Question : To limit number of open simultaneous / concurrent connections to a file in a real world DDoS scenario #9
Comments
|
In your config, the limit 500m is for per request_uri not for the whole server. |
|
Thanks yes oops what it the correct way to limit it for the entire server ? would replacing it with maybe $host do the trick ? |
|
Does work but appears to be ignoring my original limit_rate settings. So now max output per download has become 2-5mb/s (not a bad thing since when the server hits the max capacity that limit will start decreasing. The limit_traffic_rate also does not allow you to use it more than once per location or you get a duplicate error I found out since I tried to enforce my 1mb limiting still using your module. Get a duplicate error if you try and use the directive more than once in the same location. |
So in a DDoS scenario the config can be the following.
My above config would be good for a single IP or few IP's that would be spamming / flooding the mp4 files on the server but would not hold up against a real larger DDoS.
The real world scenario : An attacker could have over 1000 machines connections to hit you with.
The way they could easily bypass the above is all 1000 machines connect to download a file at the same time and they don't spam / flood the requests since if they did that they would be blocked and served the 503 status code instead they just keep the connection open to download that file they request at 1mb a second X by 1000 machines would mean your servers 1Gig port is maxed out now (Successful attack) when they finished downloading the file they instantly open it again and repeat constantly consuming the bandwidth, Because 1 IP per machine is accessing the file none of them have the same IP and they are not spamming or flooding to trigger the limit blocks they easily bypass the firewall.
A possible way to fix the above is to use limit_conn with $uri or $request_uri to limit simultaneous connections to download a single file at once.
The above added code :
Would make it so only 1 person may access that particular file URL at a time. (Still not good enough) they could adapt to instead of spamming / flooding or slow-loris opening a single file on a mass scale to bypass the above solution via opening different mp4 URL's simultaneously if each of the 1000 IP's connect and all open a different file back to square one.
How your module could save the day! 👍
So with the above is my understanding correct that your module could fix all the issues listed above by no matter how many downloads over how ever many different MP4 file URL's are taking place simultaneously your module will not let the max bandwidth output be more than Half of the servers 1Gig port capacity.
Or is the above config wrong for your module and would result in only limiting per file ($request_uri) still ?
I didn't write the above to poke holes or flaws out etc, I do so to help and make things better and solve / address potential problems (if any) sorry for the lengthy post. Think its a great module with allot of potential and I strive to maximize its potential 👍
The text was updated successfully, but these errors were encountered: