SLTechnology News&Howtos (Servers), 2025-01-18 update
Shulou (Shulou.com) 06/02 Report
Preface
Nginx is a lightweight web server developed by the Russian programmer Igor Sysoev and originally used by large Russian portals and the search engine Rambler. It is characterized by a small memory footprint and strong concurrency handling; in practice, Nginx's concurrency performance does stand out among web servers of its type.
Defending against DDoS is a systematic effort: there are many attack patterns, the cost is high, there are many bottlenecks, and the defender is largely passive. DDoS attacks are distributed and target either bandwidth or the service itself, i.e. layer 4 traffic attacks and layer 7 application attacks. The corresponding defense bottlenecks are bandwidth at layer 4 and architecture throughput at layer 7. Against layer 7 application attacks we can still do something with configuration. For example, when Nginx is the front end, the main tools are its http_limit_conn and http_limit_req modules: ngx_http_limit_conn_module limits the number of connections from a single IP, and ngx_http_limit_req_module limits the number of requests per second from a single IP. Limiting connections and requests is a relatively effective defense against CC attacks.
This article introduces how to configure Nginx to defend against DDoS attacks, shared for reference and learning. Let's look at the details.
The configuration method is as follows:
1. Limit the number of requests per second
The ngx_http_limit_req_module module uses the leaky bucket algorithm to limit the number of requests per unit of time. Once the number of requests in a unit of time exceeds the limit, it returns a 503 error. The configuration is set in two places:
The trigger condition is defined in the http section of nginx.conf; there can be several conditions.
The action Nginx performs when the trigger condition is met is defined inside the location.
For example:
    http {
        limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;   # trigger condition: every client IP is limited to 10 requests per second
        server {
            ...
            location ~ \.php$ {
                limit_req zone=one burst=5 nodelay;   # the action, matched to the trigger condition by zone name
            }
        }
    }
Parameter description:
$binary_remote_addr: the client address in binary form, used as the key.
zone=one:10m: defines a zone named "one" and allocates 10m of memory to it for storing session state (the binary remote addresses); 1m of memory can hold 16000 sessions.
rate=10r/s: the frequency limit is 10 requests per second.
burst=5: allows at most 5 requests above the frequency limit. Assuming 9 requests per second in seconds 1, 2, 3 and 4, 15 requests in second 5 are allowed. Conversely, if 15 requests arrive in the first second, 5 of them are carried over into the second second, and requests beyond 10 in the second second get a 503 directly; this is similar to averaging the rate limit over several seconds.
nodelay: excess requests are not delayed; with this set, the 15 requests are processed within 1 second.
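To make the burst and nodelay behaviour described above concrete, here is an added Python model of the per-key bookkeeping that ngx_http_limit_req_module keeps (this is example code written for this page, not the module's source): an "excess" counter in thousandths of a request that grows by 1000 on each request and drains at the configured rate, with rejection when it would exceed burst and a delay of excess/rate otherwise. The arrival patterns are constructed inputs; the function names are the example's own.

```python
"""Model of ngx_http_limit_req_module's leaky bucket (added example, not from the article).

nginx keeps, per key, an "excess" value in thousandths of a request.  Each
request adds 1000; the value drains at rate * elapsed_ms / 1000.  A request is
rejected (503) when the new excess would exceed burst * 1000; an accepted
request is held for excess / rate unless nodelay is set.  The first request for
a fresh key starts at excess 0, which is why burst=5 admits 1 + 5 simultaneous
requests.  Arrival times are whole milliseconds and are constructed inputs.
"""


def simulate_limit_req(arrivals_ms, rate_rps, burst, nodelay=False):
    """Return one (status, delay_ms) tuple per arrival for a single client key.

    status is "accepted" or "rejected"; delay_ms is how long nginx would hold
    an accepted request before passing it on (always 0 with nodelay).
    """
    rate = rate_rps * 1000       # requests per second, in thousandths
    burst_limit = burst * 1000   # burst, in thousandths
    excess = 0
    last = None
    results = []
    for now in arrivals_ms:
        if last is None:
            new_excess = 0       # fresh key: the first request is always admitted
        else:
            elapsed = max(0, now - last)
            new_excess = excess - rate * elapsed // 1000 + 1000
            if new_excess < 0:
                new_excess = 0
        if new_excess > burst_limit:
            # A rejected request does not update the stored state.
            results.append(("rejected", 0))
            continue
        excess, last = new_excess, now
        delay = 0 if nodelay else excess * 1000 // rate
        results.append(("accepted", delay))
    return results


def summarize(results):
    """Count accepted/rejected requests and report the largest delay applied."""
    accepted = [d for s, d in results if s == "accepted"]
    return {
        "accepted": len(accepted),
        "rejected": len(results) - len(accepted),
        "max_delay_ms": max(accepted, default=0),
    }


if __name__ == "__main__":
    # Constructed arrival patterns against zone=one rate=10r/s burst=5.
    seven_at_once = [0] * 7
    steady = list(range(0, 1000, 100))   # exactly 10r/s: one request every 100 ms
    print("7 simultaneous, default:", summarize(simulate_limit_req(seven_at_once, 10, 5)))
    print("7 simultaneous, nodelay:", summarize(simulate_limit_req(seven_at_once, 10, 5, nodelay=True)))
    print("10 spread over 1 second:", summarize(simulate_limit_req(steady, 10, 5)))
```

Running the script shows the two faces of burst: seven simultaneous requests yield six accepted and one 503 either way, but without nodelay the six are spaced 100 ms apart (delays 0 to 500 ms), while with nodelay all six go through at once and the burst slots refill one per 100 ms.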
2. Limit the number of IP connections
The configuration method and parameters of ngx_http_limit_conn_module are very similar to those of the http_limit_req module, with fewer parameters, so it is much simpler.
    http {
        limit_conn_zone $binary_remote_addr zone=addr:10m;   # trigger condition
        server {
            ...
            location /download/ {
                limit_conn addr 1;   # allow 1 connection at a time; excess connections return 503
            }
        }
    }
3. Whitelist setting
The http_limit_conn and http_limit_req modules limit the concurrency and the number of requests per unit of time of a single IP. However, if a load balancer or reverse proxy such as LVS or HAProxy sits in front of Nginx, Nginx receives its connections and requests from the load balancer, and in that case the load balancer's connections and requests should not be limited. A whitelist can be set up with the geo and map modules:
    geo $whiteiplist {
        default      1;
        10.11.15.161 0;
    }
    map $whiteiplist $limit {
        1 $binary_remote_addr;
        0 "";
    }
    limit_req_zone  $limit zone=one:10m rate=10r/s;
    limit_conn_zone $limit zone=addr:10m;
The geo module defines a variable whiteiplist with a default value of 1; when the IP is in the whitelist the value is 0, otherwise it is 1.
In the whitelist -> whiteiplist=0 -> $limit="" -> not stored in the 10m session state (one or addr) -> not limited
Not in the whitelist -> whiteiplist=1 -> $limit=binary remote address -> stored in the 10m session state -> limited
4. Test
Use the ab command to simulate a CC attack and test the http_limit_conn and http_limit_req modules separately. Note that the http_limit_conn module only counts connections whose requests are currently being processed (i.e. whose request headers have been fully read). If a request has finished processing but the connection has not been closed, it is not counted, so at that point netstat may show more connections than the limit without any being blocked.
    ab -n <number of requests> -c <concurrency> http://10.11.15.174/i.php
If a request is blocked, the client gets a 503, and the following error log appears in the Nginx error_log:
Connection limit reached:
    2015/01/28 14:20:26 [error] 4107#0: *65525 limiting connections by zone "addr", client: 10.11.15.161, server: , request: "GET /i.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42 HTTP/1.1", host: "10.11.15.174", referrer: "http://10.11.15.174/i.php"
Request limit reached:
    2015/01/28 14:18:59 [error] 4095#0: *65240 limiting requests, excess: 5.772 by zone "one", client: 10.11.15.161, server: , request: "GET /i.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 HTTP/1.1", host: "10.11.15.174", referrer: "http://10.11.15.174/i.php"
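The error_log lines above are the signal an operator has for tuning these limits (who is being limited, in which zone, and how far over the rate they are). As an added example, not code from the article, here is a small Python parser that extracts "limiting requests" and "limiting connections" events from error_log text and counts them per client and zone; the sample log below is constructed in the same layout as the excerpts above, and the helper names are the example's own.

```python
"""Parse nginx limit_req / limit_conn error-log lines (added example, not from the article).

The sample lines are constructed to match the error_log excerpts above; the
timestamp/pid prefix is the standard nginx error_log layout.  "excess" is
logged only for limit_req and is expressed in requests (nginx keeps it in
thousandths internally, hence the three decimals).
"""
import re
from collections import Counter

LIMIT_LINE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[error\] \d+#\d+: \*\d+ '
    r'limiting (?P<kind>connections|requests)'
    r'(?:, excess: (?P<excess>\d+\.\d+))?'
    r' by zone "(?P<zone>[^"]+)", client: (?P<client>[0-9a-fA-F.:]+)'
)

# Constructed sample log: two clients, both zones, plus one unrelated notice line.
SAMPLE_LOG = """\
2015/01/28 14:18:59 [error] 4095#0: *65240 limiting requests, excess: 5.772 by zone "one", client: 10.11.15.161, server: , request: "GET /i.php HTTP/1.1", host: "10.11.15.174"
2015/01/28 14:19:00 [error] 4095#0: *65241 limiting requests, excess: 5.104 by zone "one", client: 10.11.15.161, server: , request: "GET /i.php HTTP/1.1", host: "10.11.15.174"
2015/01/28 14:20:26 [error] 4107#0: *65525 limiting connections by zone "addr", client: 10.11.15.161, server: , request: "GET /i.php HTTP/1.1", host: "10.11.15.174"
2015/01/28 14:20:27 [error] 4107#0: *65530 limiting connections by zone "addr", client: 10.11.15.162, server: , request: "GET /download/big.iso HTTP/1.1", host: "10.11.15.174"
2015/01/28 14:20:28 [notice] 4107#0: signal process started
"""


def parse_limit_events(log_text):
    """Return one dict per rate-limit event; lines that are not limit events are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LIMIT_LINE.match(line)
        if not m:
            continue
        events.append({
            "time": m.group("ts"),
            "kind": m.group("kind"),      # "requests" (limit_req) or "connections" (limit_conn)
            "zone": m.group("zone"),
            "client": m.group("client"),
            "excess": float(m.group("excess")) if m.group("excess") else None,
        })
    return events


def events_per_client(events):
    """Count (client, zone) pairs: the view needed when deciding whom to whitelist or block."""
    return Counter((e["client"], e["zone"]) for e in events)


def noisiest_clients(events, threshold):
    """Clients that hit any limit at least `threshold` times, sorted for stable output."""
    counts = Counter(e["client"] for e in events)
    return sorted(c for c, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    evs = parse_limit_events(SAMPLE_LOG)
    for (client, zone), n in events_per_client(evs).most_common():
        print(f"{client:16} zone={zone:5} hits={n}")
    print("clients with 3 or more hits:", noisiest_clients(evs, 3))
```

A client that shows up repeatedly in zone "addr" while the application is healthy is usually a legitimate proxy or load balancer that belongs in the geo whitelist from section 3; a client that dominates zone "one" with a large excess is the pattern the limits are there to absorb.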
5. Some other ways to prevent CC
1. Nginx modules: ModSecurity, http_guard, ngx_lua_waf
ModSecurity: an application-layer WAF, powerful and able to defend against many attacks, but complex to configure.
ngx_lua_waf: a web application firewall based on ngx_lua; easy to use, high performance and lightweight.
http_guard: based on OpenResty.
2. Software + iptables
Fail2ban analyzes the logs and decides whether to block with iptables; DDoS Deflate uses netstat to determine the number of connections per IP and blocks with iptables.
As said at the beginning, anti-DDoS is a systematic effort. Optimizing the system and software configuration can only defend against small-scale CC attacks; for large-scale attacks, layer-4 traffic attacks and hybrid attacks, the bandwidth is usually saturated before the system and application software go down. Here are some anti-DDoS methods I have used at work:
1. High-defense servers and ISPs with traffic scrubbing
Usually servers in the United States and South Korea; some backbone ISPs offer traffic scrubbing services, for example PCCW in Hong Kong. This can usually withstand small attacks of about 10G.
2. Traffic scrubbing services such as Akamai (Prolexic) and Nexusguard. The largest attack we have had scrubbed successfully was 80G of traffic, but the cost is very high.
3. CDN, for example ChinaCache (蓝汛), Wangsu (网宿) or Cloudflare.
Because DDoS is distributed by nature, a CDN spreads the traffic out and accelerates the website at the same time; the effect is good and the cost is relatively low.
To sum up: attacking is easier than defending; layer 7 is easy to defend, layer 4 is hard; small attacks can be defended against, large ones cost money.
That is the whole content of this article. I hope it is of some help to your study or work. If you have any questions, leave a message and let's discuss. Thank you for your support.
Reference articles:
http://nginx.org/en/docs/http/ngx_http_limit_req_module.html
http://www.nginx.cn/446.html
http://www.ttlsa.com/nginx/nginx-limited-connection-number-ngx_http_limit_conn_module-module/