Bobcares

DDoS prevention in Nginx – How to secure your server from DDoS attacks?

by | Jan 21, 2019

It’s a shocking fact that hackers are using new methods for DDoS attacks every day.

And, that makes DDoS protection a crucial step in server security.

At Bobcares, we help server owners to implement DDoS protection on their servers as part of our Dedicated Support Services for web hosts.

Today, we’ll discuss 4 different ways for DDoS prevention in Nginx servers.

What’s DDoS?

Before we move on to the steps to prevent DDoS attacks, let’s see what DDoS is.

DDoS(Distributed Denial Of Service) attack saturates a system by overloading it with too much traffic from multiple machines, so that the server can’t handle it.

 

nginx ddos prevention

What is DDoS?

 

As a result, it leads to service downtime, network congestion, reputation damage, financial loss, and much more.

Here, our Hosting Engineers check the server logs containing information about the originating IP address, geolocation, and more. So, this gives us an idea of the source of the problem.

 

Nginx DDoS prevention – Here’s how to do it

Let’s now see the different methods of Nginx DDoS prevention used by our Dedicated Support Engineers to mitigate this attack.

1) Software firewall

One of the easiest ways for Nginx DDoS prevention is to use software firewalls like CSF, iptables, UFW, APF, etc.

For example in iptables, our Hosting Engineers rate limit the number of connections on port 80 using the below command.

/sbin/iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset

 

And, if the number of connection exceeds the connection limit, the IP will be blocked in the server.

Similarly, most web hosts use CSF firewall in their cPanel servers. Here, we tweak the parameters such as CT_LIMIT, CT_BLOCK_TIME, CT_INTERVAL, etc. to limit the connections.

In the same way, Ubuntu servers have default firewall UFW(Uncomplicated Firewall). UFW’s default rules are to deny all incoming connections and allow all outgoing connections. So, users can enable only the required ports and IPs on the server, that reduces the exposure of the server to DDoS attacks.

[Need a Server Expert to implement Nginx DDoS prevention in your server? Click here, our Server Experts are available online 24/7.]

 

2) Tweak Nginx parameters

Our Support Engineers tweak various Nginx parameters to prevent large scale DDoS attacks. Let’s discuss each of them in detail.

a) Nginx Worker process

One of the important parameters that we tweak is the number of worker process and number of worker connections in the Nginx configuration file /etc/nginx/nginx.conf.

We’ll gradually adjust the worker process and worker connections to a higher value for handling DDoS attacks. For example, we tweak the worker connections in Nginx configuration file like this.

events {
worker_connections 50000;
}

 

This setting allows each of the worker process to handle upto 50000 connections.

Most importantly, our Support Engineers check the server resources before increasing these values, because an un-optimized value can break the whole server.

In addition to that, we limit the number of connections using the system open file limit. In other words, we modify the parameter fs.file-max in /etc/sysctl.conf.

fs.file-max = 50000

 

Moreover, we set number of open file limit per user. For example, we set the open file limit for Nginx worker process in the /etc/security/limits.conf file.

 

b) Limit the rate of requests

Rate limiting is one of the best ways to prevent DDoS in Nginx.

It can limit the number of requests that can be made from a particular client IP address within a certain period. And, if this limit is exceeded, Nginx denies these requests.

So, this is one of the most important parameters our Hosting Engineers tweak during the server hardening process.

We tweak the limit_req_zone directive in the Nginx configuration file to rate limit requests. For example, see the below code:

limit_req_zone $binary_remote_addr zone=one:10m rate=30r/m;

 

This command creates a memory area called one, that can hold upto 160,000(as 1m =16000 IPs) unique IPs, and the 30r/m means that only 30 requests per minute are allowed.

Similarly, we use the limit_req directive to rate limit the connections to a particular location or file.

c) Limit the rate of connections

Further, our Nginx Experts rate limit the number of connections made from a single IP address.

In other words, we tweak the limit_conn_zone and limit_conn directives to limit the number of connections per IP address.

limit_conn_zone $binary_remote_addr zone=one:20m;

server {
location /admin/ {
limit_conn addr 20;
}}

 

d) Nginx Timeout parameters

Likewise, slow connections to the server keep these connections open to the server for a long time. As a result, the server can’t accept new connections.

In such cases, our Support Experts tweak the Nginx timeout parameters such as  client_body_timeout and client_header_timeout to lower values.

server {
client_body_timeout 10s;
client_header_timeout 10s;
}

 

Here, the client_body_timeout directive defines how long Nginx is waiting between the writes of the client body and  client_header_timeout means how long Nginx is waiting between the writes of client header.

