gariac Wrote:
-------------------------------------------------------
> This page has all the secret sauce, including how to limit the number
> of connections.
>
> https://www.nginx.com/blog/mitigating-ddos-attacks-with-nginx-and-nginx-plus/
>
> I set up the firewall with a higher number as a "just in case." Also
> note if you do streaming outside nginx, then you have to limit
> connections for that service in the program providing it.
>
> Mind you while I think this page has good advice, what is listed here
> won't stop a real ddos attack. The first D is for distributed, meaning
> the attacks come from many IP addresses. You probably have to pay for
> one of those reverse proxy services to avoid a real ddos, but I
> personally find them a bit creepy since I have seen hacking
> attempts come from behind them.
>
> The tips on this nginx page will limit the teenage boy in his parents'
> basement, which is a more real-life scenario to be attacked. But note
> that every photo you load is a request, so I wouldn't make the limit
> any lower than 5 to 10 per second. You can play with the limits and
> watch the results on your own system. Just remember to:
> service nginx reload
> service nginx restart
>
> If you do fancy caching, you may have to clear your browser cache.
>
> In theory, Google page ranking takes speed into account. There are
> many websites that will evaluate your nginx setup.
> https://www.webpagetest.org/
>
> One thing to remember is nginx limits are in bytes per second, not
> bits per second. So the 512k limit in this example is really quite
> generous.
> http://www.webhostingtalk.com/showthread.php?t=1433413
>
> There are programs you can run on your server to flog nginx.
> https://www.howtoforge.com/how-to-benchmark-your-system-cpu-file-io-mysql-with-sysbench
>
> I did this with httperf, but sysbench is supposed to be better. Nginx
> is very efficient. Your limiting factor will probably be your server
> network connection. If you sftp files from your server, it will be at
> the maximum rate you can deliver, and this depends on time of day
> since you are sharing the pipe. I'm using a VPS that does 40mbps on a
> good day. Figure 10 users at a time and the 512kbytes per second put me
> at the limit.
>
> If you use the nginx map module, you can block download managers if
> they are honest with their user agents.
>
> http://nginx.org/en/docs/http/ngx_http_map_module.html
> http://ask.xmodulo.com/block-specific-user-agents-nginx-web-server.html
>
> Beware of creating false positives with such rules. When developing
> code, I return a 444 then search the access.log for what it found,
> just to ensure I wrote the rule correctly.
>
> Original Message
> From: Grant
> Sent: Sunday, September 11, 2016 5:30 AM
> To: nginx@nginx.org
> Reply To: nginx@nginx.org
> Subject: Re: limit-req and greedy UAs
>
> > > What looks to me to be a real resource hog that quite frankly you
> > > can't do much about are download managers. They open up multiple
> > > connections, but the rate limits apply to each individual connection.
> > > (this is why you want to limit the number of connections.)
> >
> > Does this mean an attacker (for example) could get around rate limits
> > by opening a new connection for each request? How are the number of
> > connections limited?
> >
> > - Grant
> >
> > _______________________________________________
> > nginx mailing list
> > nginx@nginx.org
> > http://mailman.nginx.org/mailman/listinfo/nginx
The following is also a good resource if you are having issues with slow DoS attacks, where they are trying to keep connections open for long periods of time.

OWASP: https://www.owasp.org/index.php/SCG_WS_nginx

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,269435,269473#msg-269473
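The quoted advice (a per-IP connection cap so a download manager cannot multiply its per-connection rate limit, a request limit no lower than 5 to 10 per second, a 512k byte-rate limit, a map-based user-agent rule that returns 444, and short timeouts against slow connections) put together in one nginx `http` block. This is an added example, not configuration from either poster; the zone names, the numeric limits, `example.com` and the `ExampleDownloadManager` user-agent pattern are assumptions.

```nginx
# Added example: per-client limits in the http{} context of nginx.conf.
# Zone names, numbers and the user-agent pattern below are assumptions.

# One state per client address; a 10m zone holds roughly 160k addresses.
limit_conn_zone $binary_remote_addr zone=perip_conn:10m;
limit_req_zone  $binary_remote_addr zone=perip_req:10m rate=10r/s;

# Return 429 rather than the default 503 so rejected requests are easy to
# pick out of access.log while tuning the numbers.
limit_conn_status 429;
limit_req_status  429;

# Cut off slow clients that hold connections open without sending data.
client_header_timeout 10s;
client_body_timeout   10s;
keepalive_timeout     15s;
send_timeout          10s;

# Map honest download-manager user agents to 1. "ExampleDownloadManager"
# is a placeholder; check any pattern against access.log before relying on it.
map $http_user_agent $block_ua {
    default                   0;
    ~*ExampleDownloadManager  1;
}

server {
    listen 80;
    server_name example.com;

    # limit_rate applies per connection, so also cap simultaneous
    # connections per address; otherwise N connections get N times the rate.
    limit_conn perip_conn 10;

    # 10 r/s with a burst of 20 lets a page full of images load at once while
    # still throttling a client that hammers the server continuously.
    limit_req zone=perip_req burst=20 nodelay;

    # Bytes per second, not bits: 512k is 512 KB/s per connection.
    limit_rate 512k;

    # 444 closes the connection without a response; grep access.log for 444
    # to confirm the map matches only what you intended.
    if ($block_ua) {
        return 444;
    }

    root /var/www/html;
}
```

Run `nginx -t` after editing and then `service nginx reload`, as the quoted post notes, before watching access.log for 429 and 444 entries.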