| Subject: | Re: DDoS protection module suggestion | |
|---|---|---|
| From: | Weibin Yao (nbub...@gmail.com) | |
| Date: | Nov 4, 2010 7:17:50 pm | |
| List: | ru.sysoev.nginx | |
malte at 2010-11-5 3:47 wrote:
Redd Vinylene Wrote:
-------------------------------------------------------
Just real quick:
What about one of the BSDs and pf? The latter is said to be the world's best firewall. Real elegant syntax too:
block quick from
pass in on $ext_if inet proto tcp from any to any port 80 keep state (max-src-conn 100, max-src-conn-rate 15/5, overload flush global)
That takes care of all my DDoS protection needs. Some of y'all mentioned big guns though, I don't know about that.
OpenBSD's PF is indeed the world's finest software-based firewall, I'll be the first to say. I think Linux should throw out IP tables and go for a PF port, but I digress.
I haven't tried mitigating a big DDoS with PF, and I don't know if it would fare any better once it has, say, 50k individual IPs to block. But to me that is kind of beside the point. If I am not mistaken, a well-written nginx module would be immensely helpful when faced with the kind of DDoS I had on me last week.
If I can't find anyone interested in writing it I might have a whack at it myself next time I get some spare time.
We are facing a DDoS situation similar to yours. I'm developing a module which can deny individual IPs. The module can get the IPs with a POST request from a commander server in the intranet. If you have some suggestions, you can contact me.
The module will be here: https://github.com/yaoweibin/nginx_limit_access_module, but I need some more days to finish it.
Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,147105,147721#msg-147721
_______________________________________________ nginx mailing list ngi...@nginx.org http://nginx.org/mailman/listinfo/nginx
-- Weibin Yao
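
The per-source limits in the pf rule quoted in this message (`max-src-conn 100`, `max-src-conn-rate 15/5`, `overload`) can be illustrated with the added example below, which is not code from the thread, from pf, or from the nginx module mentioned. It assumes a simple sliding window, which approximates but does not reproduce pf's own accounting; `SourceTracker`, `replay` and the sample traffic are hypothetical and constructed for illustration.

```python
from collections import defaultdict, deque

MAX_SRC_CONN_RATE = (15, 5.0)  # quoted rule: 15 new connections per 5 seconds
MAX_SRC_CONN = 100             # quoted rule: concurrent connections per source


class SourceTracker:
    """Sliding-window approximation of the per-source limits (assumption, not pf's code)."""

    def __init__(self, rate=MAX_SRC_CONN_RATE, max_conn=MAX_SRC_CONN):
        self.limit, self.window = rate
        self.max_conn = max_conn
        self.recent = defaultdict(deque)  # src -> timestamps of recent new connections
        self.active = defaultdict(int)    # src -> currently open connections
        self.overload = set()             # stands in for the overload table

    def connect(self, src, now):
        """Return True if the connection is accepted, False if the source is blocked."""
        if src in self.overload:
            return False                  # listed sources are blocked outright
        q = self.recent[src]
        while q and now - q[0] >= self.window:
            q.popleft()                   # forget connections older than the window
        q.append(now)
        self.active[src] += 1
        if len(q) > self.limit or self.active[src] > self.max_conn:
            self.overload.add(src)        # threshold exceeded: list the source
            self.active[src] = 0          # "flush": drop the source's existing states
            return False
        return True

    def close(self, src):
        self.active[src] = max(0, self.active[src] - 1)


def replay(events):
    """events: iterable of (timestamp, src, 'open'|'close'); returns blocked sources."""
    tracker = SourceTracker()
    for ts, src, kind in sorted(events):
        if kind == "open":
            tracker.connect(src, ts)
        else:
            tracker.close(src)
    return tracker.overload


# Constructed sample traffic using documentation addresses, not real data.
SAMPLE = [(i * 0.2, "203.0.113.7", "open") for i in range(20)]    # 5 conn/s burst
SAMPLE += [(i * 1.0, "198.51.100.4", "open") for i in range(20)]  # steady 1 conn/s
```

Replaying `SAMPLE` lists only the bursting source; the steady client stays under both limits.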