> Maybe I could add extra variable like this:
> if ($limit_access_deny) {
> add_header Location http://xxxx:81/;
> return 302;
> }
Would work nicely.
> I think it's good to separate the determination from Nginx. It's hard
> for a single Nginx to determine whether an IP is good or bad. Actually we
> have 20+ reverse proxy Nginx servers in the front. Each Nginx doesn't
> know the others' status. In our DDoS attack, the bad IP's request rate is a
> little higher than the normal request rate.
>
> We decided to collect the logs together and analyze them. I don't know the
> payload of log collection. Maybe it's too high. We have not done the
> performance test yet. Or we should do log analysis distributed on each
> server and then collect the results together.
Hms. In my setup, I have 3 machines each running nginx. They all have their own public IP, and I simply let DNS round-robin the requests to them. When I was hit, all machines were hit simultaneously, but the individual bots attacking each targeted one machine only.
I take it you have some sort of load balancer in front that distributes your incoming traffic differently from me?
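
The distributed variant mentioned in the quoted message (count on each proxy, then collect the results together), sketched as an added example that is not part of the original thread. The proxy names, IP addresses, log lines and thresholds are constructed, and it assumes the default nginx "combined" log format and that one client's requests are spread across the proxies.

```python
import re
from collections import Counter

# Default nginx "combined" format: client IP first, timestamp in brackets.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')

def count_per_ip(log_lines):
    """Runs on each proxy: requests per (minute, client IP)."""
    counts = Counter()
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the batch
        ip, ts = m.groups()
        counts[(ts[:17], ip)] += 1  # ts[:17] == "10/Oct/2023:13:55"
    return counts

def merge(per_proxy_counts):
    """Runs on the collector: sum the small per-proxy summaries."""
    total = Counter()
    for counts in per_proxy_counts:
        total.update(counts)
    return total

def flag(counts, threshold):
    """IPs exceeding `threshold` requests in any one minute."""
    return sorted({ip for (_, ip), n in counts.items() if n > threshold})

def make_lines(ip, n, minute="10/Oct/2023:13:55"):
    """Constructed sample access-log lines, one request per second."""
    return [f'{ip} - - [{minute}:{s:02d} +0000] "GET / HTTP/1.1" 200 612 "-" "-"'
            for s in range(n)]

BAD, GOOD = "203.0.113.7", "198.51.100.20"  # constructed documentation IPs
PROXY_LOGS = {  # constructed: BAD sends 4 req/min to every proxy
    "proxy1": make_lines(BAD, 4) + make_lines(GOOD, 3),
    "proxy2": make_lines(BAD, 4),
    "proxy3": make_lines(BAD, 4),
}
PER_PROXY_LIMIT = 5   # assumed local limit: no single proxy sees a violation
GLOBAL_LIMIT = 10     # assumed limit applied to the merged counts

if __name__ == "__main__":
    summaries = {name: count_per_ip(lines) for name, lines in PROXY_LOGS.items()}
    for name, counts in summaries.items():
        print(name, "flags", flag(counts, PER_PROXY_LIMIT))
    print("merged flags", flag(merge(summaries.values()), GLOBAL_LIMIT))
```

Only the per-minute counters leave each proxy, so the collector handles far less data than it would with raw log shipping.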