i have 4 webserver behind cloudflare and a loadbalancer, nginx is the web browser, php-fpm manage the php pages. i don't know how to block a simple dos attack ...

i'm able to detect this attack by use the http_limit_req module from nginx http://wiki.nginx.org/HttpLimitReqModule

but this is not block the attack at all, yes can mitigate but webservers are hit and hit again, and php-fpm goes to 80% and in a minute the website is unreachable.

i'm trying to find a way to block this kind of request.

i know how to block certain ip address or certain useragent with nginx but i want to do it automatically. I think that i cannot block the ip with iptables because the request come from the loadbalancer :( but i'm still able to detect the correct ip address with the set_real_ip_from and real_ip_header X-Forwarded-For with nginx.

i have the log file (error.log) filled with the correct ip address as you can see:

2012/03/27 18:34:02 [error] 31234#0: *1283 limiting connections by zone "staging", client: XX.XX.XX.XXX, server: www.xxxxxxx.com, request: "HEAD /it HTTP/1.1", host: "www.xxxxxxx.com"

Someone have an idea and can teach me how to block automatically this ip?

thanks in advance!