Yeah, I agree; basically it is not easy to take down nginx with such an
attack. The question is still there: what kind of limitations do we have to
put in place to avoid such an abuser?
My considerations:
- firewall -> max connections by IP
- firewall -> SYN proxy (to avoid SYN attacks)
- firewall -> connection rate
- OS -> max open sockets by processes
- OS -> TCP/IP stack tuning, allocated memory
- OS -> max CPU time
- OS -> max used memory (slightly different terminology all across Unixes)
- webserver -> max fds, running workers, etc.
Basically you have to have a multi-layer limitation to avoid resource
abuse and then you can sleep well :)
Regards,
Istvan
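
The web-server layer of the list above, sketched as an nginx configuration. This is an added example, not part of the original message; the zone names, server name and every number are illustrative assumptions. It also repeats the per-IP connection and rate caps inside nginx as a second layer behind the firewall.

```nginx
# Added example: all values are illustrative assumptions; size them to the host.
worker_processes      4;      # "running workers": fixed, not unbounded
worker_rlimit_nofile  8192;   # "max fds": RLIMIT_NOFILE for each worker

events {
    # Hard cap on simultaneous connections per worker. Keep it below
    # worker_rlimit_nofile: a proxied request holds two descriptors.
    # Total ceiling = worker_processes * worker_connections.
    worker_connections  4096;
}

http {
    # Shared-memory counters keyed by client address.
    limit_conn_zone $binary_remote_addr zone=conn_per_ip:10m;
    limit_req_zone  $binary_remote_addr zone=req_per_ip:10m rate=10r/s;

    server {
        listen      80;
        server_name example.test;            # placeholder name

        # Per-IP concurrent connections. nginx counts a connection here
        # only once the full request header has been read, so idle or
        # half-open sockets are not covered; those still need the
        # firewall and OS limits from the list.
        limit_conn  conn_per_ip 20;

        # Per-IP request rate with a small burst allowance.
        limit_req   zone=req_per_ip burst=20 nodelay;

        # Reject with 429 and log at warn so the limits can be monitored.
        limit_conn_status    429;
        limit_req_status     429;
        limit_conn_log_level warn;
        limit_req_log_level  warn;
    }
}
```

Running `nginx -t` checks the file for syntax errors before a reload.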
On Tue, Jun 23, 2009 at 9:09 AM, Weibin Yao wrote:
> Istv