21 Aug

Struggle with DDOS and DOS at nginx level

FreeBSD, network card: Intel fxp, port: 100 Mbit, device polling, HTTP accept filter (accf_http).

   in sysctl:
           sysctl kern.maxfiles=90000                 # system-wide open file limit
           sysctl kern.maxfilesperproc=80000          # per-process limit; must cover nginx worker_rlimit_nofile
           sysctl net.inet.tcp.blackhole=2            # send no RST for any segment to a closed TCP port
           sysctl net.inet.udp.blackhole=1            # send no ICMP unreachable for closed UDP ports
           sysctl kern.polling.burst_max=1000         # device polling: max packets handled per poll
           sysctl kern.polling.each_burst=50
           sysctl kern.ipc.somaxconn=32768            # listen queue ceiling; nginx backlog= must fit under it
           sysctl net.inet.tcp.msl=3000               # MSL in ms: TIME_WAIT lasts 2*MSL = 6 s instead of 60 s
           sysctl net.inet.tcp.maxtcptw=40960         # cap on TIME_WAIT entries kept in memory
           sysctl net.inet.tcp.nolocaltimewait=1      # no TIME_WAIT for loopback connections (nginx -> 127.0.0.1:8000)
           sysctl net.inet.ip.portrange.first=1024    # wide ephemeral port range for the proxy connections
           sysctl net.inet.ip.portrange.last=65535
           sysctl net.inet.ip.portrange.randomized=0  # sequential source ports: cheaper, but predictable (a trade-off)

in the nginx configuration:

           worker_processes 1;
           worker_rlimit_nofile 80000;        # not above kern.maxfilesperproc
           events {
               worker_connections 50000;
           }

           server_tokens off;                 # do not advertise the nginx version
           log_format IP '$remote_addr';      # one client address per line, used for the ban log below
           reset_timedout_connection on;      # close timed-out clients with RST and free their memory at once

           listen  xx.xx.xx.xx:80  default rcvbuf=8192 sndbuf=16384 backlog=32000 accept_filter=httpready;
           # "default" is the old spelling of default_server; backlog must stay under kern.ipc.somaxconn;
           # accept_filter=httpready needs the accf_http kernel module and wakes nginx only for complete requests

Requests can also be filtered by URL in the following way. The example targets a POST to
index.php?action=login that arrives with an empty Referer, which a browser submitting the login
form normally sends. Each of the three conditions appends a "1" to $ban, so $ban equals "111"
only when all three hold; this avoids nested if blocks, which nginx does not support.

           set $add 1;
           location /index.php {
                   limit_except GET POST {
                           deny all;                          # every other method is refused
                   }
                   set $ban "";
                   # each matching condition appends "1"; all three matching gives "111"
                   if ($http_referer = "") { set $ban $ban$add; }
                   if ($request_method = POST) { set $ban $ban$add; }
                   if ($query_string = "action=login") { set $ban $ban$add; }
                   if ($ban = 111) {
                           access_log /var/log/nginx/ban IP;  # one $remote_addr per line, fed to pf later
                           return 404;
                   }
                   proxy_pass http://127.0.0.1:8000;          # backend (Apache)
           }

The next layer is pf: hosts that generate too many hits are loaded into a pf table, and pf
lookups against tables are very fast. The log parser used for this (ddetect) can be found at
http://www.comsys.com.ua/files
A cron job then runs once a minute and adds the new IPs from the ban log to the table.
The result under a 25 Mbyte DDoS: pf drops the listed IPs, the rest reaches nginx, which filters
by the criterion above, and only what survives is passed on to Apache. Load average 0, the site works.
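As an added example (not the author's ddetect, whose source is at the URL above), the following POSIX shell script shows the once-a-minute step in outline: it reads the nginx ban log written with `log_format IP '$remote_addr';`, counts hits per address, and adds every address at or above a threshold to a pf table with pfctl. The table name `ddos`, the threshold, the log path, the crontab line and the sample log lines are assumptions constructed for the example; the pf.conf lines in the comments are what the script expects, not something the page shows.

```shell
#!/bin/sh
# Added example (not the page's ddetect): count hits per IP in the nginx "ban"
# log and feed the offenders into a pf table.
# Assumed pf.conf lines (not from the page):
#   table <ddos> persist
#   block in quick on $ext_if from <ddos> to any
# Assumed crontab entry, run once a minute as root:
#   * * * * * /usr/local/sbin/banlog.sh /var/log/nginx/ban 20 ddos

# Constructed sample of the log produced by `log_format IP '$remote_addr';`
# (one client address per line; RFC 5737 documentation addresses).
SAMPLE_LOG='203.0.113.5
203.0.113.5
198.51.100.7
203.0.113.5
198.51.100.7
192.0.2.9
203.0.113.5
203.0.113.5'

# offenders THRESHOLD   (log on stdin)
# Prints, sorted, every address that appears at least THRESHOLD times.
offenders() {
    sort | uniq -c | awk -v t="$1" '$1+0 >= t+0 { print $2 }' | sort
}

# count_offenders THRESHOLD   (log on stdin)
# Number of addresses at or above the threshold.
count_offenders() {
    offenders "$1" | wc -l | tr -d ' '
}

# ban_offenders THRESHOLD TABLE   (log on stdin)
# Adds each offender to pf table TABLE. Re-adding an address already in the
# table is harmless (pfctl reports "0/1 addresses added"), so the cron job
# can simply re-scan the whole log. Set PFCTL=echo for a dry run on a host
# without pf.
ban_offenders() {
    threshold="$1"; table="$2"
    offenders "$threshold" | while read -r ip; do
        "${PFCTL:-pfctl}" -t "$table" -T add "$ip"
    done
}

# Optional housekeeping so a one-off offender is not blocked forever:
# drop entries not touched by a matching packet in the last 3600 s.
#   pfctl -t ddos -T expire 3600

# When run from cron: banlog.sh LOGFILE THRESHOLD TABLE
if [ $# -eq 3 ]; then
    ban_offenders "$2" "$3" < "$1"
fi
```

Because the ban log only contains requests that already matched all three nginx conditions, the threshold is a second filter on volume, not on request shape; pair it with the `expire` line so the table does not grow without bound across a long attack.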

3 Responses to “Struggle with DDOS and DOS at nginx level”

  1. guest Says:

    I did not understand anything from your post,

    what are those sysctl configurations for?

    and what’s special in your nginx setup?

  2. avatar Says:

    sysctl is direct access into the Linux kernel.
    Nginx is a very fast and light HTTP server; I think it is the fastest server so far. This configuration defends your website against DDOS and DOS attacks. Of course, some dedicated appliances for this can do a better job, but they may also cost a lot of money, and this solution is much, much cheaper.

  3. Faisal Ghulam Says:

    Can you explain in detail how IP addresses are parsed from Nginx to Pf for blocking?

oneroot.ca copyright © 2014 | ONEROOT INC. Linux IT Support in Winnipeg. eMail: support at oneroot.ca