
Inexpensive way to protect against HTTP flood

The other day, as always at the wrong moment, one of the sites hosted on my server came under a DDoS attack. DDoS attacks come in different kinds; this time the attackers launched an HTTP flood.

The flood was not so much heavy in traffic as intensive in the number of requests. And, unfortunately, the requests were not all of the same type but constantly changing. None of the software protection I had at the time could cope effectively with such a flood, so I had to use hardware solutions.

I think hardware solutions are the right choice, but they are not available to everyone and not always, and many attacks, as my practice shows, can be beaten off successfully with the correct use of available software. Besides, I wanted to experiment a bit.


After a detailed study of the capabilities of the nginx + Apache combination that I have been using for a long time, and of the nginx documentation, a solution based on the ngx_http_limit_req_module module was born.

This module lets you limit the number of requests for a given session or from a single address. I will not describe its capabilities in detail; the documentation is available to everyone.

What I've done



I checked whether nginx was compiled with the ngx_http_limit_req_module module and added the following lines to the server configuration file:

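    http {
        # Define the zone that stores the state of each client address.
        # Zone "one" is 10 MB in size, and the average request rate
        # for this zone may not exceed 2 requests per second.

        limit_req_zone $binary_remote_addr zone=one:10m rate=2r/s;

        ...

        server {

            ...

            location / {
                # Set the zone (zone) this location belongs to
                # and the maximum burst of requests (burst).
                # If the request rate exceeds the rate configured for the zone,
                # processing is delayed so that requests are handled at that rate.
                # Excess requests are delayed until their number exceeds the burst size;
                # in that case the request is terminated with
                # "Service unavailable" (503).

                limit_req zone=one burst=4;
            }
        }
    }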


  * sample configuration and explanation from the module documentation page 


What I got



All bots that hammered the server at a frantic rate began to receive HTTP error 503 in response. The bots' IP addresses can then be selected from the logs, for example:

    tail -n 1000 /var/log/nginx-access.log | grep "503" | cut -f1 -d " " | sort -u


After that, putting them into a firewall table (I have FreeBSD and IPFW) could not be easier, and neither could putting it all in crontab.
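A stricter version of the log selection above, as an added example that is not part of the original post: it matches 503 only in the status field, so a 503 that appears in a URL or byte count is ignored, and it requires a minimum number of hits so that a visitor who tripped the limit once is not listed. It assumes the default "combined" access log format; the table number 1, the threshold of 3 and the sample log lines are constructed for illustration.

```sh
#!/bin/sh
# Assumes nginx "combined" log format: field 1 = client address,
# field 9 = response status (request line has method, URI, protocol).

# Constructed sample log lines (documentation address ranges), not real traffic.
sample_log() {
cat <<'EOF'
203.0.113.7 - - [10/Aug/2009:12:00:01 +0400] "GET /?q=a HTTP/1.1" 503 213 "-" "-"
203.0.113.7 - - [10/Aug/2009:12:00:01 +0400] "GET /?q=b HTTP/1.1" 503 213 "-" "-"
203.0.113.7 - - [10/Aug/2009:12:00:02 +0400] "GET /?q=c HTTP/1.1" 503 213 "-" "-"
198.51.100.20 - - [10/Aug/2009:12:00:02 +0400] "GET /item/503 HTTP/1.1" 200 503 "-" "-"
198.51.100.20 - - [10/Aug/2009:12:00:03 +0400] "GET /style.css HTTP/1.1" 503 213 "-" "-"
192.0.2.44 - - [10/Aug/2009:12:00:03 +0400] "GET / HTTP/1.1" 200 5030 "-" "-"
EOF
}

# flooders MIN_HITS: read an access log on stdin and print every address
# that received MIN_HITS or more 503 responses, one per line, sorted.
flooders() {
    awk -v min="$1" '
        # Count only lines whose status field is exactly 503 and whose
        # first field looks like an IPv4/IPv6 address.
        $9 == "503" && $1 ~ /^[0-9a-fA-F.:]+$/ { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= min) print ip }
    ' | sort
}

# ipfw_commands TABLE MIN_HITS: print "ipfw table ... add" lines for review.
# Nothing is executed; TABLE is an assumed table number that an existing
# deny rule is expected to reference.
ipfw_commands() {
    flooders "$2" | while read -r ip; do
        printf 'ipfw table %s add %s\n' "$1" "$ip"
    done
}

# Demo on the constructed sample: prints one line, for 203.0.113.7.
sample_log | ipfw_commands 1 3
```

On a live server the input would be the tail of the access log instead of `sample_log`, and the printed lines should be checked against your own addresses before being applied from cron.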

That's all. I do not claim that the idea is original; thanks to Igor Sysoev for implementing nginx and this module for it.

I hope this quite affordable way to protect against an HTTP flood that is dynamic and intensive in terms of requests will be useful to you.

Source: https://habr.com/ru/post/67685/

