That attack wasn't very distributed. ;-)
Did you see if the IPs were from an ISP? If not, I'd ban the service using the Hurricane Electric BGP as a guide. At a minimum, you should be blocking the major cloud services, especially OVH. They offer free trial accounts, so of course the hackers abuse them.
If the attack was from an ISP, I can visualize a fail2ban scheme blocking the last quad not being too hard to implement . That is block xxx.xxx.xxx.0/24. Or maybe just let a typical fail2ban set up do your limiting and don't get fancy about the IP range.
I try "traffic management" at the firewall first. As I discovered with "deny" in nginx, much CPU work is still done prior to ignoring the request. (I don't recall the details exactly, but there is a thread I started on the topic in this list.) Better to block via the firewall since you will be running one anyway.
Original Message
From: Grant
Sent: Tuesday, December 13, 2016 2:01 PM
To: nginx@nginx.org
Reply To: nginx@nginx.org
Subject: limit_req per subnet?
I recently suffered DoS from a series of 10 sequential IP addresses.
limit_req would have dealt with the problem if a single IP address had
been used. Can it be made to work in a situation like this where a
series of sequential IP addresses are in play? Maybe per subnet?
- Grant
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx