0

An attacker tweaks xerxes by setting the number of CONNECTIONS in xerxes to 1 instead of 8, like so:

#define CONNECTIONS 1

They then attack with xerxes-executable mydomain 433. Their strategy is to use eight time less connections from each attacking IP / machine and to launch a distributed attack from the eight times larger number or machines.

Does rate-limiting in nginx.conf has any sense in the case of such attack? How might I rate limit such adversary in nginx.conf?

What are other manual ways of mitigating such attack?

In what way the connections of the attacker stand out, having in mind not only mitigation but also forensics, in comparison with the regular requests?

Improve this question

1 Answer 1

Reset to default
2

Does rate-limiting in nginx.conf has any sense in the case of such attack?

I'm not sure if the request limiting in nginx can be applied in the first place, since no actual request is sent by the attacker. Instead only a TCP connect is done and then it trickles single byte \0, but never sends an actual HTTP request. The hope is to keep the connection open until the server closes it because of some timeout or because it is obviously junk (which can be seen on the first byte already). Once the connection is closed by the server it will be opened again by the tool.

In general the capabilities of nginx here are limited since it is designed primarily as a web server and not as DDoS protection system. It can apply some application level limits, like limiting the number of requests per time (which is not the same as the number of TCP connections) or detect slowloris like attacks by requiring the HTTP request to be finished within a specific time.

Against the particular attack you mention, TCP level filtering is sufficient though and can be better and with less resources done outside of nginx, for example with iptables. The conntrack and limit modules allow to restrict the number of parallel connections from an IP address and how much new connections can be created within a specific time - see Limit max connections per IP address and new connections per second with iptables.

Improve this answer
4
  • If all that the attack does is establishing idle connections then tweaking CONNECTIONS to 1 instead of the default of 8 will prevent establishing 8 connections at the same time but still a new connection will be established every 0.2 seconds. This in turn results in many connections established from the same IP, is my understanding correct? Can I set in iptables, ufw or nginx a policy that enforces the idea: "allow no more than two connections from the same IP"? Commented Mar 5, 2022 at 20:34
  • 1
    @JohnSmith: I've reworked the answer to point to the relevant iptables modules which do what you need. Commented Mar 5, 2022 at 20:55
  • Thank you. The link nginx.org/en/docs/http/… and mention of client_header_timeout in nginx was very helpful as well. Please consider restoring this part of your worthy answer. Commented Mar 5, 2022 at 21:07
  • @JohnSmith: see update Commented Mar 5, 2022 at 21:20

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.