Bartlomiej Syryjczyk | 1 Jul 09:52 2008

Re: Protecting nginx from syn flood and DOS vs legit heavy traffic


Rt Ibmer writes:
| We are using nginx as a public web server and need to do good common
| sense things to try and limit or prevent syn floods and related types of
| DOS attacks.
|
| I've researched iptables extensively and have found a lot of info on
| how to use it to limit syn floods and so forth.
|
| However these articles do not explain how to apply these iptables
| restrictions to public web servers that get very large amounts of
| traffic.  So I am hoping others here can share how they are using
| iptables, because I am concerned that I will inadvertently block good
| traffic!
|
| For instance, consider a case where a huge company with thousands of
| employees all share one public IP when accessing the internet.
| Further, consider that everyone in the company gets an email that says
| to go to our site and review some web pages.
|
| In this scenario it is possible we could have a few thousand requests
| coming in all at the same time from the same IP, but be legitimate
| requests.  So I have to be very careful with the rules that can try (if
| possible?) to tell the difference between heavy traffic from the same IP
| (as in this scenario) vs. some bot hammering on the server.
|
| As another example, from the syn flood iptables rules I've seen I can't
| tell whether it is possible to detect the difference between syn packets
| that are purposeful vs a large number of syn packets for new connections
| that are rushing in but legitimate.
|
| Also as a side question - if a request comes in to nginx and nginx
| then uses proxy_pass to talk to an external server that handles the
| request, am I right to assume that as far as iptables is concerned this
| is an INPUT and not a FORWARD? In the case where we only want the public
| to access the nginx server is there ever a case where we may
| legitimately want to take FORWARD requests or should these all be blocked?
|
| I would GREATLY appreciate you sharing your thoughts on how to address
| this and approaches you have taken that may apply in this case too.
|
| For reference I am using the latest nginx 6 on Fedora 8 core.
How do you limit the SYN packets (show your iptables rules)? Have you
tried TCP SYN Proxy? pf from OpenBSD is a good tool for that
(http://openbsd.org/faq/pf/filter.html#synproxy).

--
Bartłomiej Syryjczyk
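The following is an added example, not code from either poster: a per-source-IP token bucket of the kind iptables' `limit`/`hashlimit` matches implement (the bucket here is a simplified model of those matches, an assumption, not their exact code), run over three constructed SYN arrival traces to show the trade-off the original question describes. The addresses, the 25 SYN/s and burst-100 policy, and the traces are all constructed for the example.

```python
# Added example (not from the thread): a per-source-IP token bucket modelled
# on the iptables limit/hashlimit matches, applied to constructed SYN traces.
# The NAT'd-enterprise scenario from the question is the interesting case:
# rate alone cannot separate it from a flood. All values are constructed.
from collections import defaultdict
from fractions import Fraction


class TokenBucket:
    """Token bucket: 'rate' tokens/second refill, at most 'burst' stored.
    Each SYN costs one token; a SYN arriving with no token is dropped.
    Fractions keep the arithmetic exact so the counts are reproducible."""

    def __init__(self, rate, burst):
        self.rate = Fraction(rate)
        self.burst = Fraction(burst)
        self.tokens = self.burst
        self.last = Fraction(0)

    def allow(self, now):
        # Refill for the time elapsed since the previous SYN, capped at burst.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def apply_per_ip_limit(events, rate, burst):
    """events: iterable of (timestamp_seconds, src_ip) for incoming SYNs.
    Returns {src_ip: (accepted, dropped)} under one bucket per source IP,
    which is what a hashlimit match keyed on srcip does."""
    buckets = {}
    stats = defaultdict(lambda: [0, 0])
    for t, ip in sorted(events):
        bucket = buckets.setdefault(ip, TokenBucket(rate, burst))
        stats[ip][0 if bucket.allow(t) else 1] += 1
    return {ip: tuple(v) for ip, v in stats.items()}


def build_traces():
    """Three constructed SYN traces (timestamps in seconds)."""
    events = []
    # 1. The question's NAT'd enterprise: 3000 employees open the site over
    #    one minute from a single public address (50 new connections/s).
    events += [(Fraction(i, 50), "198.51.100.7") for i in range(3000)]
    # 2. A flood source: 3000 SYNs squeezed into a single second.
    events += [(Fraction(i, 3000), "203.0.113.9") for i in range(3000)]
    # 3. An ordinary visitor: one new connection every ten seconds.
    events += [(Fraction(10 * i), "192.0.2.10") for i in range(5)]
    return events


def run_demo(rate=25, burst=100):
    """Apply a 25 SYN/s, burst-100 per-IP limit to the constructed traces."""
    return apply_per_ip_limit(build_traces(), rate, burst)


if __name__ == "__main__":
    for ip, (ok, dropped) in sorted(run_demo().items()):
        print(f"{ip:15} accepted={ok:5d} dropped={dropped:5d}")
```

Under this policy the ordinary visitor is untouched, the flood source gets 124 of its 3000 SYNs through, and the legitimate enterprise address loses 1401 of its 3000 requests: a per-IP SYN rate limit tuned tightly enough to blunt the flood also cuts into the NAT'd burst, because both look the same to a counter keyed on source address. That is the reason the reply points toward SYN proxying: a SYN proxy (pf's `synproxy state`, or on Linux the kernel's `net.ipv4.tcp_syncookies` sysctl) does not drop by count at all; it answers the SYN itself and only commits connection state once the three-way handshake completes, so legitimate bursts from one address still get served while half-open floods never reach nginx's listen queue.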
