DDoS protection

From ISPWiki

The ngx_http_limit_req_module module limits the rate of requests by a specified key; in this case the key is the client IP address.


Configuration example

   http {
       limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
       server {
           location /search/ {
               limit_req zone=one burst=5;
           }
       }
   }

limit_req_zone defines a shared memory zone and its size (zone=one:10m), and limit_req sets the maximum peak attack size (burst). If a client exceeds the rate set for the zone (rate=1r/s), its extra requests are delayed so that they are processed at the configured rate. Requests are delayed only until their number exceeds the burst value; any further request is rejected with error 503 (Service Temporarily Unavailable). By default, the maximum peak attack size (burst) is 0.

A 1MB zone holds about 16,000 states (one per key, i.e. per client address). If more states are needed than the zone can hold, the server returns error 503 (Service Temporarily Unavailable).

The rate is specified in requests per second (r/s).

To enable DDoS protection, navigate to the WWW-domain edit form and select the "Enable DDoS protection" check box. Enter the required values into the "Requests per second" and "Maximum peak attack size" fields.

After you have saved the changes, the following record will be created in the $HOME_NGINX/conf.d/isplimitreq.conf file:

limit_req_zone $binary_remote_addr zone=example.com:128k rate=2r/s;

where

   zone - the name of a shared memory zone, based on the WWW-domain's name;
   zone size (128k) is calculated as "requests per second" * 64k;
   rate - the value from the "Requests per second" field.

The following $HOME_NGINX/vhost-resources/DOMAIN_NAME/reqlimit.conf file will be created:

   limit_req zone=example.com burst=3;
   error_page 503 =429 @blacklist;

where

   zone - the name of the zone specified in the previous configuration file;
   burst - the value from the "Maximum peak attack size" field;
   @blacklist - the name of the location to which a request is redirected on error 503 (i.e. when the maximum number of requests from a certain IP address has been exceeded).

The following $HOME_NGINX/vhost-includes/blacklist-nginx.conf file will be created (for example):

   location @blacklist {
       proxy_redirect off;
       proxy_pass https://IPADDRESS;
       rewrite (.*) /mancgi/ddos break;
       proxy_set_header Host $host;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_set_header X-Forwarded-Proto $scheme;
   }

where

   IPADDRESS - the IP address and port on which IHTTPD listens. After the panel address is changed, the new address and port are written into this file.
   If IHTTPD listens on any IP address, any valid IP address configured on the server will be selected.

When the rate limit is exceeded, the IP address from which the requests are sent is passed to the /mancgi/ddos script, which blacklists it for 5 minutes. The following record is added to the $HOME_MGR/var/ddos.log log file:

WARNING Address (xxx.xxx.xxx.xxx) is blacklisted

IP addresses are blacklisted using iptables (ip6tables for IPv6) and ipset.

Note: ipset is not available on OpenVZ. Therefore, on OpenVZ only the tools provided by Nginx can be used.

The following rule is created in the iptables INPUT chain:

DROP       all  --  anywhere             anywhere            match-set ispmgr_limit_req src 

It matches against the ipset list named ispmgr_limit_req (ispmgr_limit_req6 for IPv6).

In ipset, the lists ispmgr_limit_req and ispmgr_limit_req6 are created with the following parameters: hash:ip (only IP addresses are kept in the list) and timeout 300 (an entry is kept for 5 minutes).

To check the contents of the list, execute the ipset -L ispmgr_limit_req command. The "Members" field of the command output shows the blacklisted IPs and the time remaining until they are unblocked.
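The two places to look when reviewing what the protection has done are the ddos.log records and the "Members" section of the ipset listing. The following shell functions, an added example rather than part of ISPmanager or this page, parse both: they count how often each address appears in the log (repeat offenders are the ones worth a closer look) and list the currently blocked members with their remaining timeout. The log lines and the ipset -L output below are constructed samples in the formats described above.

```shell
#!/bin/sh
# Added example (not ISPmanager code): summarise the limit_req blacklist
# from $HOME_MGR/var/ddos.log entries and from "ipset -L" output.

# Constructed sample of ddos.log lines (record format as on this page).
SAMPLE_DDOS_LOG='WARNING Address (203.0.113.5) is blacklisted
WARNING Address (198.51.100.7) is blacklisted
WARNING Address (203.0.113.5) is blacklisted
INFO something unrelated
WARNING Address (2001:db8::10) is blacklisted'

# Constructed sample of "ipset -L ispmgr_limit_req" output (ipset 6 layout).
SAMPLE_IPSET_LISTING='Name: ispmgr_limit_req
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 300
Size in memory: 248
References: 1
Number of entries: 2
Members:
203.0.113.5 timeout 212
198.51.100.7 timeout 45'

# Print "address count" for every blacklisted address, most frequent first.
# $1: log text.
blacklist_counts() {
    printf '%s\n' "$1" \
      | sed -n 's/^WARNING Address (\([^)]*\)) is blacklisted$/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $2, $1 }'
}

# Print "address seconds_left" for every entry after the "Members:" line,
# i.e. the addresses the iptables DROP rule is currently matching.
# $1: ipset -L output.
ipset_members() {
    printf '%s\n' "$1" \
      | awk 'in_members { print $1, $3 } /^Members:/ { in_members = 1 }'
}

# Number of addresses currently blocked. $1: ipset -L output.
ipset_member_count() {
    ipset_members "$1" | wc -l | tr -d ' '
}

# On a live server (not run here) the same functions take real input:
#   blacklist_counts "$(cat "$HOME_MGR/var/ddos.log")"
#   ipset_members "$(ipset -L ispmgr_limit_req)"
#   ipset_members "$(ipset -L ispmgr_limit_req6)"
blacklist_counts "$SAMPLE_DDOS_LOG"
ipset_members "$SAMPLE_IPSET_LISTING"
```

The sed pattern keeps only the address between the parentheses, so both IPv4 and IPv6 records are counted; lines that are not blacklist records are ignored.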

To change the timeout, complete the following steps:

1. Add the following record to ispmgr.conf:

isp_limitreq_timeout number of seconds

2. In iptables find the number of the ispmgr_limit_req src rule:

iptables -L INPUT --line-numbers

and delete it:

iptables -D INPUT rule-number

3. In ip6tables find the number of the ispmgr_limit_req6 src rule:

ip6tables -L INPUT --line-numbers

and delete it:

ip6tables -D INPUT rule-number

4. Delete the lists from ipset:

ipset destroy ispmgr_limit_req
ipset destroy ispmgr_limit_req6

5. Execute the command that recreates the rules and lists:

sbin/mgrctl -m ispmgr firewall
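Steps 2 to 4 are error-prone by hand because iptables renumbers the remaining rules after every -D, so two matching rules (which can exist if the firewall was applied more than once) must be deleted highest number first. The functions below, an added example that is not ISPmanager's own tooling, read the rule numbers from the iptables listing and delete them in that order, then run the whole procedure. The INPUT chain listing is a constructed sample; the location of ispmgr.conf under $HOME_MGR/etc and of mgrctl under $HOME_MGR/sbin are assumptions, as the page gives only the file name and a relative path.

```shell
#!/bin/sh
# Added example (not ISPmanager code): the timeout change from steps 1-5
# as shell functions. Rule numbers are parsed from the listing, and rules
# are deleted highest number first because deleting rule N renumbers all
# rules after it.

# Constructed sample of "iptables -L INPUT --line-numbers" output.
SAMPLE_INPUT_CHAIN='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
2    DROP       all  --  anywhere             anywhere             match-set ispmgr_limit_req src
3    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
4    DROP       all  --  anywhere             anywhere             match-set ispmgr_limit_req src
5    DROP       all  --  anywhere             anywhere             match-set ispmgr_limit_req6 src'

# Print, highest first, the numbers of the INPUT rules that match the given
# ipset. The trailing " src" keeps "ispmgr_limit_req" from also matching
# "ispmgr_limit_req6". $1: listing text, $2: set name.
limit_req_rule_numbers() {
    printf '%s\n' "$1" \
      | awk -v pat="match-set $2 src" 'index($0, pat) { print $1 }' \
      | sort -rn
}

# Delete those rules with the given firewall command (iptables or ip6tables),
# taking the listing live from that command. $1: command, $2: set name.
delete_limit_req_rules() {
    cmd=$1; set_name=$2
    for n in $(limit_req_rule_numbers "$("$cmd" -L INPUT --line-numbers)" "$set_name"); do
        "$cmd" -D INPUT "$n"
    done
}

# The full procedure; needs root and the real tools, so it is not called
# in this file. $1: new timeout in seconds.
set_limit_req_timeout() {
    secs=$1
    conf="${HOME_MGR:?}/etc/ispmgr.conf"   # assumed location of ispmgr.conf
    # Step 1: set isp_limitreq_timeout, replacing an existing record if present.
    if grep -q '^isp_limitreq_timeout ' "$conf"; then
        sed -i "s/^isp_limitreq_timeout .*/isp_limitreq_timeout $secs/" "$conf"
    else
        printf 'isp_limitreq_timeout %s\n' "$secs" >> "$conf"
    fi
    # Steps 2 and 3: remove the DROP rules that reference the sets.
    delete_limit_req_rules iptables  ispmgr_limit_req
    delete_limit_req_rules ip6tables ispmgr_limit_req6
    # Step 4: destroy the sets; their timeout is fixed when they are created.
    ipset destroy ispmgr_limit_req
    ipset destroy ispmgr_limit_req6
    # Step 5: let the panel recreate the sets and rules with the new timeout
    # (mgrctl location under $HOME_MGR/sbin is an assumption).
    "${HOME_MGR:?}/sbin/mgrctl" -m ispmgr firewall
}

# Dry demonstration on the constructed listing: prints 4 and 2, then 5.
limit_req_rule_numbers "$SAMPLE_INPUT_CHAIN" ispmgr_limit_req
limit_req_rule_numbers "$SAMPLE_INPUT_CHAIN" ispmgr_limit_req6
```

Before running set_limit_req_timeout, check what limit_req_rule_numbers reports against the live listing; if it prints nothing for a set, the DROP rule is already gone and only the ipset destroy and mgrctl steps remain.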