DDoS protection module suggestion
malte
nginx-forum at nginx.us
Sat Nov 6 00:52:13 MSK 2010
unclepieman Wrote:
-------------------------------------------------------
> Hey Malte,
>
> During a ddos attack, you are sending
> $possible_bad-ip to a different
> server that just sits there and does nothing but
> Captcha. The cost for
> showing a captcha to a host is far less than the
> impact it would have on
> your network/servers.
>
> also on the captcha you can implement cookie
> checks and if the host does
> not become valid say after seeing the page
> $n_times then you can add the
> ip to an acl block list. Layer3-4 blocking cost is
> much less than
> layer7, same goes for if you are taking the threat
> away from your
> production internet facing servers and forcing the
> possible bad hosts go
> through a captcha system.
>
> the last time I set up a network to handle 400 Mbps
> and 140k connections
> (not packets) a second attack it was with the
> suggestions and topology
> I've described, it's worked without issues for me
> but perhaps you are
> seeing something that I have not.
Yeah, I'm not saying you are wrong at all. But I can vouch that it
was a decidedly bad idea to block 50k IPs in iptables like I did; that
made all network-related activity slower than a dying turtle. And
personally, for an IP requesting 50 pages per second, I don't feel bad
at all 503:ing them instead of giving them a captcha chance. For a lower
intensity captcha I can see how your captcha system would shine though.
I'd love to see a flexible nginx module that can support either
approach. And the one that Weibin is working on sounds pretty
promising!
Posted at Nginx Forum: http://forum.nginx.org/read.php?2,147105,148142#msg-148142
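The "503 them in nginx rather than stuff tens of thousands of rules into iptables" approach above, as an added configuration example that is not part of the post or of any nginx module discussed in the thread. The zone name, the 10 r/s rate, the burst size and the upstream address are illustrative assumptions; nginx's limit_req rejects excess requests with 503 by default, so no extra status directive is needed.

```nginx
# Added example (not from the post): per-client rate limiting done by nginx
# itself, so the rejection happens at layer 7 without a long iptables chain.
http {
    # Key the counter on the client address. Per the nginx docs, 1m of shared
    # memory holds roughly 16 thousand states, so 10m covers ~160k addresses.
    limit_req_zone $binary_remote_addr zone=perip:10m rate=10r/s;

    # Log rejected requests at "warn" so they stand out for monitoring.
    limit_req_log_level warn;

    upstream backend {
        server 127.0.0.1:8080;   # placeholder: the real application server
    }

    server {
        listen 80;

        location / {
            # Tolerate a short burst of 20 requests above the steady 10 r/s;
            # with nodelay, anything beyond the burst gets an immediate 503
            # instead of being queued.
            limit_req zone=perip burst=20 nodelay;
            proxy_pass http://backend;
        }
    }
}
```

A client sustaining 50 requests per second, as in the post, exhausts the burst within a fraction of a second and then sees 503 for every further request until its rate drops back under the limit.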