Welcome! Log In Create A New Profile

Advanced

Re: DDoS protection module suggestion

姚伟斌
November 05, 2010 08:52AM
Thanks, you give me some good ideas.

2010/11/5 Eugaia <ngx.eugaia@gmail.com>

> Hi,
>
>
> On 05/11/2010 11:51, Weibin Yao wrote:
>
>> I think it's good to divide the determination from the Nginx. It's hard to
>> determine the IP by single Nginx whether is good or bad. Actually we have
>> 20+ reverse proxy Nginx servers in the front. Each Nginx doesn't known
>> others status. In our DDOS attack, the bad-IP's request rate is a little
>> higher than the normal request.
>>
> I agree it's a good idea to split the determination, and I think it might
> be good to put the lookup code inside the get handler for the variable - so
> that the lookup is only made if it is required.
>
> You might want to also think about having a setting to check for the
> existence or value of a cookie before doing the IP lookup - to avoid
> unnecessary overhead. It might also be better to handle the setting of the
> cookie value inside your Nginx module, since it would make keeping the
> generation and checking of cookie values consistent easier to manage.
>
The IP lookup overhead is very low and quick, I allocated a big hash table.

> You could perhaps handle the setting / value of the cookie inside Nginx,
> and have a system similar to Maxim's auth_request module - whereby a
> subrequest which would check the reCaptcha (or whatever) value, and return
> 200 for success or anything else for failure.


> You could have directives like :
>
> limit_access_cookie [cookie_name];
> limit_access_cookie_str [cookie_value];
>
> and you might want to add optional hashing (e.g. MD5) of the cookie string,
> to make it harder for determined hackers to get past cookie authentication -
> e.g.
>
> limit_access_cookie_hash md5;
>
> I think the overhead of checking hashed values of a cookie wouldn't be too
> high, since in most cases under DDoS, the cookie wouldn't exist, so you'd
> generally only be hashing for genuine users.
>
I think it's a new and useful feature and should develop a different module.
I will have a try after my limit_access module.

>
> Just a few ideas, anyway. Good luck with it!
>
Thank you.

>
> Marcus.
>
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://nginx.org/mailman/listinfo/nginx
>
_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx
Subject Author Posted

DDoS protection module suggestion

malte November 02, 2010 10:19PM

Re: DDoS protection module suggestion

Weibin Yao November 02, 2010 10:58PM

Re: DDoS protection module suggestion

malte November 02, 2010 11:21PM

Re: DDoS protection module suggestion

unclepieman November 03, 2010 12:02AM

Re: DDoS protection module suggestion

malte November 03, 2010 05:00PM

Re: DDoS protection module suggestion

unclepieman November 03, 2010 05:15PM

Re: DDoS protection module suggestion

malte November 03, 2010 10:30PM

Re: DDoS protection module suggestion

Redd Vinylene November 04, 2010 04:52AM

Re: DDoS protection module suggestion

malte November 04, 2010 03:47PM

Re: DDoS protection module suggestion

Weibin Yao November 04, 2010 10:28PM

Re: DDoS protection module suggestion

unclepieman November 05, 2010 12:10AM

Re: DDoS protection module suggestion

Weibin Yao November 05, 2010 01:08AM

Re: DDoS protection module suggestion

malte November 05, 2010 01:58AM

Re: DDoS protection module suggestion

unclepieman November 05, 2010 03:34AM

Re: DDoS protection module suggestion

Weibin Yao November 05, 2010 05:56AM

Re: DDoS protection module suggestion

Eugaia November 05, 2010 06:44AM

Re: DDoS protection module suggestion

姚伟斌 November 05, 2010 08:52AM

Re: DDoS protection module suggestion

malte November 05, 2010 12:16PM

Re: DDoS protection module suggestion

姚伟斌 November 05, 2010 09:50PM

Re: DDoS protection module suggestion

malte November 05, 2010 12:11PM

Re: DDoS protection module suggestion

unclepieman November 05, 2010 01:08PM

Re: DDoS protection module suggestion

malte November 05, 2010 05:52PM

Re: DDoS protection module suggestion

malte November 05, 2010 05:53PM

Re: DDoS protection module suggestion

Weibin Yao November 05, 2010 05:42AM

Re: DDoS protection module suggestion

Rainer Duffner November 03, 2010 05:42PM

Re: DDoS protection module suggestion

malte November 03, 2010 10:22PM

Re: DDoS protection module suggestion

ken107 December 26, 2010 04:49AM

Re: DDoS protection module suggestion

Weibin Yao December 26, 2010 09:32PM

Re: DDoS protection module suggestion

Waleed G. March 25, 2012 01:04PM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 69
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready