usefulz edited this page Dec 22, 2013 · 4 revisions

nginx_dosdetector

An nginx module for detecting DoS attacks. This is a port of mod_dosdetector to nginx.

Install

Install ngx_dosdetector

cd ${nginx_src_dir}
./configure --add-module=${ngx_dosdetector_src_dir}
make
sudo make install

Quick Start

Add the following configuration to an http or server context in nginx.conf, then start nginx.

dos_detector on;
dos_threshold 2000;
dos_hard_threshold 10000;
dos_period 50;
dos_hard_period 300;
dos_table_size 500;
dos_forwarded on;
dos_ignore_content_type "image/*";

Directives

dos_detector

Syntax dos_detector on OR off
Default off
Context http,server

This directive sets whether ngx_dosdetector is enabled.

dos_threshold

Syntax dos_threshold $threshold
Default 10000
Context http,server

This directive sets the threshold above which a client is treated as a reserve DoS attack.

dos_hard_threshold

Syntax dos_hard_threshold $hard_threshold
Default 20000
Context http,server

This directive sets the threshold above which a client is treated as a DoS attack.

dos_period

Syntax dos_period $period
Default 10
Context http,server

This directive sets the period for which the state is held after a reserve DoS attack is detected.

dos_hard_period

Syntax dos_hard_period $hard_period
Default 300
Context http,server

This directive sets the period for which the state is held after a DoS attack is detected.

dos_table_size

Syntax dos_table_size $table_size
Default 300
Context http,server

This directive sets the size of the table that stores client IP addresses.

dos_forwarded

Syntax dos_forwarded on OR off
Default off
Context http,server

This directive sets whether the remote IP address is taken from the X-Forwarded-For header.

dos_ignore_content_type

Syntax dos_ignore_content_type $ignore_content_type
Default
Context http,server

This directive sets a content type, given as a string or regular expression, that is excluded from DoS detection.

Action when detecting DoS attacks

When ngx_dosdetector detects a reserve DoS attack, it writes an error message to error.log. When it detects a DoS attack, it returns 444 (FIN packet).
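To see which clients are being cut off while tuning the thresholds, the 444 responses can be counted per client from the access log. The script below is an added example, not part of ngx_dosdetector; it assumes the default nginx "combined" log format and that connections the module closes are logged with status 444, and the function name and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Assumption: access_log uses nginx's default "combined" format.
# Adjust the pattern if a custom log_format is configured.
LINE = re.compile(
    r'^(?P<addr>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3}) '
)


def closed_clients(lines, status="444"):
    """Return (rows, skipped). rows is [(addr, closed, total)] for every client
    with at least one `status` response, most-closed first; skipped is the
    number of lines that did not match the log format."""
    total, closed, skipped = Counter(), Counter(), 0
    for line in lines:
        m = LINE.match(line)
        if not m:
            skipped += 1  # keep count so a format mismatch is visible
            continue
        total[m["addr"]] += 1
        if m["status"] == status:
            closed[m["addr"]] += 1
    rows = [(addr, n, total[addr]) for addr, n in closed.items()]
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows, skipped


# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [22/Dec/2013:10:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.30"',
    '198.51.100.7 - - [22/Dec/2013:10:00:02 +0000] "GET / HTTP/1.1" 444 0 "-" "curl/7.30"',
    '198.51.100.7 - - [22/Dec/2013:10:00:02 +0000] "GET /a HTTP/1.1" 444 0 "-" "curl/7.30"',
    '203.0.113.9 - - [22/Dec/2013:10:00:03 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [22/Dec/2013:10:00:04 +0000] "POST /login HTTP/1.1" 444 0 "-" "Mozilla/5.0"',
    '192.0.2.1 - - [22/Dec/2013:10:00:05 +0000] "GET /img.png HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    'this line is not in combined format',
]

if __name__ == "__main__":
    rows, skipped = closed_clients(SAMPLE)
    for addr, n, tot in rows:
        print(f"{addr}: {n} of {tot} requests closed with 444")
    print(f"{skipped} unparseable line(s) skipped")
```

When dos_forwarded is on and nginx sits behind a proxy, the first field of the combined format is the proxy's address rather than the client's, so log the forwarded address with a custom log_format and adjust the pattern to match.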
