Protection against DDoS attacks with random arguments using Nginx
I ran into a new type of botnet. Older ones only hammered the main page; this one behaves differently. It sends many requests of the form GET /someurl/?t1555ss5326=5326, where someurl is a PHP script the bot has found on the site. But if the attacked site uses clean, human-readable URLs (ЧПУ in the Russian original, often machine-translated as "CNC"), such requests should not occur at all. Clean URLs are now the de facto standard, so you can safely cut off such requests and log the bots' IPs. Nginx is very convenient for this thanks to its $is_args variable, which equals "?" when the URI contains arguments and is empty otherwise. The basic construct looks like this:
if ($is_args = "?") { return 444; }   # 444 makes nginx close the connection without a response; use "return 403;" to send a Forbidden response instead
Very simple and elegant, isn't it? Here is what the load average looks like after enabling this protection: load average: 1.50, 3.09, 6.96. The current botnet of ~20,000 zombies makes 5-8k simultaneous requests.
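As an added example (not the original post's configuration), a fuller nginx server block that applies the same $is_args rule but exempts paths that legitimately take arguments on a clean-URL site and writes blocked requests to their own log so the source IPs can be collected; the hostname, exempt paths and the PHP-FPM socket are placeholders.

```nginx
# Added example, not from the original post. Hostname, paths and socket are placeholders.
# Requests carrying a query string are refused with 444 (nginx closes the connection
# without sending a response), except on paths that legitimately take arguments.

# Paths where query arguments are expected even on a clean-URL site.
map $uri $args_allowed {
    default        0;
    ~^/search/     1;   # site search: /search/?q=...
    ~^/api/        1;   # JSON API endpoints
}

# Block when the URI has arguments ($is_args is "?") and the path is not exempt.
map "$is_args$args_allowed" $block_args {
    default 0;
    "?0"    1;
}

server {
    listen 80;
    server_name example.com;            # placeholder
    root /var/www/html;

    # Only blocked requests go to this log, so it is a ready-made list of bot IPs
    # to hand to the firewall or fail2ban. Normal traffic keeps its usual log.
    access_log /var/log/nginx/blocked_args.log combined if=$block_args;
    access_log /var/log/nginx/access.log combined;

    # 444 costs less than 403 under load: no response body is built or sent.
    if ($block_args) {
        return 444;
    }

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # placeholder socket path
    }
}
```

Check the exempt list against your own site before enabling this: anything that relies on query arguments (search, pagination, tracking parameters) will be dropped unless its path is listed in the first map.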