want to put them down immediately, not spend server time
> serving them a dynamic captcha page.
>
> Posted at Nginx Forum: http://forum.nginx.org/read.php?2,147105,148021#msg-148021
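The escalation path discussed in this thread (rate trip on src_ip, redirect to the captcha host, cookie check, then an ACL block once the host has seen the captcha $n_times without validating) as an added Python sketch of the decision logic; this is not code from the thread or from nginx, and the threshold values and log lines are constructed.

```python
from collections import defaultdict, deque

# Constructed tunables standing in for the thread's $x, $xy and $n_times.
MAX_REQUESTS = 5        # $x requests from one src_ip ...
WINDOW_SECONDS = 60     # ... within $xy (here 60 seconds)
MAX_CAPTCHA_VIEWS = 3   # $n_times captcha pages served without the host validating

class Escalator:
    """Per request: 'allow', redirect to 'captcha', or 'block' (candidate for the L3/4 ACL)."""

    def __init__(self):
        self.hits = defaultdict(deque)      # src_ip -> timestamps of recent requests
        self.captcha_views = defaultdict(int)
        self.blocklist = set()              # what would be pushed to the upstream ACL

    def decide(self, src_ip, ts, has_valid_cookie):
        if src_ip in self.blocklist:        # cheap L3/4-style drop, checked first
            return "block"
        if has_valid_cookie:                # host solved the captcha: cookie check passes
            return "allow"
        window = self.hits[src_ip]
        window.append(ts)
        while window and window[0] <= ts - WINDOW_SECONDS:   # drop hits outside $xy
            window.popleft()
        if len(window) <= MAX_REQUESTS:
            return "allow"
        self.captcha_views[src_ip] += 1     # rate trip: serve the captcha instead of a 503
        if self.captcha_views[src_ip] > MAX_CAPTCHA_VIEWS:
            self.blocklist.add(src_ip)      # seen the page $n_times, never validated
            return "block"
        return "captcha"

def replay(log_lines):
    """Run constructed log lines of the form '<ts> <src_ip> <cookie|->' through the escalator."""
    esc = Escalator()
    decisions = []
    for line in log_lines:
        ts, ip, cookie = line.split()
        decisions.append(esc.decide(ip, int(ts), cookie == "cookie"))
    return decisions, sorted(esc.blocklist)

# Constructed sample: one host hammering ten requests in ten seconds, one quiet host.
CONSTRUCTED_LOG = [f"{t} 198.51.100.7 -" for t in range(10)] + \
                  ["3 203.0.113.5 -", "20 203.0.113.5 -", "40 203.0.113.5 -"]
```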