  1. #1
    Join Date
    Feb 2011
    Posts
    36

    Howto using Nginx anti ddos proxy? Help me!

    My servers are being DDoS attacked through proxies; the proxies flood my server heavily. I need someone to give me a detailed guide on using nginx to solve this problem. I use nginx as a reverse proxy. Thank you very much.

  2. #2
    Join Date
    May 2011
    Location
    New York, USA
    Posts
    4,019
    Do you have any sort of firewall setup?
    - Nexus Bytes LLC- Ryzen powered NVME VPS and web hosting, packed with perks and love!
    - Entry Bytes - Affordable VPS Cheap quality
    - USA (NYC | Miami | LA) | Europe (London, UK | Naaldwijk, NL) | Asia Pacific (Singapore | Japan | Australia)

  3. #3
    Join Date
    Feb 2011
    Posts
    36
    Quote Originally Posted by SeriesN View Post
    Do you have any sort of firewall setup?
    No, I haven't. I want to configure only nginx.

  4. #4
    Join Date
    May 2011
    Location
    New York, USA
    Posts
    4,019
    Without a firewall I do not think nginx alone can do something, because you need a way to block the attack, not just push it back.

  5. #5
    Join Date
    Feb 2011
    Posts
    36
    Quote Originally Posted by SeriesN View Post
    Without a firewall I do not think nginx alone can do something, because you need a way to block the attack, not just push it back.
    I have tried the CSF firewall but it had no effect. My servers still go down. I see a few other servers using nginx that are more effective. Would you please help me solve this problem? I'm being attacked by proxies in huge quantities. Blocking IPs does not resolve the problem.

  6. #6
    Join Date
    Aug 2010
    Location
    Prague, Czech Republic
    Posts
    404
    Do you know what kind of DDoS you have?
    Supportex.Net server management, full range of services. EU-based outsourced company. Since 1998.
    Outstanding quality for high performance projects; clustering and high-availability solutions, DDoS protection.
    Cisco/Juniper network management & deployment assistance. Network design and monitoring.

  7. #7
    Join Date
    Feb 2011
    Posts
    36
    Quote Originally Posted by barbus View Post
    Do you know what kind of DDoS you have?
    HTTP flooder. The attacker loads many proxies and attacks via port 80.

  8. #8
    Join Date
    Aug 2010
    Location
    Prague, Czech Republic
    Posts
    404
    What about bandwidth?

  9. #9
    Join Date
    Feb 2011
    Posts
    36
    Quote Originally Posted by barbus View Post
    What about bandwidth?
    My bandwidth greatly increased.

  10. #10
    Join Date
    Aug 2010
    Location
    Prague, Czech Republic
    Posts
    404
    Do you have any numbers related to the current bandwidth?

  11. #11
    Join Date
    Feb 2011
    Posts
    36
    Quote Originally Posted by barbus View Post
    Do you have any numbers related to the current bandwidth?
    After each attack, my bandwidth increased by about 500-600M.

  12. #12
    Join Date
    Dec 2011
    Location
    Germany
    Posts
    1,180
    You won't be able to block 600+Mbit with NGINX. If you've got good hardware and an uplink of at least 1Gbit, it would be possible to block this with LiteSpeed and a proper configuration.
    Inbound Marketing & real SEO for web hosting providers
    ✎ Get in touch with me: co<at>infinitnet.de

  13. #13
    Join Date
    Feb 2011
    Posts
    36
    Quote Originally Posted by infinitnet View Post
    You won't be able to block 600+Mbit with NGINX. If you've got good hardware and an uplink of at least 1Gbit, it would be possible to block this with LiteSpeed and a proper configuration.
    Sorry for the confusion above; I come from Vietnam and my language made you misunderstand my idea. My servers are not subject to 600Mbit simultaneously at the same time. The latest things I observed from my visit are that the packet size is 1000B and they come from many different IPs. At the end of my attacks I have lost 600M of bandwidth. The 600M is not all at the same time. Can you guide me more on using LiteSpeed to solve this problem?
    Thank you very much!

  14. #14
    Join Date
    Dec 2011
    Location
    Germany
    Posts
    1,180
    Okay, if it's only a small-bandwidth attack, it might work with an NGINX reverse proxy. On the server running NGINX, save the following script as ddos.rb and run it with "ruby ddos.rb":

    Code:
    #!/usr/bin/env ruby
    # Attack v1 (xd-mod) - A Threaded (D)aemonisied (D)DoS-Deflate alternative written in Ruby for IPtables

    require 'logger'

    class Attack
      CONNECTION_LIMIT = 25            # block a source once it holds more than this many connections
      FREQUENCY = 20                   # seconds between checks
      FIREWALL = "/usr/bin/iptables"
      LOG_FILE = "ddos.log"
      WHITELIST = %w{ 127.0.0.1 }      # never block these addresses

      def initialize
        @log = Logger.new(LOG_FILE)    # opened before daemonize chdirs to "/"
        @blocked = []                  # remember what is already dropped; avoids inserting a duplicate rule every cycle
        daemonize
        loop do
          run
          sleep(FREQUENCY)
        end
      end

      # Connection count per remote IPv4 address, one "<count> <ip>" line each.
      # Taken fresh on every cycle (the original took one snapshot at start-up and
      # re-checked that forever). IPv6 peers are mangled by the cut and are skipped in check().
      def connections
        `netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n`.lines
      end

      def check(connections)
        connections.each do |connection|
          conn, ip = connection.split
          next if ip.nil? or ip !~ /\A\d+\.\d+\.\d+\.\d+\z/   # skips netstat header lines
          if conn.to_i > CONNECTION_LIMIT and not WHITELIST.include?(ip) and not @blocked.include?(ip)
            `#{FIREWALL} -I INPUT -s #{ip} -j DROP`
            @blocked << ip
            @log.info "[IPT] Dropped -> #{ip} with -> #{conn} connections .."
          end
        end
      end

      def run
        Thread.new {
          check connections
          @log.info "[IPT] Checked connections at -> #{Time.now} .."
        }.join
      end

      protected

      def daemonize
        exit if fork
        Process.setsid
        exit if fork
        Dir.chdir "/"
        File.umask 0000
        STDIN.reopen "/dev/null"
        STDOUT.reopen "/dev/null", "a"
        STDERR.reopen STDOUT
        trap("TERM") { exit }
      end
    end

    Attack.new
    This will block IPs with more than 25 concurrent connections using iptables. Also change the NGINX workers in your NGINX config from 1 to the number of CPUs your reverse proxy server has, like 4 for a quad core, and restart NGINX.

    Add the following kernel settings to your /etc/sysctl.conf and execute "sysctl -p":

    Code:
    net.ipv4.tcp_syncookies = 1
    net.core.somaxconn = 1024
    net.ipv4.tcp_syn_retries = 1
    net.ipv4.tcp_synack_retries = 1
    net.ipv4.tcp_keepalive_intvl = 5
    net.ipv4.tcp_keepalive_probes = 1
    net.ipv4.tcp_keepalive_time = 30
    net.ipv4.tcp_fin_timeout = 20
    net.ipv4.tcp_timestamps = 0
    If that solution doesn't work, you will need to forget about your reverse proxy and switch your web server to LiteSpeed, install fail2ban with a custom regex, use this Ruby script too, and also apply the kernel settings.
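The post above tunes iptables and the kernel but never shows the nginx side, which is what the thread asked for. The following is an added example, not part of the original post or of any poster's setup: an nginx reverse-proxy configuration that caps requests and connections per client address, so each attacking proxy is throttled on its own. It assumes Apache has been moved to 127.0.0.1:8080, that nginx is 1.3.15 or newer (needed for limit_req_status and limit_conn_status), and that the file lives at /etc/nginx/nginx.conf; the zone names, limits and timeouts are illustrative values to tune against your own traffic.

```nginx
# /etc/nginx/nginx.conf (assumed path) - added example, not from the original thread.
# nginx terminates port 80 and proxies to Apache, assumed to listen on 127.0.0.1:8080.

worker_processes auto;             # one worker per CPU, as post #14 recommends
worker_rlimit_nofile 65535;

events {
    worker_connections 4096;
    multi_accept on;
}

http {
    # Shared-memory zones keyed by client address ($binary_remote_addr is 4 bytes
    # for IPv4, so a 10 MB zone tracks on the order of 160,000 addresses).
    limit_req_zone  $binary_remote_addr zone=req_per_ip:10m rate=10r/s;
    limit_conn_zone $binary_remote_addr zone=conn_per_ip:10m;

    # 444 closes the connection without sending a response, so a rejected
    # flood request costs no outbound bandwidth.
    limit_req_status  444;
    limit_conn_status 444;

    # Drop slow or idle clients quickly; an HTTP flooder that opens sockets and
    # trickles headers otherwise holds worker connections open.
    client_body_timeout   10s;
    client_header_timeout 10s;
    send_timeout          10s;
    keepalive_timeout     15s;
    reset_timedout_connection on;

    server {
        listen 80 default_server;
        server_name _;

        location / {
            # Sustained 10 r/s per address, a burst of 20 above that served
            # immediately (nodelay), anything beyond rejected with 444.
            limit_req  zone=req_per_ip burst=20 nodelay;
            # At most 20 simultaneous connections from one address.
            limit_conn conn_per_ip 20;

            proxy_pass            http://127.0.0.1:8080;
            proxy_set_header      Host            $host;
            proxy_set_header      X-Real-IP       $remote_addr;
            proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_connect_timeout 5s;
            proxy_read_timeout    30s;
        }
    }
}
```

Run `nginx -t` before reloading, then watch the error log for "limiting requests" and "limiting connections" entries to confirm the zones are firing. Two caveats: the limits are keyed on the connecting address, so with an attack relayed through many proxies each proxy gets its own budget, and a large proxy pool can still exceed what Apache tolerates, in which case lower the rate or pair this with the iptables script above. And nginx must still accept every TCP connection before it can reject the request, so this protects the backend and the outbound link, not the inbound bandwidth; that is the point posts #4 and #12 make.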

  15. #15
    Join Date
    Feb 2011
    Posts
    36
    Quote Originally Posted by infinitnet View Post
    Okay, if it's only a small-bandwidth attack, it might work with an NGINX reverse proxy. [...]
    First, thank you very, very much.
    The attack I'm having makes Apache go down after a few minutes. I only just found out about nginx, so I don't really understand it; the reason I mention nginx is because of advice from my friends. I installed nginx admin but when testing, I see the status: Down. I do not know how to start it. If you have free time, I will send you information about my server; I hope you can help.

  16. #16
    Join Date
    Dec 2011
    Location
    Germany
    Posts
    1,180
    I thought you had an NGINX reverse proxy up and running already with your current setup, sorry. I've sent you a PM.
