nginx limit_req and limit_conn not working to prevent DoS attack

Zhang Chao zchao1995 at gmail.com
Wed Aug 2 01:46:36 UTC 2017


Hi!

I don’t think just drop the connection is a good idea, client will never
know what happens on the server end.
However, the code 444 may help you, nginx just close the connection in this
case.

On 2 August 2017 at 09:30:01, Phani Sreenivasa Prasad (
nginx-forum at forum.nginx.org) wrote:

Hi All,

I am using nginx in our products. When I run goldeneye DoS attack script
against nginx, it is not able to defend against the attack and normal users
getting impacted.

python goldeneye.py http://<ipaddress> -w 5 -s 10000 -m random -d

we are using below nginx limit_req options but didnt help. The nginx
documentation says that, these options are used to limit the request rating
limit per key. below is some sample configuration that we tried. The
problem
is, when we use these nginx options, it still keeps nginx busy responding
with 503 or some other error code for all those requests beyond the rate
limit . Hence any genuine user when trying to access webserver during the
attack time, not getting chance to access our server and timing out or
getting 500 error.

http {
limit_req_zone $binary_remote_addr zone=one:10m rate=5r/s;

...

server {

limit_req zone=one ;
...

location /sampleurl/ {

}

(Note: also tried limit_conn options and behavior is same).



Why should nginx respond back with any error code rather it should drop
connections !! otherwise it can't protect itself against any DoS attack.
please share the thoughts.

Posted at Nginx Forum:
https://forum.nginx.org/read.php?2,275796,275796#msg-275796

_______________________________________________
nginx mailing list
nginx at nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170801/815c3ae2/attachment.html>


More information about the nginx mailing list