If you dig through some old posts, it was established that the deny feature of nginx isn't very effective at limiting‎ network activity. I deny at the firewall. 

What remains is if you should deny dynamically or statically. ‎

  Original Message  
From: c0nw0nk
Sent: Tuesday, September 27, 2016 11:42 AM
To: nginx@nginx.org
Reply To: nginx@nginx.org
Subject: Re: 444 return code and rate limiting

It is a response by the time the 444 is served it is to late a true DDoS is
not about what the server outputs its about what it can receive you can't
expect incoming traffic that amounts to 600Gbps to be prevented by a 1Gbps
port it does not work like that Nginx is an Application preventing any for
of DoS at an application level is a bad idea it needs to be stopped at a
router level before it hits the server to consume your receiving capacity of
1Gbps.

Adding IP address denies for DDoS to the Nginx .conf file at the application
level is to late still also the connection has been made the request headers
/ data of 100kb or less what ever the client sent has been received on your
1Gig port its already consuming your connection.

The only scenario I can think of where returning 444 is a good idea is under
a single IP flooding "DoS" because then your not increasing your ports
bandwidth output responding to someone who is opening and closing a
connection, But in this scenario its more like they are trying to make your
server DoS itself by making it max out its own outgoing bandwidth to just
their connection alone so nobody else can receive anything.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,269873,269879#msg-269879

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx