Deny if uri contains specific word

Posted by Korben 
Deny if uri contains specific word
January 15, 2016 04:16AM
Hello.

I need some help with configuring nginx to struggle with an HTTP flood attack.
My web server has been receiving a lot of requests for non-existing URLs for a couple of days already. Some hundreds of thousands. I'm collecting IP addresses and user agents from the access log and denying them using the 'deny' command.

But there are a lot of new IPs with the same requests. So I'd like to add a rule for denying them all.
These requests look like:
GET /?v_browser=Amigo%2F45.0.2454.107&v_chrome=45.0.2454.107&v_extension=25.0.46&rfr=blackbear3&aid=CD97F7BB-F5D3-4889-B781-C53695C5D4A1&id_extension=diciddlabejpoaofdnmoamebeohoiobg HTTP/1.1

GET /?&ts=1452855523947&s=e7b8e05c1048b23f20eacb77e90b59638ad898c1&appId=com.outfit7.mytalkingtomfree&appVersion=3.1.1&platform=ANDROID&lv=2.6.3&lc=ru&osv=4.4.2&dm=SM-T210&advertisingId=41a6a6c0-276b-4aad-affc-4d68dc5a7783&advertisingOptOut=false&wifi=2&jb=false

GET /?&ts=1452837410833&s=3c50dd07af0c72e47d5bc03f268652c5032e2329&appId=com.outfit7.mytalkingtomfree&appVersion=3.0.1&platform=ANDROID&lv=2.5.14&lc=ru&osv=4.4.2&dm=SM-T230&advertisingId=9c733111-f6e2-49e7-9932-ebb9bc3b330d&advertisingOptOut=false&wifi=2&jb=false

GET /?ccode=-1&model=TAB708&atime=1452841234&count=5&mcc=&osv=4.4.4&cell=&pid=1&net=WIFI&nmnc=&cid=0&lac=&pos=101&appv=5.11.5&v=2&pf=android&page=1&lan=ru_RU&brand=rockchip&nmcc=&mnc=&ch=null%23null%23null&uuid=695f4e57065676c4&

GET /?os=win&arch=x86&nacl_arch=x86-32&prod=chromiumcrx&prodchannel=unknown&prodversion=45.0.2454.103&lang=ru&x=id%3Dmhjmblbdnpeeginmmnedceemmlikpimp%26v%3D0.1.13%26uc

GET /?s=00000000&client=DynGate&rnd=282161415&p=10000001

GET /?screen_h=800&android_id=8c859e8805aad7ce&wifi=34:cd:be:6d:a2:a1,-73&cellid=401,01,12572,3117,-93&model=Lenovo+A319&gzip=&screen_w=480&clid=1866854&manufacturer=LENOVO&app_version=171&app_platform=android&uuid=0b24642dee695eca04ada776e06b13c8&os_version=4.4.2

And so on.

So may I make up any rule which would combine all of these requests? I don't have any similar parameters needed for my site. I've tried this one at / location:

if ($uri ~* '^/(\?s=|\?os=|\?imei=|\?&ts=|\?tk=|\?tm=|\?ptl=|\?act=|\?p=|\?callback=|\?v_browser=|\?ids=|\?root=|\?appkey=|\?ak=|\?alpha=|\?a=|\?method=|\?user_id=|\?v=|\?adnum=|\?app_signature=|\?osv=|\?getchannel=|\?param=|\?sensor=|\?ids=)$') {
deny all;
}

But it didn't work.

Thanks in advance for any help.
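
Added example, not part of the original post or of any project mentioned in the thread: in nginx, `$uri` is the normalized path and never includes the query string, so a regex on `$uri` cannot see `?v_browser=...`, and `deny` is not a directive that is allowed inside `if`. One way to express the intended rule is to classify on `$args` with `map` and reject with `return`. The variable name `$flood_query`, the `server_name` and the choice of parameter names (taken from the requests quoted above) are assumptions.

```nginx
# Added example (not from the thread). Goes in the http {} context.
# $args is the raw query string, i.e. everything after "?".
map $args $flood_query {
    default 0;
    # Case-insensitive match on a parameter name at the start of the
    # query string or right after "&". Names come from the quoted requests;
    # keep only those the site itself never uses.
    "~*(^|&)(v_browser|appId|advertisingId|android_id|nacl_arch|ccode|client|ts|osv)=" 1;
}

server {
    listen 80;
    server_name example.com;    # placeholder

    location / {
        # "if" treats "0" and the empty string as false.
        if ($flood_query) {
            return 444;         # nginx-specific: close the connection, send nothing
        }
        # ... normal handling for the site continues here ...
    }
}
```

Run `nginx -t` before reloading; `return 403;` can be used instead of `444` if a normal error response is preferred.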
Re: Deny if uri contains specific word
January 15, 2016 04:19AM
Have a look at the simple WAF inside the latest archive here http://nginx-win.ecsds.eu/
look in the /conf folder. Works for any OS.

---
nginx for Windows http://nginx-win.ecsds.eu/