> them instead of giving them a captcha chance. For
> a lower intensity captcha I can see how your
> captcha system would shine though.

I meant of course a lower intensity DDoS, not captcha.

by malte - Nginx Mailing List - English

unclepieman Wrote:
-------------------------------------------------------
> Hey Malte,
>
> During a ddos attack, you are sending
> $possible_bad-ip to a different
> server that just sits there and does nothing but
> Captcha. The cost for
> showing a captcha to a host is far less than the
> impact it would have on
> your network/servers.
>
> also o

by malte - Nginx Mailing List - English

> Maybe I could add an extra variable like this:
> if ($limit_access_deny) {
> add_header Location http://xxxx:81/;
> return 302;
> }

Would work nicely.

> I think it's good to divide the determination from
> the Nginx. It's hard
> to determine by a single Nginx whether an IP is
> good or bad. Actually we
> have 20+ reverse proxy Nginx servers in th

by malte - Nginx Mailing List - English

unclepieman Wrote:
-------------------------------------------------------
> Hey,
>
> Instead of a 503, I would redirect them to
> localhost:81 and allow them to
> validate themselves via a captcha system in case it's
> a false positive.
> Like above, if a host logs the same src_ip more
> than $x times in $xy
> min, u should be moving the acl up the chain, your

by malte - Nginx Mailing List - English

Weibin Yao Wrote:
> We are facing a similar DDoS situation to yours.
> I'm developing a module
> which can deny individual IPs. The module can
> get the IPs with a
> POST request from a commander server in the
> intranet. If you have some
> suggestions, you can contact me.
>
> The module will be here:
> https://github.com/yaoweibin/nginx_limit_ac

by malte - Nginx Mailing List - English

Redd Vinylene Wrote:
-------------------------------------------------------
> Just real quick:
>
> What about one of the BSDs and pf? The latter is
> said to be the world's best
> firewall. Real elegant syntax too:
>
> block quick from
>
> pass in on $ext_if inet proto tcp from any to any
> port 80 keep state
> (max-src-conn 100, max-src-conn-rate

by malte - Nginx Mailing List - English

unclepieman Wrote:
-------------------------------------------------------
> Hi,
>
> Agreed, what I've done in the past to get around
> that issue is to set up a span port on our edge so
> it takes a packet and mirrors it to another
> server, say nic1. You run a script on that server
> that does all the number crunching; based on what
> it sees, you can have your scr

by malte - Nginx Mailing List - English

> If the site's audience is truly global, it's very
> difficult.
>
> Apart from the fact that in a true DDoS scenario
> (in the mentioned
> case, we're talking about 200something attacking
> hosts), you'd need
> NGINX to be sitting next to your peering points
> upstream.

This site has an emphasis on US, but still US traffic only makes up 40% of the traf

by malte - Nginx Mailing List - English

Hi Payam. Thanks for the offer, and you raise a valid point: it can be done in a script as you say, but that means a lot more work for the server compared to handling it in a native nginx module written in C. Typically native C code is many times faster than PHP, Python, etc. This is key if you are trying to stave off a DDoS attack coming in with tens of thousands of attack requests every second

by malte - Nginx Mailing List - English

Yes, I am aware that you can limit the max connections with the limit zone module. What I'd like to do is establish an in-memory list of abusive IPs which get no responses other than 503 errors, no matter what request they make. Since they are abusive, I want nginx to automatically spend as little processing power on them as possible.

by malte - Nginx Mailing List - English

I've recently been hit pretty hard with a nasty DDoS attack on a site of mine. With http://wiki.nginx.org/HttpLimitReqModule and http://wiki.nginx.org/HttpLimitZoneModule I was able to mitigate the attack reasonably well, but neither of these modules does what I'd really like to have done: temporarily serve only a plain 4xx or 5xx error message to any IP that is exhibiting clearly abusive behavi

by malte - Nginx Mailing List - English

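The off-path approach unclepieman describes above (a script that crunches the traffic and flags any source that logs more than $x requests in $xy minutes) and malte's goal of an in-memory deny list that costs nginx almost nothing per abusive request can be prototyped together. The following is an added example, not code from anyone in this thread or from any nginx module: it tallies requests per client IP over a sliding time window in nginx combined-format access log lines and renders the offenders as an nginx `geo` block setting the `$limit_access_deny` variable that appears earlier in the thread, so that a `return 503` rule keyed on it can fire without touching the upstream. The IPs, timestamps, thresholds and log lines are constructed; the `geo` file wiring and reload step are assumptions about how one would plug the output into nginx.

```python
"""Added example (not from the nginx mailing-list thread): count requests per
client IP over a sliding window in nginx combined-format access log lines and
emit the offenders as an nginx `geo` block. All IPs, timestamps and thresholds
below are constructed sample data (RFC 5737 TEST-NET ranges)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# nginx "combined" format: $remote_addr - $remote_user [$time_local] "$request" $status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"  # $time_local, e.g. 10/Mar/2011:12:00:00 +0000


def parse_line(line):
    """Return (ip, timestamp) for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TIME_FMT)


def find_abusers(lines, max_requests, window_seconds):
    """Return {ip: peak_count} for every IP that made more than max_requests
    requests inside any window_seconds-long interval.  One deque of timestamps
    per IP is the sliding window, so memory per IP is bounded by the threshold.
    Lines are assumed to be in log order (nginx appends as requests complete,
    so $time_local is non-decreasing within one file)."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    abusers = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip it rather than die mid-attack
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # evict timestamps that fell out of the window
            q.popleft()
        if len(q) > max_requests:
            abusers[ip] = max(abusers.get(ip, 0), len(q))
    return abusers


def to_nginx_geo(abusers, variable="limit_access_deny"):
    """Render the deny list as an nginx geo block (assumed wiring, not from the
    thread): offenders map to 1, everyone else to 0.  geo does the lookup inside
    nginx, so a server block can do `if ($limit_access_deny) { return 503; }`."""
    entries = "".join(f"    {ip} 1;\n" for ip in sorted(abusers))
    return f"geo ${variable} {{\n    default 0;\n{entries}}}\n"


def build_sample_log():
    """Constructed log: 203.0.113.7 fires 5 requests/second for 10 seconds,
    198.51.100.4 makes one request every 3 seconds, plus one garbage line."""
    base = datetime(2011, 3, 10, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for sec in range(10):
        stamp = (base + timedelta(seconds=sec)).strftime(TIME_FMT)
        for _ in range(5):
            lines.append(f'203.0.113.7 - - [{stamp}] "GET /index.php HTTP/1.1" 200 612 "-" "curl/7.21"')
        if sec % 3 == 0:
            lines.append(f'198.51.100.4 - - [{stamp}] "GET /about.html HTTP/1.1" 200 1422 "-" "Mozilla/5.0"')
    lines.append("not a log line at all")  # exercises the malformed-line path
    return lines


if __name__ == "__main__":
    # More than 20 requests from one IP inside any 5-second window is abusive here.
    hits = find_abusers(build_sample_log(), max_requests=20, window_seconds=5)
    print(hits)  # {'203.0.113.7': 30}
    print(to_nginx_geo(hits), end="")
```

Run against a tailed access log (or the mirrored traffic from a span port, as described above), write the `geo` output to a file that nginx.conf includes, and `nginx -s reload`; because `geo` is evaluated in nginx itself, the 503 costs nothing beyond the lookup, which is the property malte is after. Note this is a fixed sliding window over raw request counts, not the leaky bucket limit_req uses, so a legitimate client with a burst of 21 requests inside 5 seconds would be flagged at these constructed thresholds; the captcha redirect proposed in the thread is one way to let such false positives clear themselves.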