limit-req and greedy UAs
c0nw0nk
nginx-forum at forum.nginx.org
Mon Sep 12 12:51:54 UTC 2016
gariac Wrote:
-------------------------------------------------------
> This page has all the secret sauce, including how to limit the number
> of connections.
>
> https://www.nginx.com/blog/mitigating-ddos-attacks-with-nginx-and-nginx-plus/
>
> I set up the firewall with a higher number as a "just in case." Also
> note if you do streaming outside nginx, then you have to limit
> connections for that service in the program providing it.
>
> Mind you while I think this page has good advice, what is listed here
> won't stop a real ddos attack. The first D is for distributed, meaning
> the attacks come from many IP addresses. You probably have to pay for
> one of those reverse proxy services to avoid a real ddos, but I
> personally find them a bit creepy since I have seen hacking
> attempts come from behind them.
>
> The tips on this nginx page will limit the teenage boy in his parents'
> basement, which is a more real life scenario to be attacked. But note
> that every photo you load is a request, so I wouldn't make the limit
> any lower than 5 to 10 per second. You can play with the limits and
> watch the results on your own system. Just remember to:
> service nginx reload
> service nginx restart
>
> If you do fancy caching, you may have to clear your browser cache.
>
> In theory, Google page ranking takes speed into account. There are
> many websites that will evaluate your nginx set up.
> https://www.webpagetest.org/
>
> One thing to remember is nginx limits are in bytes per second, not
> bits per second. So the 512k limit in this example is really quite
> generous.
> http://www.webhostingtalk.com/showthread.php?t=1433413
>
> There are programs you can run on your server to flog nginx.
> https://www.howtoforge.com/how-to-benchmark-your-system-cpu-file-io-mysql-with-sysbench
>
> I did this with httperf, but sysbench is supposed to be better. Nginx
> is very efficient. Your limiting factor will probably be your server
> network connection. If you sftp files from your server, it will be at
> the maximum rate you can deliver, and this depends on time of day
> since you are sharing the pipe. I'm using a VPS that does 40mbps on a
> good day. Figure 10 users at a time and the 512kbytes per second put me
> at the limit.
>
> If you use the nginx map module, you can block download managers if
> they are honest with their user agents.
>
> http://nginx.org/en/docs/http/ngx_http_map_module.html
> http://ask.xmodulo.com/block-specific-user-agents-nginx-web-server.html
>
> Beware of creating false positives with such rules. When developing
> code, I return a 444 then search the access.log for what it found,
> just to ensure I wrote the rule correctly.
>
> Original Message
> From: Grant
> Sent: Sunday, September 11, 2016 5:30 AM
> To: nginx at nginx.org
> Reply To: nginx at nginx.org
> Subject: Re: limit-req and greedy UAs
>
> > What looks to me to be a real resource hog that quite frankly you
> cant do much about are download managers. They open up multiple
> connections, but the rate limits apply to each individual connection.
> (this is why you want to limit the number of connections.)
>
>
> Does this mean an attacker (for example) could get around rate limits
> by opening a new connection for each request? How are the number of
> connections limited?
>
> - Grant
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
The following is a good resource also if you are having issues with slow DoS
attacks where they are trying to keep connections open for long periods of
time.
OWASP : https://www.owasp.org/index.php/SCG_WS_nginx
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,269435,269473#msg-269473
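As an added configuration example (mine, not from gariac, Grant or the OWASP page), this pulls the pieces discussed in the thread into one server block: a per-IP connection cap (limit_conn) so that opening a fresh connection per request no longer sidesteps the per-connection bandwidth limit, a per-IP request rate (limit_req) that counts across all of a client's connections because the zone is keyed on $binary_remote_addr, a limit_rate in bytes per second, short timeouts against slow connection-holding attacks, and a map on $http_user_agent that answers 444 so the rule can be checked against access.log as gariac describes. The zone names, the server_name and the two user-agent patterns are placeholders, not a vetted block list; the numeric limits are starting points to tune on your own traffic.

```nginx
# Added example, not configuration from the thread. Goes inside the http {} block.

# Shared-memory zones keyed on the client address. limit_conn_zone counts open
# connections per IP; limit_req_zone counts requests per IP regardless of how
# many connections they arrive over. 10m holds on the order of 160k addresses.
limit_conn_zone $binary_remote_addr zone=perip_conn:10m;
limit_req_zone  $binary_remote_addr zone=perip_req:10m rate=10r/s;

# Flag user agents that announce themselves as bulk downloaders.
# The two patterns are placeholders for illustration; build your own list from
# what you actually see in access.log.
map $http_user_agent $blocked_ua {
    default                    0;
    ~*ExampleDownloadManager   1;   # placeholder pattern
    ~*AnotherBulkGrabber       1;   # placeholder pattern
}

server {
    listen 80;
    server_name example.com;        # placeholder

    # At most 10 concurrent connections per client IP; reject extras with 429
    # instead of the default 503 so they are easy to pick out of the log.
    limit_conn        perip_conn 10;
    limit_conn_status 429;

    # 10 requests/second sustained per IP, with a burst of 20 so a page that
    # loads many images is not throttled; nodelay serves the burst immediately.
    limit_req        zone=perip_req burst=20 nodelay;
    limit_req_status 429;

    # Per-connection bandwidth cap. nginx sizes are bytes, so 512k is 512 KiB/s.
    limit_rate 512k;

    # Defence against slow attacks that hold connections open: do not wait
    # long for headers/body, for the client to read, or on idle keepalives.
    client_header_timeout 10s;
    client_body_timeout   10s;
    send_timeout          10s;
    keepalive_timeout     15s;

    # Close the connection without a response. 444 shows up in access.log,
    # so the map can be verified before switching it to a softer action.
    if ($blocked_ua) {
        return 444;
    }

    location / {
        root /var/www/html;         # placeholder
    }
}
```

After `nginx -t` and a reload, rate-limit rejections appear in the error log at the level set by limit_req_log_level / limit_conn_log_level (default error), and the user-agent rule can be checked with something like `grep ' 444 ' /var/log/nginx/access.log` to confirm only the intended agents are being matched before the list is relied on.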