That attack wasn't very distributed. ;-) Did you see if the IPs were from an ISP? If not, I'd ban the service using the Hurricane Electric BGP as a guide. At a minimum, you should be blocking the major cloud services, especially OVH. They offer free trial accounts, so of course the hackers abuse them.
If the attack was from an ISP, I can visualize a fail2ban scheme blocking the last quad not being too hard to implement. That is, block xxx.xxx.xxx.0/24. Or maybe just let a typical fail2ban setup do your limiting and don't get fancy about the IP range.

I try "traffic management" at the firewall first. As I discovered with "deny" in nginx, much CPU work is still done prior to ignoring the request. (I don't recall the details exactly, but there is a thread I started on the topic in this list.) Better to block via the firewall since you will be running one anyway.

Original Message
From: Grant
Sent: Tuesday, December 13, 2016 2:01 PM
To: nginx@nginx.org
Reply To: nginx@nginx.org
Subject: limit_req per subnet?

I recently suffered DoS from a series of 10 sequential IP addresses. limit_req would have dealt with the problem if a single IP address had been used. Can it be made to work in a situation like this where a series of sequential IP addresses are in play? Maybe per subnet?

- Grant

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
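
The per-subnet limiting asked about in the quoted message, shown as an added example that is not part of either message: a `map` derives a key shared by every IPv4 address in the same /24, and `limit_req_zone` counts against that key next to the usual per-address zone. The zone names, rates, burst values and the `$net24` / `$limit_subnet` variable names are assumptions chosen for illustration.

```nginx
# Added example, not configuration from the thread. Zone names, rates and
# variable names are assumptions. The map and limit_req_zone directives go
# in the http {} context; the server block is a minimal placeholder.

# Per-address zone: each of 10 sequential addresses gets its own bucket,
# so a client spread across neighbouring addresses gets 10 times the rate.
limit_req_zone $binary_remote_addr zone=per_ip:10m rate=5r/s;

# Key shared by all IPv4 addresses in one /24: the first three octets.
# IPv6 and anything the regex does not match fall back to the full address.
map $remote_addr $limit_subnet {
    default                              $remote_addr;
    "~^(?<net24>\d+\.\d+\.\d+)\.\d+$"    $net24;
}

# Per-subnet zone: all addresses in the /24 draw from a single bucket.
# The rate is set higher than per_ip because unrelated users in the same
# /24 share it.
limit_req_zone $limit_subnet zone=per_subnet:10m rate=20r/s;

server {
    listen 80;

    location / {
        # Both limits apply; a request is rejected if either is exceeded.
        limit_req zone=per_ip     burst=10 nodelay;
        limit_req zone=per_subnet burst=40 nodelay;
    }
}
```

Requests over the limit are still accepted and parsed by nginx before being rejected, so this complements rather than replaces the firewall-level blocking recommended in the reply.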