How to protect against CC attacks through ngx_lua module

2025-03-05 update, from SLTechnology News & Howtos (shulou), Network Security

Shulou(Shulou.com)05/31 Report--

This article shows how to protect against CC attacks with the ngx_lua module. The method is simple, fast and practical.

Preface

A CC attack (Challenge Collapsar) is a common application-layer attack against websites. It aims to consume server resources and degrade response times; in extreme cases the site can no longer serve requests at all.

First, service deployment

0. Environment

a. System

CentOS Linux release 7.5.1804 (Core)

b. Resource storage directory

mkdir /root/ngx_lua

c. Requirements

Dependencies and errors that come up while compiling and installing are not covered here; resolve them by searching.

d. ngx_lua documentation

https://github.com/openresty/lua-nginx-module#installation

e. Preparation

cd /root/ngx_lua

1. Lua

wget http://www.lua.org/ftp/lua-5.3.4.tar.gz
tar zxf lua-5.3.4.tar.gz
cd lua-5.3.4
make linux test
cd ..

2. LuaJIT 2.1

wget http://luajit.org/download/LuaJIT-2.1.0-beta3.tar.gz
tar zxvf LuaJIT-2.1.0-beta3.tar.gz
cd LuaJIT-2.1.0-beta3
# specify the installation directory
make PREFIX=/usr/local/luajit2
make install PREFIX=/usr/local/luajit2
cd ..

3. NDK

wget https://github.com/simplresty/ngx_devel_kit/archive/v0.3.1rc1.tar.gz
tar zxvf v0.3.1rc1.tar.gz

4. LUA_NGX

wget https://github.com/openresty/lua-nginx-module/archive/v0.10.13.tar.gz
tar zxvf v0.10.13.tar.gz

5. LUA_RESTY_REDIS

wget -O "lua-resty-redis-master.zip" https://codeload.github.com/openresty/lua-resty-redis/zip/master
unzip lua-resty-redis-master.zip
cd lua-resty-redis-master
make install PREFIX=/usr/local/lua-redis
cd ..

6. REDIS

wget http://download.redis.io/releases/redis-4.0.9.tar.gz
tar zxvf redis-4.0.9.tar.gz
cd redis-4.0.9
# copy the configuration template
cp redis.conf /etc/
# compile and install
make PREFIX=/usr/local/redis
make install PREFIX=/usr/local/redis
# to run it, consider packaging it as a background service or hosting it under supervisor
cd /usr/local/redis/bin
./redis-server /etc/redis.conf

7. Nginx

# add the NGINX user
useradd -s /sbin/nologin www
# download, extract and enter the directory
wget http://nginx.org/download/nginx-1.13.12.tar.gz
tar zxvf nginx-1.13.12.tar.gz
cd nginx-1.13.12
# environment variables that the lua module's config script reads
export LUAJIT_LIB=/usr/local/luajit2/lib
export LUAJIT_INC=/usr/local/luajit2/include/luajit-2.1
# configure and install; ndk and ngx_lua are built as dynamic modules and the rpath lets nginx find libluajit at runtime
./configure --user=www --group=www --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_gzip_static_module --with-http_sub_module --with-ld-opt="-Wl,-rpath,/usr/local/luajit2/lib" --add-dynamic-module=/root/ngx_lua/ngx_devel_kit-0.3.1rc1 --add-dynamic-module=/root/ngx_lua/lua-nginx-module-0.10.13
make && make install

# Edit the main configuration file to enable NGX_LUA
vim /usr/local/nginx/conf/nginx.conf

# run as the user created above
user www www;
# number of worker processes, bound to CPU cores
worker_processes auto;
worker_cpu_affinity auto;
pid logs/nginx.pid;
# number of open files per worker
worker_rlimit_nofile 65535;
# load the lua-related modules here (ndk must come before ngx_lua)
load_module modules/ndk_http_module.so;
load_module modules/ngx_http_lua_module.so;

events {
    use epoll;
    worker_connections 65535;
    accept_mutex off;
    multi_accept on;
}

http {
    include mime.types;
    default_type application/octet-stream;
    server_names_hash_bucket_size 128;
    client_header_buffer_size 64k;
    large_client_header_buffers 4 32k;
    client_max_body_size 512m;
    # search path for the lua-resty-redis package
    lua_package_path "/usr/local/lua-redis/lib/lua/?.lua;;";
    sendfile on;
    keepalive_timeout 60;
    server_tokens off;
    log_format access '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    include conf.d/*.conf;
}

:wq

nginx -t && nginx

Second, develop the Lua responder and set up a VHOST

1. Create the directories for lua scripts and vhost configuration

mkdir /usr/local/nginx/conf/lua
# conf.d is included by nginx.conf and must exist before luatest.conf is created in it
mkdir -p /usr/local/nginx/conf/conf.d

2. Write the lua script that produces the response

vim /usr/local/nginx/conf/lua/content.lua

-- get the request headers
local headers = ngx.req.get_headers()
-- obtain the client IP in turn from X-Real-IP, X-Forwarded-For and remote_addr
-- (get_headers() normalises keys, so header lookups are case-insensitive)
local clientip = headers["X-Real-IP"]
if clientip == nil then
    clientip = headers["X-Forwarded-For"]
end
if clientip == nil then
    clientip = ngx.var.remote_addr
end
-- response body; ngx.say concatenates its arguments without separators
ngx.say("Your IP Address is ", clientip, ", Welcome!")

:wq

3. Build a VHOST for testing

a. New configuration file

vim /usr/local/nginx/conf/conf.d/luatest.conf

server {
    # listening port and hostname
    listen 80;
    server_name www.knownsec.com;

    # test location
    location /lua_test {
        # default MIME type of the response
        default_type "text/html";
        # produce the response through lua (the script written in step 2)
        content_by_lua_file conf/lua/content.lua;
    }

    error_log /home/log/ngx/error.log;
    access_log /home/log/ngx/access access;
}

:wq

b. Test and reload the configuration

nginx -t
nginx -s reload

4. Test access

curl --resolve www.knownsec.com:80:192.168.0.196 http://www.knownsec.com/lua_test
Your IP Address is 192.168.0.196, Welcome!

Third, how the IP rate limit works

1. Request processing flow

a. NGINX processes a request in 11 phases: post-read, server-rewrite, find-config, rewrite, post-rewrite, preaccess, access, post-access, try-files, content, log. (Reference: https://github.com/nginx/nginx/blob/master/src/http/ngx_http_core_module.h)

b. The lua module documentation (reference: https://www.nginx.com/resources/wiki/modules/lua/) provides a lua directive for each phase it can hook. For this article the rate limit is an access control, so it belongs in the access phase and the directive to use is access_by_lua.

c. For easier debugging and management, the access_by_lua_file directive loads the lua file from a given path to handle the access phase.

2. Logic based on the token bucket algorithm

a. The token bucket algorithm limits the number of requests while tolerating bursts. Note that the bucket built here is created full and then expires rather than being refilled over time, so in effect it is a fixed window that starts with the client's first request: a client can send one full quota just before the key expires and another right after it.

b. When a request reaches Nginx, determine whether the location needs rate limiting.

c. If it does, check whether a token bucket already exists for the current IP. If not, use setex to store the bucket in redis with its token count and the expiry of the "bucket". For a limit of, say, 10 requests per minute, the token count is 9 (the current request counts as the first consumption) and the expiry is 60 s. The IP is taken from X-Real-IP, then X-Forwarded-For, then remote_addr; the two headers are only trustworthy when a proxy you control sets them, so if nginx faces clients directly use remote_addr alone, otherwise a client can choose its own bucket key.

d. If a bucket exists and its token count is greater than 0, use decr to subtract 1 (consume a token) and let the request through.

e. If the token count is 0, intercept the request.

3. Code implementation

# the path must match the access_by_lua_file directive added in step 4 below
vim /usr/local/nginx/conf/lua/LimitRate.lua

-- load the redis module (lua-resty-redis, found via lua_package_path)
local r_md = require "resty.redis"
-- headers of the current request
local headers = ngx.req.get_headers()
-- address and port of redis (the port must match the one in /etc/redis.conf)
local redis_ip = "127.0.0.1"
local redis_port = 9600
-- create a redis object
local redis = r_md:new()
-- unit of time (seconds)
local qtrange = 60
-- number of requests allowed per unit of time
local qcount = 10
-- obtain the client IP by header precedence (see the note in 2.c above)
local clientip = headers["X-Real-IP"]
if clientip == nil then
    clientip = headers["X-Forwarded-For"]
end
if clientip == nil then
    clientip = ngx.var.remote_addr
end

-- return the redis connection to the per-worker pool instead of closing it;
-- set_keepalive takes the idle timeout (ms) and the pool size
local function redis_close(red)
    local pool_max_idle_time = 10000 -- ms
    local pool_size = 100            -- connections kept per worker process
    local ok, err = red:set_keepalive(pool_max_idle_time, pool_size)
    if not ok then
        ngx.log(ngx.ERR, "set redis keepalive error: ", err)
    end
end

-- timeout for every redis operation, including connect (ms)
redis:set_timeout(1000)

-- connect; if redis is unreachable, log it and let the request through
-- (the script fails open: no bucket can be checked without redis)
local ok, err = redis:connect(redis_ip, redis_port)
if not ok then
    ngx.log(ngx.ERR, "redis connect error: ", err)
    return
end

-- rate-limit "class"
local LimitIpRate = {}

-- rate-limit method: token bucket logic
function LimitIpRate.is_limited()
    -- fetch the bucket of the current IP, stored under the key "x.x.x.x|pool"
    local res, err = redis:get(clientip .. "|pool")
    if not res then
        ngx.log(ngx.ERR, "lua error: ", err)
    end

    -- a string result means the bucket exists
    if type(res) == "string" then
        -- no tokens left: intercept (<= 0 also catches a concurrent decr that went below zero)
        if tonumber(res) <= 0 then
            redis_close(redis)
            ngx.exit(ngx.HTTP_FORBIDDEN)
        -- otherwise consume one token and let the request through
        else
            local add, err = redis:decr(clientip .. "|pool")
            if not add then
                ngx.log(ngx.ERR, "lua error: ", err)
            end
        end
    -- ngx.null (userdata) means there is no bucket for this IP yet
    elseif type(res) == "userdata" then
        -- create the bucket with the expiry and the remaining token count
        -- (the current request counts as the first consumption)
        local ini, err = redis:setex(clientip .. "|pool", qtrange, qcount - 1)
        if not ini then
            ngx.log(ngx.ERR, "lua error: ", err)
        end
    end
    redis_close(redis)
end

-- run the rate-limit check
LimitIpRate.is_limited()

:wq
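An added example, not part of the original article: a Python model of the LimitRate.lua decision logic and of the token-bucket steps in 2. above, with an in-memory stand-in for the three Redis commands the script uses (SETEX, GET, DECR) so the behaviour can be replayed offline. The class and function names, the injected clock and the client address 203.0.113.7 are constructed for the example; it also replays the window-boundary case, where a fresh bucket is created as soon as the old key expires.

```python
# Added example (not the article's code): Python model of LimitRate.lua over a fake Redis.
WINDOW = 60   # qtrange: window length in seconds
LIMIT = 10    # qcount: requests allowed per window

class FakeRedis:
    """Minimal SETEX/GET/DECR emulation; keys expire against an injected clock."""
    def __init__(self, clock):
        self.clock = clock          # callable returning the current time in seconds
        self.store = {}             # key -> (value, expires_at)

    def _live(self, key):
        item = self.store.get(key)
        if item and self.clock() < item[1]:
            return item
        self.store.pop(key, None)   # TTL elapsed: Redis would have dropped the key
        return None

    def get(self, key):             # None plays the role of ngx.null in the Lua script
        item = self._live(key)
        return None if item is None else str(item[0])

    def setex(self, key, ttl, value):
        self.store[key] = (int(value), self.clock() + ttl)

    def decr(self, key):
        value, expires_at = self.store[key]
        self.store[key] = (value - 1, expires_at)
        return value - 1

def is_limited(redis, clientip):
    """Mirror of LimitIpRate.is_limited: True means the request gets a 403."""
    key = clientip + "|pool"
    res = redis.get(key)
    if res is None:                 # no bucket yet: create it; this request is the first consumption
        redis.setex(key, WINDOW, LIMIT - 1)
        return False
    if int(res) <= 0:               # bucket empty until the key expires
        return True
    redis.decr(key)                 # consume one token
    return False

def simulate(timestamps, clientip="203.0.113.7"):
    """Replay constructed request times (seconds) from one client; return a status per request."""
    now = {"t": 0.0}
    redis = FakeRedis(lambda: now["t"])
    statuses = []
    for t in timestamps:
        now["t"] = t
        statuses.append(403 if is_limited(redis, clientip) else 200)
    return statuses
```

Replaying one request per second for 12 seconds reproduces the test in 5. below (ten 200s, then 403s), and replaying one request at 0 s, nine at 59.9 s and ten at 60.0 s shows twenty accepted requests, nineteen of them within a tenth of a second.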

4. Integrate LimitRate.lua into the NGINX configuration

a. Edit the configuration file and add the directive

vim /usr/local/nginx/conf/conf.d/luatest.conf

server {
    # listening port and hostname
    listen 80;
    server_name www.knownsec.com;

    # test location
    location /lua_test {
        # default MIME type of the response
        default_type "text/html";
        # filter access through lua (runs in the access phase, before the content handler)
        access_by_lua_file "conf/lua/LimitRate.lua";
        # produce the response through lua
        content_by_lua_file conf/lua/content.lua;
    }

    error_log /home/log/ngx/error.log;
    access_log /home/log/ngx/access access;
}

:wq

b. Test and reload the configuration

nginx -t
nginx -s reload

5. Rate limit test

for i in {1..12}; do curl -s --resolve www.knownsec.com:80:192.168.0.196 http://www.knownsec.com/lua_test -o /dev/null -w %{http_code}; echo; done
200
200
200
200
200
200
200
200
200
200
403
403

This concludes how to protect against CC attacks with the ngx_lua module; try it out in practice.
