Struggle with DDOS and DOS at nginx level
FreeBSD, network card: Intel fxp, port: 100 Mbit, polling, http accept-filter.
in sysctl:
sysctl kern.maxfiles=90000
sysctl kern.maxfilesperproc=80000
sysctl net.inet.tcp.blackhole=2
sysctl net.inet.udp.blackhole=1
sysctl kern.polling.burst_max=1000
sysctl kern.polling.each_burst=50
sysctl kern.ipc.somaxconn=32768
sysctl net.inet.tcp.msl=3000
sysctl net.inet.tcp.maxtcptw=40960
sysctl net.inet.tcp.nolocaltimewait=1
sysctl net.inet.ip.portrange.first=1024
sysctl net.inet.ip.portrange.last=65535
sysctl net.inet.ip.portrange.randomized=0
in nginx configuration:
worker_processes 1;
worker_rlimit_nofile 80000;
events {
worker_connections 50000;
}
server_tokens off;
log_format IP '$remote_addr';
reset_timedout_connection on;
listen xx.xx.xx.xx:80 default rcvbuf=8192 sndbuf=16384 backlog=32000 accept_filter=httpready;
The following shows how to filter by URL; in this example we catch POST requests to
index.php?action=login that arrive with an empty Referer header.
set $add 1;
location /index.php {
    limit_except GET POST {
        deny all;
    }
    # each matching condition appends "1"; all three together give "111"
    set $ban "";
    if ($http_referer = "") { set $ban $ban$add; }
    if ($request_method = POST) { set $ban $ban$add; }
    if ($query_string = "action=login") { set $ban $ban$add; }
    if ($ban = 111) {
        access_log /var/log/nginx/ban IP;
        return 404;
    }
    proxy_pass http://127.0.0.1:8000; #here is a patch
}
Beyond that we block at the pf level: hosts that generate too many hits are loaded into a pf table.
pf with tables works very fast. The source of the log parser (ddetect) can be found at http://www.comsys.com.ua/files
Cron then runs once a minute to add the new IPs from the log to the table.
Under a 25 MByte DDoS, pf blocks the offending IPs, the rest reach nginx, which filters more IPs by the criterion above, and the remainder are passed on to Apache: load average 0, the site works.
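The cron step described above, as an added example that is not the post's own script and not the ddetect tool: it counts hits per IP in the nginx "ban" log (which, with the IP log_format above, contains one $remote_addr per line), selects the addresses above a threshold, and feeds them to a pf table with pfctl. The table name "ddos", the threshold and the sample log are constructed assumptions; on a host without pfctl the script prints the commands it would run instead.

```shell
#!/bin/sh
# Added example: turn the nginx "ban" log (one $remote_addr per line) into
# pf table entries. Table name "ddos" and threshold 10 are hypothetical.

# offenders <logfile> <threshold>: print, sorted, every IP that appears at
# least <threshold> times in the log. Lines that are not a single field
# (e.g. a different log_format) are ignored.
offenders() {
    awk -v t="$2" '
        NF == 1 { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= t) print ip }
    ' "$1" | sort
}

# ban_ips <logfile> <threshold> <table>: add the offenders to the pf table.
# pfctl is used only when present (the real cron job on the FreeBSD box);
# otherwise the commands are echoed so the logic can be tried anywhere.
ban_ips() {
    ips=$(offenders "$1" "$2")
    if [ -z "$ips" ]; then
        return 0
    fi
    for ip in $ips; do
        if command -v pfctl >/dev/null 2>&1; then
            pfctl -t "$3" -T add "$ip"
        else
            echo "pfctl -t $3 -T add $ip"
        fi
    done
}

# write_sample_log <path>: constructed sample log, 12 hits from 10.0.0.5,
# 3 from 10.0.0.6 and 11 from 10.0.0.7 (stand-in for /var/log/nginx/ban).
write_sample_log() {
    : > "$1"
    i=0; while [ "$i" -lt 12 ]; do echo "10.0.0.5" >> "$1"; i=$((i + 1)); done
    i=0; while [ "$i" -lt 3 ];  do echo "10.0.0.6" >> "$1"; i=$((i + 1)); done
    i=0; while [ "$i" -lt 11 ]; do echo "10.0.0.7" >> "$1"; i=$((i + 1)); done
}

# Stand-alone run: with threshold 10 only 10.0.0.5 and 10.0.0.7 are banned.
demo_log="${TMPDIR:-/tmp}/nginx-ban-demo.$$"
write_sample_log "$demo_log"
ban_ips "$demo_log" 10 ddos
rm -f "$demo_log"
```

For the pfctl calls to do anything, pf.conf needs the table declared with `table <ddos> persist` and a rule such as `block in quick from <ddos>`; the script is then run from cron every minute. Counting over the whole log file means an IP stays above the threshold forever, so in practice the log should be rotated (or only the lines since the last run considered) and the table expired with `pfctl -t ddos -T expire <seconds>`.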

I did not understand anything from your post:
what are those sysctl configurations for,
and what's special in your nginx setup?
November 9th, 2009 at 6:46 pm
sysctl is direct access into the linux kernel.
November 13th, 2009 at 5:57 pm
Nginx is a very fast and light HTTP server, I think it is the fastest server up to now. This configuration defends your website against DDOS and DOS attacks. Of course some dedicated appliances for this can do a better job, but they also may cost a lot of money, and this solution is much, much cheaper.