Nginx – DDoS mitigation / prevention with nginx

ddosnginx

(To work around the "is a duplicate" issue: I don't see many requests. The number is rather small. Instead, each request downloads a lot of data.)

The server I'm talking about has 2×10 GBit/sec of Internet connectivity, with a backend of 40 GBit/sec. It serves around 20 TByte of data to the public, using nginx/vsftpd/rsyncd on a Debian Stable system. In addition, apache2 is used to serve some non-static content, but this can be disregarded.

The hardware is beefy enough to serve up to around 18 GBit/sec (as observed once), and traffic is free. As the server is a mirror of open source software and other public software, there's also not an issue of downtime being a critical problem.

However, I observe a specific pattern of DDoS attack I'd like to stop affecting the server. Whenever the attack is ongoing, most of the DVD ISOs of Debian (around 300 GByte, so way more than what fits in RAM) are downloaded by multiple hosts, with downloads per file repeating. Depending on how organized the attack is, this causes the bandwidth to increase quite a lot, and of course puts some stress on the hardware, while limiting the experience for legitimate users of the server at the same time.

In these attacks, typically 2-3 networks are coordinated in the attack, each downloading files as described. Most of the times it seems one click hosters or file caches of some sort are abused, tricked into downloading the same file over and over – and this being automated to download a number of different files as part of the attack.

Is there any way I can configure nginx to auto-ban certain IP ranges? Or limit traffic rates to, say, 1 GBit/sec for these networks (for some time)?

I don't want to impose a general limit, as the server actually should be used, even for high-speed transfers (mirror to mirror, most likely).

As a remark, a clever attacker, whatever the motivation might be, could start to abuse FTP/RSYNC instead of HTTP, working around the solutions this question might produce.

Currently, when I realize an DDoS attacks is going on, I scan the log files, identify the abusing networks, and ban them manually.

Best Answer

Actually you can use Nginx limit_req module and also Nginx limit_conn

Both modules are able to limit the connections from a specific source and also to limit requests made from IPs, and this in your case may be very helpfull

As per the reuqest, nginx can also be used to limit bandwidth.

location ^~ /videos/ {
...
limit_rate_after 100m;
limit_rate 150k;
...
}

in this example limit_rate_after 100m; nginx will (per each user connection, be aware of this) throttle connection to a max of 150k. So eg if you need to allow up to 100m of full bandwidth and then restrict speed, this can help you.

Be aware that this solution limits nginx download speed per connection, so, if one user opens multiple video files, it will be able to download 150k x the number of times he connected to the video files. If you need to set a limit to the connections, you should be able to do it with limit_zone and limit_conn directives. Example:

Inside your server block configuration:

limit_rate 128K; limit_zone one $binary_remote_addr 10m;

Inside your location block configuration:

limit_conn one 10;

In this example, it would allow 10 connections per IP with 1 Mbit each.

Credits

Related Solutions

Security – DDOS using ntp server

These attacks have been around for ages, they just became popular again the last couple of months. They work like any regular amplification attack: a host spoofs a query so that the source IP address seems to be the targetted host. The NTP server sends its answer to the spoofed address. Since the answer for specific query types can be quite large and usually is UDP, this can quite rapidly become a problem for the targetted host: it's being swamped with NTP packets.

Unfortunately this isn't a vulnerability in NTP servers, it's just a feature which is being abused. One thing to consider is if you need to run NTP servers which can be queried from the entire internet. If that's not needed, create an access list or firewall policy to block queries coming from untrusted sources. Then, what you can do to check if your NTP servers are vulnerable is doing NTP queries from untrusted sources and verify if you get an answer. But unfortunately there are quite a number of NTP servers which are public by intent (e.g. all servers in pool.ntp.org). If you need to run a public NTP server, you can consider implementing query ratelimiting to reduce impact to the targetted host in case of abuse.

Another, more generic part of the solution is that networks need to implement BCP38, which tells them to filter traffic leaving their networks so sending spoofed packets is impossible. Unfortunately, there are still a large number of networks which do not implement this kind of filtering, so all attacks with spoofed source packets (using any protocol like NTP, DNS or chargen) are still possible.

What you can do to mitigate such an attack depends a bit on your network and tools available, but one thing you should consider is blocking incoming NTP packets from untrusted sources (so check which NTP servers you're using). Of course, this doesn't help if your uplink is congested. In that case, you'll need to ask your ISP to help you filter the traffic.

How to mitigate DDOS attacks on AWS

1) Setting Security Group is easy and important layer of security. If you are running any web app than port 80/443 are one that to be open to the world and 22 for accessing server remotely via ssh should be allowed from a particular IP address only. Other than these 3 ports all traffic will be blocked. You can test with Port Scanning or NMAP tool.

2) Limit access for SSH to a your static IP address only and also for accessing EC2 Instance via ssh you need a key. If attacker somehow get to know your IP address he/she cannot access your server without key.

Note :- If you are using CDN(CloudFlare) than your EC2 Static IP is already hidden.

3) You can limit the amount of concurrent connections from the same IP address to your server.

You can use linux firewall rules for that :-

iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
iptables-save >/etc/iptables.up.rules

The first line will Watch the IP connecting to your eth0 interface. The second line will Check if the connection is new within the last 60 seconds and if the packet flow is higher than ten and if so it will drop the connection. The third line will Make the rules persistent in case of a reboot.

To verify the number of concurrent connections from all clients that are connected to your server :-

 netstat -tn 2>/dev/null | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head

It will show a list of the current active connections by IP address and the offending IP is usually the one with a high number of connections.

12  10.1.1.1
160 162.19.17.93

In the example above the first number is the number of connections followed by the Originating IP address.

Note :- In a heavily loaded server the number of connections may be above 100, but during DDOS attack the number will go even higher. For an average host, if you have more than 30 connections from a single IP, chances are you are under attack. If more than 5 such IP/Host connected from same network , that's a very clear sign of DDOS attack.

Output of lsof,netstat and tcpdump are very useful in detecting such type of issues.

Now you get the IP address of the client you can use IPtables to block that IP or tcpkill command to do so. TCPKILL is part of dsniff package.

apt-get install dsniff

Then issue :-

tcpkill host x.x.x.x

The above method is good and it will help you to mitigate small DDOS Attack if applied correctly. Now if you are using CDN ( CloudFlare ) than you can block the attacker at that level only. You can use CloudFlare API to block the IP address. In this traffic will not come to you server.

Best Answer

Related Solutions

Security – DDOS using ntp server

How to mitigate DDOS attacks on AWS

Related Topic