Created
December 23, 2015 08:17
-
-
Save prasetiyohadi/81e249c6b019f01e4e57 to your computer and use it in GitHub Desktop.
Mitigating DDOS Attack with Nginx
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Source: https://www.nginx.com/blog/mitigating-ddos-attacks-with-nginx-and-nginx-plus/ | |
| # DDOS characteristics: | |
| # - traffic originates from a fixed set of IP addresses, much higher than requests from forward proxies | |
| # - traffic is much higher than a human user can generate | |
| # - The User-Agent header is sometimes set to a non-standard value | |
| # - The Referer header is sometimes set to a value you can associate with the attack | |
| # Limiting the rate of requests (example: 30 connection per minute per IP or allow request only every 2 seconds) | |
| limit_req_zone $binary_remote_addr zone=one:10m rate=30r/m; | |
| server { | |
| ... | |
| location /login.html { | |
| limit_req zone=one; | |
| ... | |
| } | |
| } | |
| # Limiting the number of connections (example: maximum number of connections is 10 per ip) | |
| limit_conn_zone $binary_remote_addr zone=addr:10m; | |
| server { | |
| ... | |
| location /store/ { | |
| limit_conn addr 10; | |
| ... | |
| } | |
| } | |
| # Closing slow connection | |
| server { | |
| client_body_timeout 5s; | |
| client_header_timeout 5s; | |
| ... | |
| } | |
| # Blacklisting IP addresses | |
| server { | |
| location / { | |
| deny 123.123.123.0/28; | |
| ... | |
| } | |
| location / { | |
| deny 123.123.123.3; | |
| deny 123.123.123.5; | |
| deny 123.123.123.7; | |
| ... | |
| } | |
| } | |
| # Whitelisting IP addresses | |
| server { | |
| location / { | |
| allow 192.168.1.0/24; | |
| deny all; | |
| ... | |
| } | |
| } | |
| # Using chaching to smooth traffic spikes | |
| # absorb much of traffic spike that results from an attack by enabling caching and setting certain chaching parameters to offload requests from backend | |
| # The **updating** parameter to the **proxy_cache_use_stale** directive tells Nginx that when it needs to fetch an update of a stale cached object, it should send just one request for the update, and continue to serve the stale object to clients who request it during the time it takes to receive the update from the backend server | |
| # The key defined by the **proxy_cache_key** directive usually consists of embedded variables (the default key, $scheme$proxy_host$request_uri, has three variables) | |
| # If the value includes the $query_string variable, then an attack that sends random query strings can cause excessive caching | |
| # We recommend that you don’t include the $query_string variable in the key unless you have a particular reason to do so | |
| # Blocking requests | |
| # - requests to a specific URL that seems to be targeted | |
| # - requests in which the User-Agent header is set to a value that does not correspond to normal client traffic | |
| # - requests in which the Referer header is set to a value that can be associated with an attack | |
| # - requests in which other headers have values that can be associated with an attack | |
| server { | |
| location /foo.php { | |
| deny all; | |
| } | |
| } | |
| server { | |
| location / { | |
| if ($http_user_agent ~* foo|bar) { | |
| return 403; | |
| } | |
| ... | |
| } | |
| } | |
| # Limiting the connections to background servers | |
| upstream website { | |
| server 192.168.100.1:80 max_conns=200; | |
| server 192.168.100.2:80 max_conns=200; | |
| queue 10 timeout=30s; | |
| } | |
| # Dealing with range based attacks | |
| # See gist https://gist.github.com/prasetiyohadi/b55a79a83c8973856c6f | |
| # Handling high loads | |
| # See gist https://gist.github.com/prasetiyohadi/c24112871943aa21d1bc |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment