Re: limit-req and greedy UAs

September 11, 2016 11:32AM
This page has all the secret sauce, including how to limit the number of connections.

https://www.nginx.com/blog/mitigating-ddos-attacks-with-nginx-and-nginx-plus/

I set up the firewall with a higher number as a "just in case." Also note if you do streaming outside nginx, then you have to limit connections for that service in the program providing it. 

Mind you, while I think this page has good advice, what is listed here won't stop a real DDoS attack. The first D is for distributed, meaning the attack comes from many IP addresses. You probably have to pay for one of those reverse proxy services to avoid a real DDoS, but I personally find them a bit creepy since I have seen hacking attempts come from behind them.

The tips on this nginx page will limit the teenage boy in his parents' basement, which is a more real-life scenario to be attacked. But note that every photo you load is a request, so I wouldn't make the limit any lower than 5 to 10 per second. You can play with the limits and watch the results on your own system. Just remember to:
service nginx reload
service nginx restart

If you do fancy caching, you may have to clear your browser cache.

In theory, Google page ranking takes speed into account. There are many websites that will evaluate your nginx setup.
https://www.webpagetest.org/

One thing to remember is nginx limits are in bytes per second, not bits per second. So the 512k limit in this example is really quite generous.
http://www.webhostingtalk.com/showthread.php?t=1433413

There are programs you can run on your server to flog nginx.
https://www.howtoforge.com/how-to-benchmark-your-system-cpu-file-io-mysql-with-sysbench

I did this with httperf, but sysbench is supposed to be better. Nginx is very efficient. Your limiting factor will probably be your server network connection. If you sftp files from your server, it will be at the maximum rate you can deliver, and this depends on time of day since you are sharing the pipe. I'm using a VPS that does 40mbps on a good day. Figure 10 users at a time and the 512kbytes per second put me at the limit.

If you use the nginx map module, you can block download managers if they are honest with their user agents. 

http://nginx.org/en/docs/http/ngx_http_map_module.html
http://ask.xmodulo.com/block-specific-user-agents-nginx-web-server.html

Beware of creating false positives with such rules. When developing code, I return a 444, then search the access.log for what it found, just to ensure I wrote the rule correctly.






  Original Message  
From: Grant
Sent: Sunday, September 11, 2016 5:30 AM
To: nginx@nginx.org
Reply To: nginx@nginx.org
Subject: Re: limit-req and greedy UAs

> What looks to me to be a real resource hog that quite frankly you can't do much about are download managers. They open up multiple connections, but the rate limits apply to each individual connection. (This is why you want to limit the number of connections.)


Does this mean an attacker (for example) could get around rate limits
by opening a new connection for each request? How are the number of
connections limited?

- Grant

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
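
The limits discussed in this message, combined into one configuration as an added example (not part of the original post or of the linked nginx article): a per-IP request rate, a per-IP connection cap, a per-connection bandwidth limit, and a `map` on the User-Agent that returns 444. Zone names and sizes, the server name, the `/downloads/` path, the burst values and the User-Agent patterns are assumptions chosen for illustration.

```nginx
# Added example. All directives below belong in the http {} context.

# Request rate per client IP. Every image on a page is its own request,
# so the post's advice is to stay at 5 to 10 requests per second or above.
limit_req_zone  $binary_remote_addr zone=req_per_ip:10m rate=10r/s;

# Concurrent connections per client IP. limit_rate is applied per
# connection, so without this cap a client that opens N connections
# receives N times the configured bandwidth.
limit_conn_zone $binary_remote_addr zone=conn_per_ip:10m;

# Flag download managers that report themselves honestly.
map $http_user_agent $blocked_ua {
    default      0;
    ~*getright   1;    # hypothetical pattern
    ~*flashget   1;    # hypothetical pattern
}

server {
    listen      80;
    server_name example.com;          # placeholder

    # Return 429 instead of the default 503 so rejected requests are
    # easy to tell apart from backend failures in access.log.
    limit_req_status  429;
    limit_conn_status 429;

    if ($blocked_ua) {
        return 444;                   # close the connection, send nothing
    }

    location / {
        limit_req  zone=req_per_ip burst=20 nodelay;
        limit_conn conn_per_ip 10;
    }

    location /downloads/ {            # placeholder path
        limit_req  zone=req_per_ip burst=5;
        limit_conn conn_per_ip 2;
        limit_rate 512k;              # bytes per second, per connection
        # Worst case for one IP here: 2 connections x 512 KB/s = 1 MB/s.
    }
}
```

Running `nginx -t` before the reload catches syntax errors, and requests matched by the `map` appear in access.log with status 444, which is the entry to search for when checking a new pattern for false positives.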
