How to mitigate DDoS attacks by configuring NGINX and NGINX Plus?
A DDoS (distributed denial of service) attack bombards the target with a large volume of requests, exhausting the resources of the server that provides the service so that it can no longer serve legitimate clients.

Typically the attacker saturates the server with a huge number of requests and connections until it can no longer accept new requests or responds very slowly.

Characteristics of application-layer DDoS attacks

Application-layer (layer 7, HTTP) DDoS attacks are usually launched from botnets of hosts compromised by trojans, and are designed to exploit weaknesses of the target system. For example, against a system that cannot handle many concurrent requests, the attacker only needs to open a large number of connections and periodically send a few bytes on each to keep the session alive; this exhausts the server's connection resources so that it can no longer accept new connections. Other attacks send a large number of connection requests or very large request bodies. Because the attack is driven by a botnet, the attacker can open a large number of connections and issue a large number of requests in a very short time.

The following are some characteristics of a DDoS attack that can be used to defend against it (including but not limited to):

The attack often comes from a relatively fixed set of IP addresses or ranges, and each IP opens far more connections and makes far more requests than a real user would.

Note: this does not mean that every such pattern is a DDoS attack. In many network architectures that use NAT, many clients reach public resources through the gateway's IP address. Even so, the request and connection counts from such a gateway are far below those of a DDoS attack.

Because the attack is generated by a program written to overload the server, its request rate far exceeds that of a human user.

The User-Agent header is often a non-standard value.

The Referer header is sometimes a value that can be associated with the attack.

Using NGINX and NGINX Plus to defend against DDoS attacks

Given the characteristics above, NGINX and NGINX Plus have many features that can be used to defend effectively against DDoS attacks. They work on two fronts: controlling the traffic entering the site, and controlling the traffic the reverse proxy forwards to the backend servers.

Limit the request rate

Limit the request rate accepted by NGINX and NGINX Plus to the range a real user would generate. For example, if you decide that an ordinary user requests the login page at most once every two seconds, you can configure NGINX to accept one request every two seconds (30 requests per minute) from each client IP address:

    limit_req_zone $binary_remote_addr zone=one:10m rate=30r/m;

    server {
        ...
        location /login.html {
            limit_req zone=one;
            ...
        }
    }

The limit_req_zone directive defines a shared memory zone named one that stores the request state for a given key, in this example the client IP address ($binary_remote_addr). The limit_req directive in the location block limits access to /login.html by referring to that zone. Note that without a burst parameter every request that arrives sooner than the configured interval is rejected immediately (with a 503 by default); adding burst=N lets limit_req queue up to N excess requests and pace them at the configured rate, and burst=N nodelay passes them through at once and only rejects the ones beyond N.
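The following is an added example, not code from the original article or from NGINX: a small Python model of the per-key leaky-bucket accounting that limit_req applies, so the effect of rate=30r/m with and without burst and nodelay can be seen on a timeline of request timestamps. The client IP, the timestamps and the simplification of NGINX's internal bookkeeping (no two-stage delay= parameter) are assumptions of the example.

```python
"""Model of how limit_req's leaky bucket decides on each request.

Added illustration, not NGINX source. Per key (here per client IP) NGINX
keeps an "excess" counter that drains at `rate` requests per second and
grows by one on every accounted request; a request whose excess would go
above `burst` is rejected, one within the burst is either paced (default)
or passed straight through (nodelay).
"""
from dataclasses import dataclass, field


@dataclass
class LimitReq:
    rate: float            # allowed requests per second (30r/m == 0.5)
    burst: int = 0         # extra requests that may be queued or passed
    nodelay: bool = False  # pass burst requests immediately instead of pacing them
    # per-key state: (excess requests in the bucket, time of last accounted request)
    state: dict = field(default_factory=dict)

    def check(self, key: str, now: float) -> str:
        """Return 'ok', 'delay <seconds>s' or 'reject' for a request at time `now`."""
        if key not in self.state:
            # first request seen for this key: the bucket is empty
            self.state[key] = (0.0, now)
            return "ok"
        excess, last = self.state[key]
        # the bucket drains at `rate` per second; this request adds one unit
        excess = max(excess - self.rate * (now - last) + 1.0, 0.0)
        if excess > self.burst:
            # over the burst: rejected (503 by default); state is not updated
            return "reject"
        self.state[key] = (excess, now)
        if excess > 0 and not self.nodelay:
            # within the burst but above the rate: held until the bucket drains
            return f"delay {excess / self.rate:.1f}s"
        return "ok"


def simulate(rate: float, burst: int, nodelay: bool, times: list) -> list:
    """Run one client's request timestamps (assumed IP 10.0.0.1) through a limiter."""
    lim = LimitReq(rate=rate, burst=burst, nodelay=nodelay)
    return [lim.check("10.0.0.1", t) for t in times]


if __name__ == "__main__":
    # the page's setting: rate=30r/m with no burst
    print(simulate(0.5, 0, False, [0.0, 1.0, 2.5]))
    # the same rate with burst=5 nodelay: six quick requests pass, the seventh is rejected
    print(simulate(0.5, 5, True, [0.1 * i for i in range(7)]))
    # burst=5 without nodelay: the second quick request is paced instead
    print(simulate(0.5, 5, False, [0.0, 0.1]))
```

With the page's bare limit_req zone=one, a second request one second after the first is rejected outright, which is what a login form should expect but can surprise pages that load several assets at once; burst gives such clients headroom without raising the sustained rate.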

Limit the number of connections

Limit the number of connections accepted by NGINX and NGINX Plus to the range a real user needs. For example, you can allow at most 10 connections per client IP address to the /store/ section of the site:

    limit_conn_zone $binary_remote_addr zone=addr:10m;

    server {
        ...
        location /store/ {
            limit_conn addr 10;
            ...
        }
    }

The limit_conn_zone directive defines a shared memory zone named addr that stores the state for a given key, here the client IP address ($binary_remote_addr). The limit_conn directive in the location block refers to the addr zone and limits each client IP to at most 10 concurrent connections to /store/.

Close slow connections

Some DDoS attacks, such as Slowloris, work by opening a large number of connections and then sending data at a very slow rate (a few header bytes at a time) so that each connection stays open far longer than a normal request would. Such attacks can be mitigated by closing connections that are too slow.

The client_body_timeout directive sets the timeout for reading the client request body, and client_header_timeout sets the timeout for reading the client request header. Both default to 60 seconds; the following configuration lowers them to 5 seconds (pick a value that real clients on slow links can still meet):

    server {
        client_body_timeout 5s;
        client_header_timeout 5s;
        ...
    }

Set up an IP blacklist

If you have determined that the attack originates from certain IP addresses, you can blacklist them so that NGINX no longer accepts their requests. For example, if the attack comes from addresses in 123.123.123.0/28 (123.123.123.0 through 123.123.123.15), you can deny that whole block:

    location / {
        deny 123.123.123.0/28;
        ...
    }

Or, if the attack is known to come from 123.123.123.3, 123.123.123.5 and 123.123.123.7:

    location / {
        deny 123.123.123.3;
        deny 123.123.123.5;
        deny 123.123.123.7;
        ...
    }

Set up an IP whitelist

If your site should only be reachable from specific IP addresses or ranges, you can combine the allow and deny directives to restrict access to the addresses you specify. The following allows only intranet users in 192.168.1.0/24:

    location / {
        allow 192.168.1.0/24;
        deny all;
        ...
    }

The deny all directive rejects requests from every IP address except the range specified by allow. Rules are evaluated in the order written and the first matching rule wins, so allow must come before deny all; a client that matches no rule is allowed.
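The following is an added example, not code from the original article or from NGINX: a Python evaluator that applies allow/deny lists with the same first-match semantics as NGINX's access module, which is handy for checking what a blacklist or whitelist actually covers before deploying it. The three rule lists and the client addresses tested against them are constructed for the example.

```python
"""Evaluate NGINX-style allow/deny rules the way the access module does.

Added illustration, not NGINX code: rules are checked in the order written,
the first rule whose address or CIDR matches the client decides, and a
client matching no rule is allowed.
"""
import ipaddress


def parse_rules(config: str) -> list:
    """Turn lines such as 'allow 192.168.1.0/24;' or 'deny all;' into (action, network) pairs."""
    rules = []
    for line in config.splitlines():
        line = line.strip().rstrip(";")
        if not line or line.startswith("#"):
            continue
        action, target = line.split(None, 1)
        if action not in ("allow", "deny"):
            raise ValueError(f"unsupported directive: {action}")
        # 'all' matches every address; a bare address becomes a /32 (or /128) network
        net = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, net))
    return rules


def is_allowed(rules: list, client_ip: str) -> bool:
    """First matching rule wins; no match means the request is allowed."""
    ip = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net is None or (ip.version == net.version and ip in net):
            return action == "allow"
    return True


# constructed rule lists mirroring the blacklist and whitelist shown above
BLACKLIST = "deny 123.123.123.0/28;"
WHITELIST = "allow 192.168.1.0/24;\ndeny all;"
WRONG_ORDER = "deny all;\nallow 192.168.1.0/24;"   # deny all first: nobody gets in


def coverage_report() -> dict:
    """Check a few constructed client addresses against each list."""
    bl, wl, bad = parse_rules(BLACKLIST), parse_rules(WHITELIST), parse_rules(WRONG_ORDER)
    return {
        "blacklist .15": is_allowed(bl, "123.123.123.15"),   # inside the /28, denied
        "blacklist .16": is_allowed(bl, "123.123.123.16"),   # outside the /28, still allowed
        "whitelist intranet": is_allowed(wl, "192.168.1.77"),
        "whitelist outsider": is_allowed(wl, "10.0.0.5"),
        "wrong order intranet": is_allowed(bad, "192.168.1.77"),
    }


if __name__ == "__main__":
    for name, allowed in coverage_report().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The .16 case is the one to watch when translating an observed address range into a CIDR block: a /28 ends at .15, so an attacker at .16 needs its own deny line.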

Using caching to absorb traffic peaks

By enabling NGINX's caching and tuning specific cache parameters, you can reduce the traffic generated by an attack and the load on the backend servers. Some useful settings:

The updating parameter of proxy_cache_use_stale tells NGINX to keep serving a stale cached object while it is being refreshed, so that only one refresh request for an object reaches the backend at a time; while the cached copy is valid, client requests for that object do not touch the backend at all. Against an attack that requests the same file very frequently, caching greatly reduces the number of requests the backend has to handle.

The key defined by the proxy_cache_key directive usually contains embedded variables (the default, $scheme$proxy_host$request_uri, contains three). If the key contains the $query_string variable and the attacker sends random query strings, every request becomes a cache miss and the cache fills with useless entries, so we recommend not including $query_string in the key. Note that $request_uri also carries the query string; to key the cache on the path alone, use $uri in its place.

Block specific requests

NGINX and NGINX Plus can be configured to block certain kinds of requests:

Requests for a specific URL

Requests with an abnormal User-Agent

Requests whose Referer header contains a value that can be associated with the attack

Requests whose other headers contain values that can be associated with the attack

For example, if you determine that the attack targets a specific URL, /foo.php, you can block requests for that page:

    location /foo.php {
        deny all;
    }

Or, if you are sure that the User-Agent of the attack requests contains foo or bar, you can block those requests (the if directive is safe here because the block contains only a return):

    location / {
        if ($http_user_agent ~* foo|bar) {
            return 403;
        }
        ...
    }

For an example of blocking requests whose headers carry malicious values, see the NGINX blog post on protecting against CVE-2015-1635 (/blog/nginx-protect-CVE-2015-1635/).

Optimize NGINX performance

A DDoS attack usually brings a heavy load, and tuning NGINX and NGINX Plus raises their processing capacity and so helps withstand the attack. See Tuning NGINX for Performance (/blog/tuning-nginx/).

Identify DDoS attacks

So far we have focused on how NGINX and NGINX Plus mitigate the impact of a DDoS attack. How can they help identify one? The NGINX Plus status module provides detailed statistics about the traffic to the backend servers, which can be used to spot abnormal traffic, and NGINX Plus ships a dashboard page showing the current status of the service. The same statistics are available through an API, so they can be fed into your own monitoring or third-party systems, compared against historical trends to detect anomalies, and used to raise alerts. With open-source NGINX the access log carries the same signals (per-IP request rates, User-Agent and Referer values) and can be analyzed offline or in a log pipeline.

Summary

NGINX and NGINX Plus are powerful tools for defending against DDoS attacks. NGINX Plus adds features that help withstand attacks and detect them promptly. You can also use third-party DDoS protection services; for example Yu Chuang and Zhihu can mitigate both DDoS and CC (HTTP flood) attacks and work well.