Patch against server DOS

double nginx-forum at nginx.us
Fri Aug 15 18:16:12 UTC 2014


Hello,

My NGINX got a denial of service. The machine proxied large files using
"proxy_store".
Someone was creating an artifical request for a rarely used file, causing
NGINX to download a big file from upstream, then he immediately closed the
connection. NGINX continued to download this file.
Then he did the same again with some other rarely used file.
Within a couple of minutes I had thousands of connections, downloading huge
files from the backend.

My solution was, to add a small feature:
proxy_ignore_client_abort    10%;
If the server did not download at least 10% from the backend-machine, he
closes the connection to the backend as soon as the client closed the
connection to the server, even if "proxy_store" was used.

The patch:
http://doppelbauer.name/abort-upstream-161.patch

Thanks a lot
Markus

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,252594,252594#msg-252594



More information about the nginx mailing list