L'unica regola correlata in mod-security per DoS lento è modsecurity_crs_11_slow_dos_protection
, ed è solo per Apache.
Esiste una regola per Nginx?
Per quanto ne so, NGINX non include nulla di simile da descrivere, ma possiamo implementare il nostro. Come ho capito Apache 2 modsecurity_crs_11_slow_dos_protection, limita il numero di connessioni. modsecurity_crs_11_slow_dos_protection
NGINX ha una pagina web, Attenuazione degli attacchi DDoS con NGINX e NGINX Inoltre che menziona diversi metodi per DDoS. Mi vengono in mente tre idee dal loro sito web:
Limitazione della frequenza delle richieste
You can limit the rate at which NGINX and NGINX Plus accept incoming requests to a value typical for real users. For example, you might decide that a real user accessing a login page can only make a request every 2 seconds. You can configure NGINX and NGINX Plus to allow a single client IP address to attempt to login only every 2 seconds (equivalent to 30 requests per minute):
limit_req_zone $binary_remote_addr zone=one:10m rate=30r/m; server { # ... location /login.html { limit_req zone=one; # ... } }
The limit_req_zone directive configures a shared memory zone called one to store the state of requests for the specified key, in this case the client IP address ($binary_remote_addr). The limit_req directive in the location block for /login.html references the shared memory zone.
Limitazione del numero di connessioni
You can limit the number of connections that can be opened by a single client IP address, again to a value appropriate for real users. For example, you can allow each client IP address to open no more than 10 connections to the /store area of your website:
limit_conn_zone $binary_remote_addr zone=addr:10m; server { # ... location /store/ { limit_conn addr 10; # ... } }
The limit_conn_zone directive configures a shared memory zone called addr to store requests for the specified key, in this case (as in the previous example) the client IP address, $binary_remote_addr. The limit_conn directive in the location block for /store references the shared memory zone and sets a maximum of 10 connections from each client IP address.
Chiusura delle connessioni lente
You can close connections that are writing data too infrequently, which can represent an attempt to keep connections open as long as possible (thus reducing the server’s ability to accept new connections). Slowloris is an example of this type of attack. The client_body_timeout directive controls how long NGINX waits between writes of the client body, and the client_header_timeout directive controls how long NGINX waits between writes of client headers. The default for both directives is 60 seconds. This example configures NGINX to wait no more than 5 seconds between writes from the client for either headers or body:
server { client_body_timeout 5s; client_header_timeout 5s; # ... }
Notiamo che solo connessioni "lente" per un DDoS, mentre il DoS dobbiamo mitigare chiudendo (o rifiutando) le connessioni che riteniamo dannose. Tenere presente che le mitigazioni di attacco sopra menzionate sono la mitigazione DDoS a livello di applicazione. Quindi, le risorse (CPU e memoria) sono ancora utilizzate. Vedi, incapsulamento e Suite IP (TCP / IP) riguardante l'utilizzo delle risorse, poiché sono necessarie risorse per incapsulare e de-incapsulare (frame - > pacchetto (o datagramma) - > segmento - > PDU).
Leggi altre domande sui tag nginx denial-of-service ddos mod-security