Home PC Games Linux Windows Database Network Programming Server Mobile  
           
  Home \ Linux \ Limit the use of the request being Nginx Flood attack     - zBackup: A versatile tool to remove duplicate backup (Linux)

- CentOS How quickly customize kernel binary RPM package (Linux)

- File encryption and decryption of Linux security mechanisms (Linux)

- Linux script commands - terminal recorder (Linux)

- Oracle create user authorization and in PLSQL (Database)

- C ++ Supplements - References (Lvalue Reference, Rvalue Reference) (Linux)

- Zabbix monitoring of the switch (Server)

- To create someone else can not afford to delete the administrator user (Linux)

- Linux common network tools: traceroute routing of scanned (Linux)

- Household use Linux Security (Linux)

- Linux Mint brightness adjustment --xrandr command learning (Linux)

- Ubuntu use three methods to install Ruby (Linux)

- Asynchronous communication mechanism between the Android source code analysis thread (Programming)

- Hadoop 2.7.1 Installation and Configuration under RedHat Linux 6.5 (Server)

- Linux SSH commands (Linux)

- Let OpenCV face detection score output codes (Programming)

- Postgres-X2 deployment steps (Database)

- Five strokes to find out the IP address you want to know (Linux)

- Talking about modern programming language syntax and standard library tightly bound phenomenon (Programming)

- Oracle Database Performance Optimization of memory disk (Database)

 
         
  Limit the use of the request being Nginx Flood attack
     
  Add Date : 2018-11-21      
         
         
         
  Test

I will simply tell you how to configure request restrictions Nginx module and it is how to protect your site, you are attacked and prevent DDOS or other HTTP-based denial of service attacks.

For this test, I would like to save the page in Blitz.io (now free service) named about.html, for testing limit_req instructions.

First, I use the following command in the Blitz, to initiate and 1075 concurrent requests for one minute, the response timeout to two minutes, the California region, and set the state to get rid of all the state 200 other than an abnormal state, even 503 are not considered to be successful.

-p 1-1075: 60 --status 200 -T 2000 -r california http://kbeezie.com/about.html


Not too bad, right? But if it is a php file. It might cause users 502/504 status PHP process, so that the server has crashed or unresponsive. Especially if you do not use any protection or other VPS cheap servers, the failure rate will be higher. (Original ad, here shield)

Of course, you can use the cache or other tools to improve server performance and response capability, for example, you can use WordPress you definitely want to use wordpress caching plugin. Da For those type of people we can use the limit request module.

In Nginx we create a regional http {}, I told him to blitz set 5 requests per second, the maximum data capacity of 10MB. I use as a session variable $ binary_remote_addr let yourself than normal visitors $ remote_addr can access greater than 10MB Space.

limit_req_zone $ binary_remote_addr zone = blitz: 10m rate = 5r / s;
However, the definition of weeks in the server on these rules:

location = /about.html {
limit_req zone = blitz nodelay;
}

Then reload Nginx configuration

You will find only more than 285 people now have access to the server, the number of requests per second at 4.75, we set no more than 5 times per second, check the log you will find no access to the requests are HTTP 503, access to all HTTP 200.

Such an arrangement would like to use for access to restricted areas is helpful, it can also be applied on all php requests.

PHP application requests limit

If you want to restrict all PHP application limits, you can do this:

location ~ \ .php {
limit_req zone = flood;
include php_params.conf;
fastcgi_pass unix: /tmp/php5-fpm.sock;
}
It can help you stuff some settings like acceleration or deceleration, in order to deal with unexpected demand or configuration item details without delay, hit here:. HttpLimitReqModule.

Note:

You may notice that the chart above test 1075 user requests, here are misleading, because all access requests are from California and located in the same IP (50.18.0.223).

I find it difficult to achieve a real high-traffic network or DDOS (distributed denial of service attack). This is why we are the number of users with access to a successful IP is not great. Test server load also affect the user's access number or region. the number of users you can use the free version is the maximum concurrent access to 50. of course, you can spend $ 49 per day US knife allows 1000 users to access your site.

If you have enough memory with bandwidth of a single IP address test is very easy to use this tool can be achieved: high concurrency, ab, openload etc. is only in the terminal interface, it is no UI.

Of course, you want to test yourself, remember to use status flag, because the Blitz in about 5 seconds after the response to the access request.

Better alternatives

There will not be further explained in more detail, if you seriously want to prevent DDOS attack your server or multi-service attack, there are other great software tools like iptables (linux), pf (packet filter for BSD), or you the server hardware, you can use your hardware firewall. above limitation module will stop coming through HTTP request flood attack, it does not prevent ping packet flooding attacks or other vulnerabilities in these cases you can turn off unneeded services and ports not needed to prevent others breakthrough.

For example, my server external network ports open only HTTP / HTTPS and SSH. Like these services bind local MySQL connections also some common service can be set to the port is not commonly used, so as not to be sniffed filter (iptables / pf this case would be helpful).
     
         
         
         
  More:      
 
- Linux LVM - File system extension (Linux)
- GEC2440 easiest a kernel compile Linux2.6.30.4 (Programming)
- JBoss7 configuration - Supports IPv4 and IPv6 dual-stack environment (Server)
- Ubuntu 14.04 compile, install, configure, the latest development version GoldenDict (Linux)
- Puppet 3.x installed on Debian 7 (Server)
- Gentoo: existing preserved libs problem solving (Linux)
- Programmers Do not neglect debugging techniques (Programming)
- Depth understanding of C language (Programming)
- Monitoring Linux System 7 command-line tool (Linux)
- How to display a dialog Bash Shell script (Programming)
- How to Start a Linux application running in the background using the terminal mode (Linux)
- C ++ Supplements - Virtual Function Principle (Programming)
- MySQL separation Amoeba achieve literacy (Database)
- Android Service service applications and the phone SMS Listener Listener (Programming)
- Joseph Central Java implementation (Programming)
- File SUID, SGID, Sticky property (Linux)
- CentOS yum source as the default setting methods in DVD (Linux)
- Android Studio Installation and Configuration Guide tutorial (Linux)
- Zabbix monitoring tool deployment under Ubuntu server (Server)
- CentOS 6.x Basic System Optimization after installation (Linux)
     
           
     
  CopyRight 2002-2022 newfreesoft.com, All Rights Reserved.