Web Hosting Talk : Hosting Security and Technology

Howto using Nginx anti ddos proxy? Help me!
#1 | Junior Guru Wannabe | Join Date: Feb 2011 | Posts: 33

My servers are being DDoS attacked through proxies; the proxies flood my server heavily. I need someone to give me a detailed guide on using nginx to solve this problem. I use nginx as a reverse proxy. Thank you very much.



#2 | SeriesN | Oh, I'm a Gummy Bear, | Join Date: May 2011 | Location: New York, USA | Posts: 3,584
Do you have any sort of firewall setup?

#3 | Junior Guru Wannabe | Join Date: Feb 2011 | Posts: 33
Quote (Originally Posted by SeriesN):
Do you have any sort of firewall setup?
No, I have. I want to configure nginx only.

#4 | SeriesN | Oh, I'm a Gummy Bear, | Join Date: May 2011 | Location: New York, USA | Posts: 3,584
Without a firewall I do not think nginx alone can do something, because you need a way to block the attack, not just push it back.

#5 | Junior Guru Wannabe | Join Date: Feb 2011 | Posts: 33
Quote (Originally Posted by SeriesN):
Without a firewall I do not think nginx alone can do something, because you need a way to block the attack, not just push it back.
I have tried the CSF firewall, but it has no effect. My servers still go down. I see a few other servers using nginx that are more effective. Would you please help me solve this problem? I'm being attacked by proxies in huge quantities. Blocking IPs does not resolve the problem.

#6 | barbus | Aspiring Evangelist | Join Date: Aug 2010 | Location: Prague, Czech Republic | Posts: 403
Do you know what kind of DDoS you have?

__________________
Supportex.Net server management, full range of services. EU-based outsourced company. Since 1998.
Outstanding quality for high performance projects; clustering and high-availability solutions, DDoS protection.
Cisco/Juniper network management & deployment assistance. Network design and monitoring.

#7 | Junior Guru Wannabe | Join Date: Feb 2011 | Posts: 33
Quote (Originally Posted by barbus):
Do you know what kind of DDoS you have?
HTTP flooder. The attacker loads more proxies and attacks via port 80.

#8 | barbus | Aspiring Evangelist | Join Date: Aug 2010 | Location: Prague, Czech Republic | Posts: 403
What about bandwidth?


#9 | Junior Guru Wannabe | Join Date: Feb 2011 | Posts: 33
Quote (Originally Posted by barbus):
What about bandwidth?
My bandwidth greatly increased.

#10 | barbus | Aspiring Evangelist | Join Date: Aug 2010 | Location: Prague, Czech Republic | Posts: 403
Do you have any numbers related to the current bandwidth?


#11 | Junior Guru Wannabe | Join Date: Feb 2011 | Posts: 33
Quote (Originally Posted by barbus):
Do you have any numbers related to the current bandwidth?
After each attack, my bandwidth increased by about 500-600M.

#12 | infinitnet | Web Hosting Master | Join Date: Dec 2011 | Location: Germany | Posts: 974
You won't be able to block 600+Mbit with NGINX. If you've got good hardware and an uplink of at least 1Gbit, it would be possible to block this with LiteSpeed and a proper configuration.

__________________
r00t-Services.net | Anti DDoS, WAF, Security, Optimization, Troubleshooting.
In business since 2011 | Contact us: support[at]r00t-services.net
Affordable & Powerful DDoS Protection Service in Europe and the USA! (⌐■_■)--︻╦╤─ - - - DDoS

#13 | Junior Guru Wannabe | Join Date: Feb 2011 | Posts: 33
Quote (Originally Posted by infinitnet):
You won't be able to block 600+Mbit with NGINX. If you've got good hardware and an uplink of at least 1Gbit, it would be possible to block this with LiteSpeed and a proper configuration.
Sorry for the confusion above; I come from Vietnam, and my language may have made you misunderstand my idea. My servers are not subject to 600Mbit simultaneously at the same time. The latest features I observed from my visits are that the packet size is 1000B and the traffic comes from many different IPs. At the end of my attacks there is a loss of 600M of bandwidth; the 600M is not at the same time. Can you guide me more on using LiteSpeed to solve this problem?
Thank you very much!

#14 | infinitnet | Web Hosting Master | Join Date: Dec 2011 | Location: Germany | Posts: 974
Okay, if it's only a small-bandwidth attack, it might work with an NGINX reverse proxy. On the server running NGINX, save the following script as ddos.rb and run it with "ruby ddos.rb":

Code:
#!/usr/bin/env ruby
# Attack v1 (xd-mod) - A Threaded (D)aemonisied (D)DoS-Deflate alternative written in Ruby for IPtables

require 'logger'
require 'set'

class Attack
  CONNECTION_LIMIT = 25                    # block a source above this many connections
  FREQUENCY        = 20                    # seconds between checks
  FIREWALL         = "/usr/bin/iptables"   # adjust if iptables lives in /sbin on your box
  LOG_FILE         = "ddos.log"
  WHITELIST        = %w{ 127.0.0.1 }
  IPV4             = /\A\d{1,3}(\.\d{1,3}){3}\z/   # only ever hand a real address to iptables

  def initialize
    @log     = Logger.new(LOG_FILE)        # opened before chdir "/" so the path stays relative to where you started it
    @blocked = Set.new                     # remember what we dropped so the same rule is not inserted every cycle
    daemonize
    loop do
      run
      sleep(FREQUENCY)
    end
  end

  # Per-remote-address connection counts, taken fresh on every cycle.
  # (The original took a single snapshot at startup and re-checked it forever.)
  # Output lines look like "     37 1.2.3.4"; netstat header lines and the
  # empty IPv6 column left by "cut -d:" are filtered out by the IPV4 check below.
  def connections
    `netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n`.lines
  end

  def check(connections)
    connections.each do |connection|
      conn, ip = connection.split
      next unless ip =~ IPV4
      next if WHITELIST.include?(ip) || @blocked.include?(ip)
      if conn.to_i > CONNECTION_LIMIT
        # argv form, no shell: the address never goes through string interpolation
        system(FIREWALL, "-I", "INPUT", "-s", ip, "-j", "DROP")
        @blocked << ip
        @log.info "[IPT] Dropped -> #{ip} with -> #{conn} connections .."
      end
    end
  end

  def run
    Thread.new {
      check connections
      @log.info "[IPT] Checked connections at -> #{Time.now} .."
    }.join
  end

  protected

  def daemonize
    exit if fork
    Process.setsid
    exit if fork
    Dir.chdir "/"
    File.umask 0000
    STDIN.reopen "/dev/null"
    STDOUT.reopen "/dev/null", "a"
    STDERR.reopen STDOUT
    trap("TERM") { exit }
  end
end

Attack.new
This will block IPs with more than 25 concurrent connections using IPTables. Also change the NGINX workers in your NGINX config from 1 to the number of CPUs your reverse proxy server has, like 4 for a quad core, and restart NGINX.

Add the following kernel settings to your /etc/sysctl.conf and execute "sysctl -p":

Code:
# SYN cookies keep a SYN flood from exhausting the listen backlog
net.ipv4.tcp_syncookies = 1
# larger accept backlog for nginx
net.core.somaxconn = 1024
# give up on half-open connections after a single retry
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
# probe idle connections early and drop dead ones after one failed probe
net.ipv4.tcp_keepalive_intvl = 5
net.ipv4.tcp_keepalive_probes = 1
net.ipv4.tcp_keepalive_time = 30
# release FIN_WAIT sockets sooner
net.ipv4.tcp_fin_timeout = 20
# no TCP timestamps (smaller segments; note this also disables PAWS and RTT measurement)
net.ipv4.tcp_timestamps = 0
If that solution doesn't work, you will need to forget about your reverse proxy and switch your web server to LiteSpeed, install fail2ban with a custom regex, use this Ruby script too, and also apply the kernel settings.

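
As an added example (not from infinitnet's post or anything else in this thread), here is a minimal nginx reverse-proxy configuration that applies the worker_processes change above and additionally puts per-source-IP connection and request limits in nginx itself, which is what the thread starter asked for. The backend address 127.0.0.1:8080, the four CPUs, the hostname example.com and the limit values are assumptions. The limits are keyed on the TCP source address, not X-Forwarded-For: an attacker relaying through open proxies controls every header but not the address the proxy connects from. The caveat is the same as for the script: a flood spread over many proxies gives each source only a few connections, so a per-IP limit caps what each proxy can do rather than stopping the flood.

```nginx
# Added example, not part of the original post. Assumed: 4 CPUs, backend Apache on
# 127.0.0.1:8080, site served on port 80 for example.com, limit values picked for illustration.

worker_processes 4;                 # one worker per CPU (the post's advice: change it from 1)

events {
    worker_connections 4096;
}

http {
    # Shared-memory zones keyed on the raw client address ($binary_remote_addr),
    # never on X-Forwarded-For, which a proxied attacker can set to anything.
    limit_conn_zone $binary_remote_addr zone=perip_conn:10m;
    limit_req_zone  $binary_remote_addr zone=perip_req:10m rate=10r/s;

    # Short timeouts so idle or slow attack connections give their slot back quickly
    client_header_timeout 10s;
    client_body_timeout   10s;
    send_timeout          10s;
    keepalive_timeout     15s;

    server {
        listen      80;
        server_name example.com;

        limit_conn perip_conn 20;                   # at most 20 open connections per source IP
        limit_req  zone=perip_req burst=20 nodelay; # 10 r/s sustained, 20 extra allowed at once

        location / {
            proxy_pass http://127.0.0.1:8080;       # the Apache the thread starter is protecting
            proxy_set_header Host            $host;
            proxy_set_header X-Real-IP       $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_connect_timeout 5s;
            proxy_read_timeout    30s;
        }
    }
}
```

Check it with nginx -t before reloading. Requests over the limit get a 503 by default, and nginx writes a line of the form "limiting requests, excess: ... by zone "perip_req", client: 1.2.3.4" (or "limiting connections by zone") to the error log, which is exactly the kind of line a fail2ban regex, as the post suggests, can match to escalate a persistent source to an iptables DROP.
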

#15 | Junior Guru Wannabe | Join Date: Feb 2011 | Posts: 33
Quote (Originally Posted by infinitnet):
Okay, if it's only a small-bandwidth attack, it might work with an NGINX reverse proxy. [...]
First, thank you very, very much.
The attack I'm having makes Apache go down after a few minutes. I just found out about nginx and don't really understand it; the reason I mention nginx is the advice from my friends. I installed nginx admin, but when testing I see the status: Down. I do not know how to start it. If you have free time, I will send you information about my server, and I hope you can help.
