系统环境:FreeBSD, network card: Intel fxp, port: 100Мбит, polling, http accept-filter.

in sysctl:

   

sysctl kern.maxfiles=90000
sysctl kern.maxfilesperproc=80000
sysctl net.inet.tcp.blackhole=2
sysctl net.inet.udp.blackhole=1
sysctl kern.polling.burst_max=1000
sysctl kern.polling.each_burst=50
sysctl kern.ipc.somaxconn=32768
sysctl net.inet.tcp.msl=3000
sysctl net.inet.tcp.maxtcptw=40960
sysctl net.inet.tcp.nolocaltimewait=1
sysctl net.inet.ip.portrange.first=1024
sysctl net.inet.ip.portrange.last=65535
sysctl net.inet.ip.portrange.randomized=0

in nginx configuration:

   

worker_processes 1;
worker_rlimit_nofile 80000;
events {
    worker_connections 50000;
}

server_tokens off;
log_format IP `$remote_addr';
reset_timedout_connection on;

listen  xx.xx.xx.xx:80  default rcvbuf=8192 sndbuf=16384 backlog=32000 accept_filter=httpready;

In the following way it is possible to realize filtration of url, in example for POST index.php?action=login which is with empty referral.

   

set $add 1;
location /index.php {
        limit_except GET POST {
             deny all;
    }
    set $ban "";
    if ($http_referer = "" ) {set $ban $ban$add;}
    if ($request_method = POST ) {set $ban $ban$add;}
    if ($query_string = "action=login" ){set $ban $ban$add;}
    if ($ban = 111 ) {
        access_log /var/log/[133]nginx/ban IP;
        return 404;
    }
    proxy_pass http://127.0.0.1:8000; #here is a patch
}

Further we cut it at pf level – loaded into IP table, hosts from which came too many hits. PF with tables works very quickly. Sources for parsing of logs (ddetect) you can find on http://www.comsys.com.ua/files Then Cron used once in a minute, to add into ip tables new IPs from a log. 25 Mbyte DDoS, which cuts IPs, the rests fall on nginx which by it is criterion pass IPs and the rests passed on the apache – LA 0, site works.

声明:本站所有文章,如无特殊说明或标注,均为本站原创发布。任何个人或组织,在未征得本站同意时,禁止复制、盗用、采集、发布本站内容到任何网站、书籍等各类媒体平台。如若本站内容侵犯了原著者的合法权益,可联系我们进行处理。