Protecting Against DDOS Attacks with Nginx Configuration

I. Introduction

DDOS (Distributed Denial of Service) attacks have become a significant concern for online services, causing bandwidth and service disruptions. These attacks involve flooding a server with traffic from multiple sources, overwhelming its resources and leading to downtime. In this article, we will explore how to configure Nginx to prevent DDOS attacks.

II. Understanding DDOS Attacks

DDOS attacks exhaust either a server's bandwidth or its service capacity from many distributed sources, and are commonly categorized into four types: traffic attacks, application attacks, bandwidth attacks, and throughput attacks. To combat these attacks, we need to implement defense mechanisms that can absorb the increased traffic and prevent service disruptions.

III. Nginx Configuration for DDOS Defense

Nginx provides two modules to help defend against DDOS attacks: http_limit_conn and http_limit_req. These modules can limit the number of connections and requests per second from a single IP address.

III.1 Limiting Requests per Second

The http_limit_req module uses the leaky bucket principle to limit the number of requests per unit time. When the number of requests exceeds the limit, it returns a 503 error. The configuration settings for this module are:

http {
    limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;
    server {
        location ~ \.php$ {
            limit_req zone=one burst=5 nodelay;
        }
    }
}

In this configuration:

  • $binary_remote_addr is the binary remote address of the client.
  • zone=one:10m defines a zone named “one” with 10M of shared memory allocated to store per-client state (about 16,000 addresses per megabyte).
  • rate=10r/s limits the frequency of requests from one client to 10 per second.
  • burst=5 allows the number of requests to exceed the frequency limit by up to 5 requests within a 15-second window.
  • nodelay means that requests within the burst are served immediately rather than being delayed to match the rate; requests beyond the burst are rejected.

III.2 Limiting IP Connections

The http_limit_conn module limits the number of connections from a single IP address. The configuration settings for this module are:

http {
    limit_conn_zone $binary_remote_addr zone=addr:10m;
    server {
        location /download/ {
            limit_conn addr 1;
        }
    }
}

In this configuration:

  • $binary_remote_addr is the binary remote address of the client.
  • zone=addr:10m defines a zone named “addr” with 10M of shared memory allocated to store per-client connection state.
  • limit_conn addr 1 limits the number of connections from a single IP address to 1.

IV. Whitelist Setting

When using a load balancer or reverse proxy, we need to whitelist the IP addresses of the load balancer or reverse proxy to prevent them from being limited by the http_limit_conn and http_limit_req modules. We can use the geo module to define a whitelist:

geo $whitelist {
    default 1;
    10.11.15.161 0;
}

map $whitelist $limit {
    1 $binary_remote_addr;
    0 "";
}

limit_req_zone $limit zone=one:10m rate=10r/s;
limit_conn_zone $limit zone=addr:10m;

In this configuration:

  • $whitelist is 0 for whitelisted addresses (here 10.11.15.161) and 1 (the default) for every other client.
  • $limit is the key used by both zones: it is $binary_remote_addr for clients that are not whitelisted, and an empty string for whitelisted clients. Nginx does not account requests whose key is empty, so whitelisted clients are never limited.
  • limit_req_zone $limit zone=one:10m rate=10r/s limits the number of requests per second for IP addresses not in the whitelist.
  • limit_conn_zone $limit zone=addr:10m limits the number of connections from IP addresses not in the whitelist.
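To make the behaviour of rate, burst and nodelay (section III.1) and of the empty-key whitelist (this section) concrete, here is an added Python model of the limit_req leaky bucket as Nginx implements it (an excess counter per key that drains at the configured rate). It is not part of the original article or of Nginx itself; the client addresses and request timings are constructed sample input.

```python
"""Model of nginx limit_req: excess counter per key, drained at `rate` per second."""
from dataclasses import dataclass, field


@dataclass
class LimitReqZone:
    rate: float                 # requests per second, e.g. rate=10r/s -> 10.0
    burst: int = 0              # size of the excess bucket, e.g. burst=5
    nodelay: bool = False       # serve burst requests at once instead of pacing them
    state: dict = field(default_factory=dict)   # key -> (excess, last_seen)

    def handle(self, key, now):
        """Return (status, delay_seconds) for one request from `key` at time `now`."""
        if key == "":
            # Empty key: nginx does not account the request at all. This is what
            # the geo/map whitelist relies on when $limit is "" for trusted clients.
            return "200", 0.0
        if key not in self.state:
            # First request from this client starts with an empty bucket.
            self.state[key] = (0.0, now)
            return "200", 0.0
        excess, last = self.state[key]
        # The bucket drains at `rate` requests per second; this request adds one.
        excess = max(excess - self.rate * (now - last) + 1.0, 0.0)
        if excess > self.burst:
            # Over the burst: rejected with 503; stored state is left untouched.
            return "503", 0.0
        self.state[key] = (excess, now)
        if self.nodelay or excess == 0.0:
            return "200", 0.0
        # Without nodelay, excess requests are paced: delay = excess / rate.
        return "200", excess / self.rate


def simulate(rate, burst, nodelay, requests):
    """requests: list of (key, time_seconds). Returns a list of (status, delay)."""
    zone = LimitReqZone(rate=rate, burst=burst, nodelay=nodelay)
    return [zone.handle(key, t) for key, t in requests]


if __name__ == "__main__":
    # Constructed sample: one client fires 8 requests at once, then one a second later.
    ip = "10.11.15.174"  # stands in for the $binary_remote_addr key
    flood = [(ip, 0.0)] * 8 + [(ip, 1.0)]
    for label, nodelay in (("nodelay", True), ("paced", False)):
        results = simulate(10.0, 5, nodelay, flood)
        print(label, [s + (" +%.1fs" % d if d else "") for s, d in results])
```

With rate=10r/s and burst=5, the first six simultaneous requests are accepted (paced by 0.1 s steps unless nodelay is set), the seventh and eighth get 503, and the bucket has fully drained by the time the request at t=1.0 s arrives.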

V. Testing

To test the effectiveness of the http_limit_conn and http_limit_req modules, we can use the ab command to simulate a CC (Connection Count) attack:

ab -n <total requests> -c <concurrent requests> http://10.11.15.174/i.php

When a request is rejected, Nginx returns a 503 error, and the error log records that the request or connection limit for that client was exceeded.

VI. Other Anti-DDOS Methods

In addition to the http_limit_conn and http_limit_req modules, there are other anti-DDOS methods available, including:

  • ModSecurity: an application-layer WAF that can detect and prevent attacks.
  • ngx_lua_waf: a web application firewall based on the Lua programming language.
  • http_guard: a module based on openresty that can detect and prevent attacks.
  • fail2ban: a software that analyzes log files to detect and prevent attacks.
  • iptables: a firewall that can be used to block malicious traffic.

Conclusion

DDOS attacks are a significant concern for online services, and implementing defense mechanisms is crucial to prevent service disruptions. The http_limit_conn and http_limit_req modules in Nginx can help defend against DDOS attacks by limiting the number of connections and requests per second from a single IP address. By configuring these modules and implementing other anti-DDOS methods, we can protect our online services from DDOS attacks.