DDoS protection solutions for LEB?

sonic Member
edited August 2011 in General

Please share your thoughts: how to protect an Nginx web server from DDoS attacks?

Shared: Smallweb | VPS: NexusBytes, HostHatch, VirMach, InceptionHosting
Gapps legacy 100/200 users cheap 4 sale. PM

Comments

  • KuJoe Member, Provider

    Nothing you run on your LEB will mitigate a DDoS attack... EVER. You need to purchase something that will stand between you and the attack such as a hardware firewall, dedicated server running squid, or a third party DDoS mitigation service.

    -Joe @ SecureDragon - LEB's Powered by Wyvern in FL, CO, CA, IL, NJ, GA, OR, TX, and AZ
    Need backup space? Check out BackupDragon
  • There are actually quite a few different types of denial of service attacks. There are some working on the application protocol level, for example constantly hitting the heavy pages of your website. Not a lot of bandwidth is required to attack your website, and your site would probably die from an overloaded CPU or IO subsystem.

    LowEndBox.com got attacked that way a few times, and it's possible to block them with Nginx. Shut down the browser and you'll regain the control of the server. Analyse the logs to work out the attack vectors, and then block them explicitly in your config. Restart the server and you are good to go (until the attacker changes the strategy again).

    However, for a massive flood of TCP/UDP or ICMP packets, there's probably nothing you can do from your VPS, and it requires the upstream to block some of these packets explicitly.

    Blog at LowEndBox.com.
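
The log analysis suggested in the post above, as an added example that is not part of the original thread: it finds the most-requested top-level location in an nginx combined-format access log and lists the clients responsible as `deny` lines. The sample log, the threshold and all function names are assumptions made for this illustration.

```python
import re
from collections import Counter

# nginx "combined" format: ip, identity, user, [time], "request", status, bytes, "referer", "agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" \d{3} \S+ "[^"]*" "[^"]*"'
)

def sample_log():
    """Constructed sample (documentation IP ranges), not taken from the thread."""
    bot = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    rows = ([("203.0.113.10", "/tag/vps", bot)] * 6
            + [("203.0.113.11", "/tag/nginx?page=2", bot)] * 4
            + [("198.51.100.7", "/", "Mozilla/5.0 Firefox/5.0"),
               ("198.51.100.7", "/tag/vps", "Mozilla/5.0 Firefox/5.0"),
               ("198.51.100.8", "/about", "Mozilla/5.0 Firefox/5.0")])
    lines = [f'{ip} - - [12/Aug/2011:10:00:00 +0000] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'
             for ip, path, ua in rows]
    return "\n".join(lines + ["truncated or malformed line"])

def parse(log_text):
    """Return (ip, path) pairs; query strings are dropped, malformed lines skipped."""
    matches = (LINE_RE.match(line) for line in log_text.splitlines())
    return [(m.group("ip"), m.group("path").split("?", 1)[0]) for m in matches if m]

def first_segment(path):
    """Map /tag/vps -> /tag and / -> / so requests group by top-level location."""
    return "/" + path.lstrip("/").split("/", 1)[0]

def hot_prefix(entries):
    """Return (prefix, hits) for the top-level location receiving the most requests."""
    return Counter(first_segment(path) for _, path in entries).most_common(1)[0]

def offenders(entries, prefix, threshold):
    """Return [(ip, hits)] for clients with at least `threshold` hits under prefix."""
    per_ip = Counter(ip for ip, path in entries if first_segment(path) == prefix)
    return [(ip, n) for ip, n in per_ip.most_common() if n >= threshold]

def deny_rules(ips):
    """Render nginx `deny` directives, one per address, for review before use."""
    return "\n".join(f"deny {ip};" for ip in ips)

if __name__ == "__main__":
    entries = parse(sample_log())
    prefix, hits = hot_prefix(entries)
    print(f"hottest location: {prefix} ({hits} requests)")
    print(deny_rules(ip for ip, _ in offenders(entries, prefix, threshold=3)))
```

A user-agent string is supplied by the client, so the per-IP counts are the evidence here, not the Googlebot label.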

  • Go59954 Member
    edited August 2011

    I was able to kill many DDoS attacks/abuse using an htaccess IP block. Another, software-based method I use wasn't able to mitigate them most of the time, but htaccess almost always did! Apache sometimes makes me love it even though it eats a lot of RAM; sometimes it does sorts of magic, I guess, with the htaccess IP block. Once I had an abuse type opening URLs tens of times each second, to the extent that the whole VPS wasn't accessible to me. I didn't bother, since I have the HyperVM control panel and used its file editor. Once I opened the log, figured out which IP it was and added it to htaccess as blocked, everything went back to normal the same second I saved the htaccess, without even needing to restart my server!

    ☻☻ VPS ☺ as of now:- 384-256-128-512x2 ☺☺

  • I don't know what type. When I run:

    netstat -an | grep :80 | wc -l

    It shows ~8k connections. When I look at access_log, all of them were faked as Googlebot; they load all my site tags, e.g. http://domain.com/tag


  • Block requests to /tag if that's what they are hitting with their GET flood attack.

    FreeVPS.us - The oldest post to host VPS provider
  • @dmmcintyre3: How do I block requests to /tag? I'm running LNMP on a 512 MB RAM VPS


  • dmmcintyre3 Member
    edited August 2011

    Add this to your config file for the site being attacked.

    location /tag {
        deny all;
    }
  • @sonic I use return 444; to block requests with nginx.

  • @dmmcintyre3: it's really helpful to me :D
    @Keith: how do I do that? Please give me more details cos I'm a noob at this :D


  • @sonic blocking either by location or user agent if you can uniquely identify the bot from a sub-string of the user agent.

    location / {
        location /tag {
            return 444;
        }
        if ($http_user_agent ~* "(Morfeus|larbin|ZmEu|Toata|DDOSbotname-changeme)" ) {
            return 444;
        }
    }
    

    4 other user agents worth blocking also included.

  • All user agents are Mozilla :D


  • @sonic You will have to block just by location then.

    Access by numeric IP can be blocked with nginx if that's how it's been done.

    Only allowing access by host name.

  • drmike Member
    edited August 2011

    Having a kick-ass legal department is a big plus as well. Last time we had a DDoS, the idiot who set it up used all Comcast and RR IP addresses. (Which is why I use the word idiot in there. One of the first things you learn about setting up a correct DDoS attack is never use the same network.) While I'm not a fan of either of those companies, they do listen to C&Ds. :)

    edit: That's one of the pluses of analyzing the attack as mentioned up above.
