linux
IPv4, 2014-12-02 21:10:55

Whom is it better to ban?

Hello comrades.
I am interested in the following question: how do you deal with an HTTP flood on the server?
I have found several ways for myself:
1) Analysing nginx logs and blocking the most "annoying" visitors (bots). Minus: the load from reading the logs, and the load remains anyway, because the bot keeps bombarding the server even when it gets an error.
2) Limiting the number of connections from one IP at the nginx level. Minus: they keep bombarding the server in some form, so there is still load, even from stubs and error 444.
3) Limiting the number of connections from one IP at the iptables level. Minus: the load on the server's firewall.
4) Analysing netstat and then blocking bots with a large number of connections. Minus: the load on the server's firewall.
5) Country restrictions in nginx/iptables. Minuses are the same as above.
In general, the question is: whom is it better to ban so that the load is smaller?
Please suggest interesting options. Write how you deal with such attacks.


7 answer(s)
Max, 2014-12-02
@AloneCoder

Set up tarantool and count in real time per session. Divide into groups: those who parse stupidly without a timeout, ban for N requests per minute; those who parse with a timeout, ban for M requests per hour.
Well, or don't ban, but show a captcha on a separate page.
UPD. Comments on the answer apparently fell off on Toster.)
Yes, this is a NoSQL database from mail.ru
https://github.com/tarantool/tarantool
tarantool.org/doc/user_guide - docs

Ilya Evseev, 2014-12-03
@IlyaEvseev

1) It is possible and necessary to detect and ban at several levels.
Detect brute-force attacks with the ss command (not netstat!).
Do unconditional blocking through ipset (not iptables!).
Through nginx, detect cunning attacks and block the suspicious ones.
2) As a starting point, search Google for "site:habrahabr.ru nginx ipset".
I especially recommend habrahabr.ru/post/139931
3) Do not try to build the perfect defense right away.
Start with the simplest and improve gradually.
4) If you are not a cool anti-DDoS specialist, absolute security is unattainable. You can only raise the penetration threshold.

Ergil Osin, 2014-12-03
@Ernillew

> Country restrictions in nginx/iptables. Minuses are the same as above.
And don't put countries into iptables; what did smart people come up with for you?

Vlad Zhivotnev, 2014-12-03
@inkvizitor68sl

It is best to ban on the gateway (in the network, I mean). It's more economical that way.

IPv4, 2014-12-03
@IPv4

AloneCoder: Is there any documentation? And what is it, in general? Otherwise I only stumble upon a DBMS from mail.ru.
Sorry this is not under your comment; for some reason nothing can be written under the comments at all.

Fader, 2014-12-05
@Fader

Use fail2ban.

metajiji, 2015-01-07
@metajiji

1. Analyze logs through fail2ban; the performance will be satisfactory.
2, 3, 4, 5. The load on the server can be greatly reduced by using ipset.
If the IP addresses or networks (it is better to ban entire networks at once, the load is less) are known and will not change for a long time, it makes sense to use a route blackhole:
For example:
This option is also acceptable if the firewall is not available. You can generally use only this option, without ipset+iptables. Naturally, it would be nice to write some script to summarize the added IPs.
I also want to note about netstat: use ss instead; it will also show better results than netstat.
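The "detect with ss, block unconditionally with ipset or a route blackhole" approach from Ilya's and metajiji's answers, as an added example script that is not code from the thread. It assumes ipset sets named `flood` (and `flood6` for IPv6) already exist, uses a placeholder threshold of 50 connections and port 80, and only prints the blocking commands; the `ss -tn` output embedded in it is a constructed sample.

```shell
#!/bin/bash
# Added example, not code from the thread: count established connections per
# peer IP from `ss -tn` output and emit the ipset / route-blackhole commands
# that would block the flooders. Threshold, port and set names are assumptions.
set -eu
THRESHOLD="${THRESHOLD:-50}"   # connections from one IP before it is banned
WEB_PORT="${WEB_PORT:-80}"
SET_NAME="${SET_NAME:-flood}"  # assumed: ipset create flood hash:ip (flood6 for inet6)
# Constructed sample of `ss -tn` output for the offline run at the bottom.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB  0      0      10.0.0.5:80        203.0.113.7:51234
ESTAB  0      0      10.0.0.5:80        203.0.113.7:51235
ESTAB  0      0      10.0.0.5:80        203.0.113.7:51236
ESTAB  0      0      10.0.0.5:443       203.0.113.7:51240
ESTAB  0      0      10.0.0.5:80        198.51.100.9:40001
ESTAB  0      0      10.0.0.5:80        [2001:db8::1]:52000
ESTAB  0      0      10.0.0.5:80        [2001:db8::1]:52001
TIME-WAIT 0   0      10.0.0.5:80        192.0.2.3:3000'
# flood_ips THRESHOLD PORT  (reads `ss -tn` output on stdin)
# Prints "count ip" for every peer holding at least THRESHOLD established
# connections to PORT, busiest first. Only ESTAB sockets count.
flood_ips() {
  awk -v thr="$1" -v port="$2" '
    $1 == "ESTAB" && $4 ~ (":" port "$") {
      peer = $5
      sub(/:[0-9]+$/, "", peer)                      # drop peer source port
      if (substr(peer, 1, 1) == "[")                 # drop IPv6 brackets
        peer = substr(peer, 2, length(peer) - 2)
      n[peer]++
    }
    END { for (ip in n) if (n[ip] >= thr) print n[ip], ip }' | sort -rn -k1,1
}
# ban_cmds THRESHOLD PORT  (reads `ss -tn` output on stdin)
# Emits one line per flooder with the two unconditional blocks named in the
# thread: an ipset entry (matched by a single iptables rule) and a blackhole
# route, which works even where no firewall is available.
ban_cmds() {
  flood_ips "$1" "$2" | while read -r count ip; do
    case "$ip" in
      *:*) echo "ipset add ${SET_NAME}6 $ip -exist; ip -6 route add blackhole $ip" ;;
      *)   echo "ipset add $SET_NAME $ip -exist; ip route add blackhole $ip" ;;
    esac
  done
}
# Live use (review the output before piping it into sh):  ss -tn | ban_cmds "$THRESHOLD" "$WEB_PORT"
printf '%s\n' "$SAMPLE_SS" | ban_cmds 2 "$WEB_PORT"
```

Banning whole networks, as metajiji suggests, is a matter of aggregating the printed addresses into prefixes before adding them; the script deliberately leaves that decision to the operator.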
