DDoS attacks are usually intended to paralyze websites and web services and it is better to mitigate it at the firewall level. But for the web server that runs on Nginx, I have prepared a basic step to provide DDoS protection which proved to work for small-scale DDoS attacks and DDoS attacks that aimed at applications. This DDos Attack Tutorial protection for Nginx guidelines has been tested on CentOS 6, CentOS 7, RHEL 7 and Oracle Linux 7. This steps may work on your environment but please note that this guidelines is not an official document and official recommendation from Nginx website.
DDos Attack Tutorial – Implement Basic Protection for Nginx :
1. In /etc/nginx/nginx.conf, include the following parameters :
client_body_buffer_size 128k;
large_client_header_buffers 4 256k;
limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=50r/s;
server {
limit_conn conn_limit_per_ip 10;
limit_req zone=req_limit_per_ip burst=10 nodelay;
}
2. Then restart or reload your Nginx service to apply DDoS protection for Nginx :
# /etc/init.d/nginx restart
or
# /etc/init.d/nginx reload
Explanation :
a) Limit the number of connections per single IP :
limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
b) Limit the number of requests for a given session :
limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=50r/s;
C) Zone which we want to limit by upper values, we want limit whole server :
server {
limit_conn conn_limit_per_ip 10;
limit_req zone=req_limit_per_ip burst=10 nodelay;
}
If your WordPress is under DDoS attack, you will get the following log into Nginx files domain.access.log :
1.2.3.4 - - [25/Mar/2015:16:52:38 +0800] "POST /wp-login.php HTTP/1.0" 200 6203 "-" "-" 1.2.3.4 - - [25/Mar/2015:16:52:39 +0800] "POST /wp-login.php HTTP/1.0" 200 6203 "-" "-" 1.2.3.4 - - [25/Mar/2015:16:52:39 +0800] "POST /wp-login.php HTTP/1.0" 200 6203 "-" "-" 1.2.3.4 - - [25/Mar/2015:16:52:40 +0800] "POST /wp-login.php HTTP/1.0" 200 6203 "-" "-" 1.2.3.4 - - [25/Mar/2015:16:52:40 +0800] "POST /wp-login.php HTTP/1.0" 200 6203 "-" "-" 1.2.3.4 - - [25/Mar/2015:16:52:41 +0800] "POST /wp-login.php HTTP/1.0" 200 6203 "-" "-" 1.2.3.4 - - [25/Mar/2015:16:52:41 +0800] "POST /wp-login.php HTTP/1.0" 200 6203 "-" "-" 1.2.3.4 - - [25/Mar/2015:16:52:42 +0800] "POST /wp-login.php HTTP/1.0" 200 6203 "-" "-" 1.2.3.4 - - [25/Mar/2015:16:52:42 +0800] "POST /wp-login.php HTTP/1.0" 200 6203 "-" "-" 1.2.3.4 - - [25/Mar/2015:16:52:43 +0800] "POST /wp-login.php HTTP/1.0" 200 6203 "-" "-" 1.2.3.4 - - [25/Mar/2015:16:52:43 +0800] "POST /wp-login.php HTTP/1.0" 200 6203 "-" "-" 1.2.3.4 - - [25/Mar/2015:16:52:44 +0800] "POST /wp-login.php HTTP/1.0" 200 6203 "-" "-" 1.2.3.4 - - [25/Mar/2015:16:52:44 +0800] "POST /wp-login.php HTTP/1.0" 200 6203 "-" "-" 1.2.3.4 - - [25/Mar/2015:16:52:45 +0800] "POST /wp-login.php HTTP/1.0" 200 6203 "-" "-" 1.2.3.4 - - [25/Mar/2015:16:52:45 +0800] "POST /wp-login.php HTTP/1.0" 200 6203 "-" "-"
Here is an example of the results after you perform basic DDoS protection for Nginx :
2015/03/28 11:44:33 [error] 22370#0: *71492 limiting connections by zone "conn_limit_per_ip", client: 1.2.3.4, server: www.ehowstuff.com, request: "GET /wp-login.php HTTP/1.0", host: "www.ehowstuff.com" 2015/03/28 11:44:33 [error] 22370#0: *71493 limiting connections by zone "conn_limit_per_ip", client: 1.2.3.4, server: www.ehowstuff.com, request: "GET /wp-login.php HTTP/1.0", host: "www.ehowstuff.com" 2015/03/28 11:44:33 [error] 22370#0: *71494 limiting connections by zone "conn_limit_per_ip", client: 1.2.3.4, server: www.ehowstuff.com, request: "GET /wp-login.php HTTP/1.0", host: "www.ehowstuff.com" 2015/03/28 11:44:33 [error] 22370#0: *71498 limiting connections by zone "conn_limit_per_ip", client: 1.2.3.4, server: www.ehowstuff.com, request: "GET /wp-login.php HTTP/1.0", host: "www.ehowstuff.com" 2015/03/28 11:44:33 [error] 22370#0: *71502 limiting connections by zone "conn_limit_per_ip", client: 1.2.3.4, server: www.ehowstuff.com, request: "GET /wp-login.php HTTP/1.0", host: "www.ehowstuff.com" 2015/03/28 11:44:33 [error] 22370#0: *71506 limiting connections by zone "conn_limit_per_ip", client: 1.2.3.4, server: www.ehowstuff.com, request: "GET /wp-login.php HTTP/1.0", host: "www.ehowstuff.com"
Hope this DDos Attack Tutorial to Implement Basic Protection on NGINX help!!