 

e) Limit HTTP Request size

Similarly, large buffer values or large HTTP requests size make DDoS attacks easier. So, we limit the following buffer values in the Nginx configuration file to mitigate DDoS attacks.

client_body_buffer_size 200K;
client_header_buffer_size 2k;
client_max_body_size 200k;
large_client_header_buffers 3 1k;

 

f) Limit the connections to backend servers

When Nginx is used as a load balancer, our Hosting Engineers adjust the Nginx parameters to limit the number of connections handled by each backend server.

For example, see the below code:

upstream domain {
server 192.125.168.2:80 max_conns=100;
server 192.125.168.3:80 max_conns=100;
queue 20 timeout=10s;
}

 

So, here the max_conns directive specifies the number of connections Nginx can open up for the server. The queue directive limits the number of requests that have been queued when all servers in this group have reached the connection limit. Finally, the timeout directive specifies how long a request can be retained in the queue.

In addition to the above parameters, we configure Nginx to block connections based on the request URL, User-Agent, Referer, Request headers, etc.

[Need help to tweak the Nginx parameters to mitigate DDoS? Click here, one of our Nginx Experts will check your server resources and tweak the values accordingly.]

 

3) Setup Fail2ban on the server

Fail2ban is great Intrusion Detection Software to block suspicious IPs that connect to the server. This scans the server logs for suspicious access and blocks such IPs in the firewall.

For example, we create a fail2ban jail /etc/fail2ban/jail.local and add the following code to monitor the number of requests to Nginx.

[nginx-req-limit]

enabled = true
filter = nginx-req-limit
action = iptables-multiport[name=ReqLimit, port=”http,https”, protocol=tcp]
logpath = /var/log/nginx/*error.log
findtime = 200
bantime = 2600
maxretry = 20

 

This scans the Nginx log files and block the IPs making too many connections to the server.

[Need a Server Expert to configure Fail2ban on your server? One of our Server Experts can help you here.]

4) Enable sysctl based protection

Additionally, we tweak kernel and system variables on Nginx servers. We enable syn cookies, flooding rate limits, per IP limit in the /etc/sysctl.conf file.

Most importantly, we focus on the following parameters.

net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1

 

The first parameter enables protection against IP spoofing, and the second allows TCP SYN cookie protection.

 

Conclusion

In short, DDoS prevention in Nginx nodes is an important step to ensure security. Today, we’ve discussed the top 4 methods for DDoS prevention in Nginx servers and how our Dedicated Support Engineers implement it.

PREVENT YOUR SERVER FROM CRASHING!

Never again lose customers to poor server speed! Let us help you.

Our server experts will monitor & maintain your server 24/7 so that it remains lightning fast and secure.

SEE SERVER ADMIN PLANS

var google_conversion_label = "owonCMyG5nEQ0aD71QM";

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

Never again lose customers to poor
server speed! Let us help you.

Privacy Preference Center

Necessary

Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

PHPSESSID - Preserves user session state across page requests.

gdpr[consent_types] - Used to store user consents.

gdpr[allowed_cookies] - Used to store user allowed cookies.

PHPSESSID, gdpr[consent_types], gdpr[allowed_cookies]
PHPSESSID
WHMCSpKDlPzh2chML

Statistics

Statistic cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.

_ga - Preserves user session state across page requests.

_gat - Used by Google Analytics to throttle request rate

_gid - Registers a unique ID that is used to generate statistical data on how you use the website.

smartlookCookie - Used to collect user device and location information of the site visitors to improve the websites User Experience.

_ga, _gat, _gid
_ga, _gat, _gid
smartlookCookie
_clck, _clsk, CLID, ANONCHK, MR, MUID, SM

Marketing

Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.

IDE - Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.

test_cookie - Used to check if the user's browser supports cookies.

1P_JAR - Google cookie. These cookies are used to collect website statistics and track conversion rates.

NID - Registers a unique ID that identifies a returning user's device. The ID is used for serving ads that are most relevant to the user.

DV - Google ad personalisation

_reb2bgeo - The visitor's geographical location

_reb2bloaded - Whether or not the script loaded for the visitor

_reb2bref - The referring URL for the visit

_reb2bsessionID - The visitor's RB2B session ID

_reb2buid - The visitor's RB2B user ID

IDE, test_cookie, 1P_JAR, NID, DV, NID
IDE, test_cookie
1P_JAR, NID, DV
NID
hblid
_reb2bgeo, _reb2bloaded, _reb2bref, _reb2bsessionID, _reb2buid

Security

These are essential site cookies, used by the google reCAPTCHA. These cookies use an unique identifier to verify if a visitor is human or a bot.

SID, APISID, HSID, NID, PREF
SID, APISID, HSID, NID, PREF