
Case NGINX: How to counter DDoS attacks

The main goal of our work is to make IaaS simple and straightforward, even for those with no IT background. That is why we continuously optimize all of our systems and write about what we have achieved in our blog on Habr.

A couple of examples:


Today we decided to take a look at Western experience and briefly analyze the topic of load balancing. Our attention was caught by a note on handling DDoS attacks.

/ Photo by Dennis van Zuijlekom / CC

To start with terminology: a DDoS attack can be defined as an attack on an IT system intended to bring it into a state in which it can no longer serve requests at an adequate level of quality. The impact is quantitative: it is produced by bots that exploit one vulnerability or another to flood the system with traffic.

Such a vulnerability may be the system's poor readiness to handle a large number of requests, to parallelize connections, or to balance load. In the simplest DDoS attack, the traffic to your system comes from a set of addresses that generate an anomalous number of requests and connections. Besides the traffic intensity, the attack can also be detected by non-standard User-Agent headers.

NGINX lets you manage this traffic by routing it and by limiting the rate of incoming requests to the average values typical of humans rather than bots. In addition, you can set the maximum number of connections that may come from a single IP address.

A further option is to close connections that are practically unused but remain open for a long time. This protects your system from Slowloris attacks.
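As an added example (not code from the original post or from NGINX's own documentation), here is a configuration fragment that combines the three measures above: per-IP request rate limiting, a per-IP connection cap, and short timeouts that close slow or idle connections. The zone names, the numeric limits, the listen port and the backend address are assumptions chosen for illustration.

```nginx
# Added example: rate limiting, per-IP connection cap and slow-connection timeouts.
# Zone names, limits and addresses are placeholders, not values from the original post.
http {
    # One 10 MB shared-memory zone keyed by client address ($binary_remote_addr keeps
    # entries small). 10 r/s is an assumed "human" average; flood bots exceed it by far.
    limit_req_zone $binary_remote_addr zone=per_ip_req:10m rate=10r/s;

    # Second zone counting concurrent connections per client address.
    limit_conn_zone $binary_remote_addr zone=per_ip_conn:10m;

    server {
        listen 80;

        # Slowloris defence: a client must finish sending headers and body quickly,
        # and idle keep-alive connections are closed early so they cannot pile up.
        client_header_timeout 10s;
        client_body_timeout   10s;
        send_timeout          10s;
        keepalive_timeout     15s;

        location / {
            # Allow a short burst of 20 requests above the rate, serve them without
            # queueing delay, and reject anything beyond that immediately.
            limit_req zone=per_ip_req burst=20 nodelay;
            limit_req_status 429;

            # No more than 10 simultaneous connections from one address.
            limit_conn per_ip_conn 10;
            limit_conn_status 429;

            proxy_pass http://127.0.0.1:8080;   # placeholder backend
        }
    }
}
```

One caveat a practitioner should check before deploying this: if NGINX sits behind a load balancer or CDN, $binary_remote_addr is the address of that proxy, so every client shares one bucket and legitimate users get throttled together. In that case configure the realip module (set_real_ip_from and real_ip_header) for the trusted proxy before keying limits on the client address, and validate the file with nginx -t before reloading.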

A tougher measure is to blacklist IP addresses with the deny directive, after which NGINX no longer processes requests from those addresses. The alternative is to allow only a range of permitted IPs.


/ Photo: Joe The Goat Farmer / CC

To absorb traffic spikes, you can use caching. NGINX can serve cached objects and update stale ones as needed, which smooths the load peaks on your backend.
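The following added example (not from the original post) shows the caching setup this paragraph describes: responses are kept in a local cache, an expired copy is still served while one worker refreshes it, and concurrent misses for the same key are collapsed into a single backend request. The cache path, zone name, sizes and the backend address are placeholders.

```nginx
# Added example: caching in front of an application so that a traffic spike is
# served from the cache rather than hitting the backend. Paths, zone name, sizes
# and the backend address are placeholders.
http {
    # Cache storage: 10 MB of keys in shared memory, up to 1 GB on disk;
    # entries not requested for 60 minutes are evicted.
    proxy_cache_path /var/cache/nginx/app levels=1:2 keys_zone=app_cache:10m
                     max_size=1g inactive=60m use_temp_path=off;

    server {
        listen 80;

        location / {
            proxy_cache app_cache;
            proxy_cache_valid 200 301 302 10m;   # how long a fresh copy is reused
            proxy_cache_valid 404 1m;

            # Keep serving an expired copy while it is being refreshed, and also
            # when the backend errors out or times out under load.
            proxy_cache_use_stale error timeout updating
                                  http_500 http_502 http_503 http_504;
            proxy_cache_background_update on;

            # Collapse concurrent misses for the same key into one backend request.
            proxy_cache_lock on;
            proxy_cache_lock_timeout 5s;

            # Expose the cache decision so it can be checked from a client or in logs.
            add_header X-Cache-Status $upstream_cache_status;  # HIT / MISS / STALE / UPDATING

            proxy_pass http://127.0.0.1:8080;   # placeholder backend
        }
    }
}
```

To verify the behaviour, request the same URL twice with curl -sI and look at X-Cache-Status: a HIT or STALE on the second request means the backend was not contacted. Note that only cacheable responses are protected this way; responses with Set-Cookie or Cache-Control: private are not stored by default, so a page that is personalized for every user still reaches the backend on every request.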

Additionally, you can configure filters by URL (for the case when a specific part of your site is under attack) and by User-Agent header (to cut off anomalous traffic that does not resemble normal user behavior). It is also possible to limit the number of connections at the level of internal routing between servers, that is, the connections NGINX opens to the backend servers behind it.
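The following added example (not from the original post) combines the access-control measures mentioned in this article: blacklisting with deny, an allow-list for a restricted path, a URL filter for a path under attack, a User-Agent filter built with map, and a cap on connections to the backend servers. All addresses come from the RFC 5737 documentation ranges, and the agent pattern, paths and ports are placeholders.

```nginx
# Added example: deny/allow lists, URL and User-Agent filters, and a cap on
# connections to the backend. Addresses, paths and patterns are placeholders.
http {
    # Flag requests whose User-Agent is empty or matches an assumed bot signature.
    # Patterns are case-insensitive (~*); replace the placeholder with strings
    # actually observed in your access logs.
    map $http_user_agent $bad_agent {
        default                      0;
        ""                           1;   # empty User-Agent
        "~*placeholder-flood-bot"    1;   # assumed signature, not a real bot name
    }

    # Backend pool; max_conns caps the connections NGINX opens to each server,
    # so the backend is not flooded even if NGINX itself accepts many clients.
    upstream app_backend {
        server 127.0.0.1:8080 max_conns=200;
        server 127.0.0.1:8081 max_conns=200;
    }

    server {
        listen 80;

        # Blacklist: rules are evaluated in order and the first match wins.
        deny 203.0.113.10;
        deny 203.0.113.64/26;

        # Drop flagged agents without sending a response (444 closes the connection).
        if ($bad_agent) {
            return 444;
        }

        # A path that is under attack and can be taken offline entirely.
        location = /search {
            return 503;
        }

        # Administrative path reachable only from the internal range; the
        # allow/deny rules here replace the server-level ones for this location.
        location /admin/ {
            allow 198.51.100.0/24;
            deny  all;
            proxy_pass http://app_backend;
        }

        location / {
            proxy_pass http://app_backend;
        }
    }
}
```

Two things to keep in mind: max_conns on upstream servers is available in open-source NGINX since version 1.11.5 (earlier it was an NGINX Plus feature), and inside an if block only return and rewrite behave predictably, so keep the filter to a plain return as above.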

NGINX's built-in tools let you analyze various metrics of incoming traffic, and monitoring is also available through the API.
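As an added example (not from the original post), the fragment below exposes the open-source stub_status counters on a loopback-only port and adds a log format that records, per request, whether the rate or connection limiter acted on it. Ports, paths and the backend address are placeholders; the NGINX Plus API mentioned in the text offers richer per-zone counters, and stub_status is its open-source counterpart.

```nginx
# Added example: stub_status metrics on a local-only port and an access log that
# records limiter decisions. Ports, paths and the backend address are placeholders.
http {
    # $limit_req_status and $limit_conn_status exist since NGINX 1.17.6 and take the
    # values PASSED, DELAYED or REJECTED (empty when no limiter applies to the request);
    # $request_time helps spot clients that hold connections open for a long time.
    log_format ddos '$remote_addr [$time_local] "$request" $status '
                    'rt=$request_time limit_req=$limit_req_status '
                    'limit_conn=$limit_conn_status ua="$http_user_agent"';

    server {
        listen 80;
        access_log /var/log/nginx/access.log ddos;

        location / {
            proxy_pass http://127.0.0.1:8080;   # placeholder backend
        }
    }

    # Status endpoint bound to loopback only, so the metrics are never reachable
    # from the Internet; requires the stub_status module (present in most packages).
    server {
        listen 127.0.0.1:8099;

        location = /nginx_status {
            stub_status;
            access_log off;
            allow 127.0.0.1;
            deny  all;
        }
    }
}
```

Running curl http://127.0.0.1:8099/nginx_status on the host prints Active connections, the accepts/handled/requests counters and the Reading/Writing/Waiting breakdown. A Waiting figure that climbs while the requests counter stays flat is the signature of a slow-connection attack, and grep limit_req=REJECTED over the access log shows which addresses the rate limiter is turning away.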

Source: https://habr.com/ru/post/275107/

