21 messages in ru.sysoev.nginx - Re: DoS attack in the wild
Subject: Re: DoS attack in the wild
From: luben karavelov (lub@unixsol.org)
Date: Jun 19, 2009 12:09:11 pm
List: ru.sysoev.nginx

luben karavelov wrote:

A DoS attack against a number of http servers is available and has hit slashdot today: http://it.slashdot.org/story/09/06/19/1243203/Attack-On-a-Significant-Flaw-In-Apache-Released

Out of the box nginx is also vulnerable (I have tested it on the latest 0.7 installation). A quick fix for the vulnerability follows:

Put in "http" section:

    client_body_timeout 10;
    client_header_timeout 10;
    keepalive_timeout 10;
    send_timeout 10;
    limit_zone limit_per_ip $binary_remote_addr 1m;

and put in "server" section:

    limit_conn limit_per_ip 16;

The last 2 configuration lines are for limiting connections per client IP. The first lines are some sane connection timeouts.

Best regards and keep the great work!

If you process some large uploads or the page generation gets over 10 seconds, you could raise the timeouts. Actually the fix is the last lines: limiting the connection number per client IP.

Luben
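
A configuration check for the settings discussed in this message, as an added example that is not part of the original post: it verifies that every `limit_conn` refers to a zone declared with `limit_zone` and that the four timeouts are set at or below a ceiling. The function names, the 10-second default ceiling and the sample configuration are assumptions made for the illustration.

```python
import re

# The four timeouts named in the message; 10 seconds is the value it suggests.
TIMEOUTS = ("client_body_timeout", "client_header_timeout",
            "keepalive_timeout", "send_timeout")
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}

def directives(conf):
    """Yield (name, args) per directive; comments stripped, blocks flattened."""
    for stmt in re.split(r"[;{}]", re.sub(r"#[^\n]*", "", conf)):
        parts = stmt.split()
        if parts:
            yield parts[0], parts[1:]

def seconds(value):
    """Convert an nginx time value such as 10, 10s or 2m to seconds (None if unparsed)."""
    m = re.fullmatch(r"(\d+)(s|m|h|d)?", value)
    return int(m.group(1)) * UNITS[m.group(2) or ""] if m else None

def audit(conf, max_timeout=10):
    """Return findings about per-IP connection limits and timeouts."""
    zones, used, seen, findings = set(), [], {}, []
    for name, args in directives(conf):
        if name == "limit_zone" and args:
            zones.add(args[0])            # limit_zone <zone> <key> <size>
        elif name == "limit_conn" and args:
            used.append(args[0])          # limit_conn <zone> <count>
        elif name in TIMEOUTS and args:
            seen[name] = args[0]
    if not used:
        findings.append("no limit_conn: connections per client IP are unlimited")
    findings += [f"limit_conn refers to undeclared zone '{z}'"
                 for z in used if z not in zones]
    for name in TIMEOUTS:
        if name not in seen:
            findings.append(f"{name} not set, nginx default applies")
        elif (s := seconds(seen[name])) is None or s > max_timeout:
            findings.append(f"{name} {seen[name]} is above {max_timeout}s")
    return findings

# Constructed sample: mismatched zone name, one long timeout, one unset timeout.
SAMPLE = """
http {
    client_body_timeout 10; client_header_timeout 60; keepalive_timeout 10;
    limit_zone limit_per_ip $binary_remote_addr 1m;
    server { limit_conn per_ip 16; }
}
"""
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Later nginx releases replaced `limit_zone` with `limit_conn_zone`, which this check does not parse.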