系统环境:FreeBSD, network card: Intel fxp, port: 100Мбит, polling, http accept-filter.
in sysctl:
1 |
<pre class="wrap:true lang:default decode:true "> <p>sysctl kern.maxfiles=90000 <br />sysctl kern.maxfilesperproc=80000 <br />sysctl net.inet.tcp.blackhole=2 <br />sysctl net.inet.udp.blackhole=1 <br />sysctl kern.polling.burst_max=1000 <br />sysctl kern.polling.each_burst=50 <br />sysctl kern.ipc.somaxconn=32768 <br />sysctl net.inet.tcp.msl=3000 <br />sysctl net.inet.tcp.maxtcptw=40960 <br />sysctl net.inet.tcp.nolocaltimewait=1 <br />sysctl net.inet.ip.portrange.first=1024 <br />sysctl net.inet.ip.portrange.last=65535 <br />sysctl net.inet.ip.portrange.randomized=0</p> |
in nginx configuration:
1 |
<pre class="wrap:true lang:default decode:true "> <p>worker_processes 1; <br />worker_rlimit_nofile 80000; <br />events { <br /> worker_connections 50000; <br />} </p> <p>server_tokens off; <br />log_format IP `$remote_addr'; <br />reset_timedout_connection on; </p> <p>listen xx.xx.xx.xx:80 default rcvbuf=8192 sndbuf=16384 backlog=32000 accept_filter=httpready;</p> |
In the following way it is possible to realize filtration of url, in example for POST index.php?action=login which is with empty referral.
1 |
<pre class="wrap:true lang:default decode:true "> <p>set $add 1; <br />location /index.php { <br /> limit_except GET POST { <br /> deny all; <br /> } <br /> set $ban ""; <br /> if ($http_referer = "" ) {set $ban $ban$add;} <br /> if ($request_method = POST ) {set $ban $ban$add;} <br /> if ($query_string = "action=login" ){set $ban $ban$add;} <br /> if ($ban = 111 ) { <br /> access_log /var/log/[133]nginx/ban IP; <br /> return 404; <br /> } <br /> proxy_pass http://127.0.0.1:8000; #here is a patch <br />}</p> |
Further we cut it at pf level – loaded into IP table, hosts from which came too many hits. PF with tables works very quickly. Sources for parsing of logs (ddetect) you can find on http://www.comsys.com.ua/files Then Cron used once in a minute, to add into ip tables new IPs from a log. 25 Mbyte DDoS, which cuts IPs, the rests fall on nginx which by it is criterion pass IPs and the rests passed on the apache – LA 0, site works.
声明:本站所有文章,如无特殊说明或标注,均为本站原创发布。任何个人或组织,在未征得本站同意时,禁止复制、盗用、采集、发布本站内容到任何网站、书籍等各类媒体平台。如若本站内容侵犯了原著者的合法权益,可联系我们进行处理。