It’s a shocking fact that hackers are using new methods for DDoS attacks every day.

And, that makes DDoS protection a crucial step in server security.

At Bobcares, we help server owners to implement DDoS protection on their servers as part of our Dedicated Support Services for web hosts.

Today, we’ll discuss 4 different ways for DDoS prevention in Nginx servers.

What’s DDoS?

Before we move on to the steps to prevent DDoS attacks, let’s see what DDoS is.

DDoS(Distributed Denial Of Service) attack saturates a system by overloading it with too much traffic from multiple machines, so that the server can’t handle it.

 

 

As a result, it leads to service downtime, network congestion, reputation damage, financial loss, and much more.

Here, our Hosting Engineers check the server logs containing information about the originating IP address, geolocation, and more. So, this gives us an idea of the source of the problem.

 

Nginx DDoS prevention – Here’s how to do it

Let’s now see the different methods of Nginx DDoS prevention used by our Dedicated Support Engineers to mitigate this attack.

1) Software firewall

One of the easiest ways for Nginx DDoS prevention is to use software firewalls like CSF, iptables, UFW, APF, etc.

For example in iptables, our Hosting Engineers rate limit the number of connections on port 80 using the below command.

/sbin/iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset

 

And, if the number of connection exceeds the connection limit, the IP will be blocked in the server.

Similarly, most web hosts use CSF firewall in their cPanel servers. Here, we tweak the parameters such as CT_LIMIT, CT_BLOCK_TIME, CT_INTERVAL, etc. to limit the connections.

In the same way, Ubuntu servers have default firewall UFW(Uncomplicated Firewall). UFW’s default rules are to deny all incoming connections and allow all outgoing connections. So, users can enable only the required ports and IPs on the server, that reduces the exposure of the server to DDoS attacks.

[Need a Server Expert to implement Nginx DDoS prevention in your server? Click here, our Server Experts are available online 24/7.]

 

2) Tweak Nginx parameters

Our Support Engineers tweak various Nginx parameters to prevent large scale DDoS attacks. Let’s discuss each of them in detail.

a) Nginx Worker process

One of the important parameters that we tweak is the number of worker process and number of worker connections in the Nginx configuration file /etc/nginx/nginx.conf.

We’ll gradually adjust the worker process and worker connections to a higher value for handling DDoS attacks. For example, we tweak the worker connections in Nginx configuration file like this.

events {
worker_connections 50000;
}

 

This setting allows each of the worker process to handle upto 50000 connections.

Most importantly, our Support Engineers check the server resources before increasing these values, because an un-optimized value can break the whole server.

In addition to that, we limit the number of connections using the system open file limit. In other words, we modify the parameter fs.file-max in /etc/sysctl.conf.

fs.file-max = 50000

 

Moreover, we set number of open file limit per user. For example, we set the open file limit for Nginx worker process in the /etc/security/limits.conf file.

 

b) Limit the rate of requests

Rate limiting is one of the best ways to prevent DDoS in Nginx.

It can limit the number of requests that can be made from a particular client IP address within a certain period. And, if this limit is exceeded, Nginx denies these requests.

So, this is one of the most important parameters our Hosting Engineers tweak during the server hardening process.

We tweak the limit_req_zone directive in the Nginx configuration file to rate limit requests. For example, see the below code:

limit_req_zone $binary_remote_addr zone=one:10m rate=30r/m;

 

This command creates a memory area called one, that can hold upto 160,000(as 1m =16000 IPs) unique IPs, and the 30r/m means that only 30 requests per minute are allowed.

Similarly, we use the limit_req directive to rate limit the connections to a particular location or file.

c) Limit the rate of connections

Further, our Nginx Experts rate limit the number of connections made from a single IP address.

In other words, we tweak the limit_conn_zone and limit_conn directives to limit the number of connections per IP address.

limit_conn_zone $binary_remote_addr zone=one:20m;

server {
location /admin/ {
limit_conn addr 20;
}}

 

d) Nginx Timeout parameters

Likewise, slow connections to the server keep these connections open to the server for a long time. As a result, the server can’t accept new connections.

In such cases, our Support Experts tweak the Nginx timeout parameters such as  client_body_timeout and client_header_timeout to lower values.

server {
client_body_timeout 10s;
client_header_timeout 10s;
}

 

Here, the client_body_timeout directive defines how long Nginx is waiting between the writes of the client body and  client_header_timeout means how long Nginx is waiting between the writes of client header.

 

e) Limit HTTP Request size

Similarly, large buffer values or large HTTP requests size make DDoS attacks easier. So, we limit the following buffer values in the Nginx configuration file to mitigate DDoS attacks.

client_body_buffer_size 200K;
client_header_buffer_size 2k;
client_max_body_size 200k;
large_client_header_buffers 3 1k;

 

f) Limit the connections to backend servers

When Nginx is used as a load balancer, our Hosting Engineers adjust the Nginx parameters to limit the number of connections handled by each backend server.

For example, see the below code:

upstream domain {
server 192.125.168.2:80 max_conns=100;
server 192.125.168.3:80 max_conns=100;
queue 20 timeout=10s;
}

 

So, here the max_conns directive specifies the number of connections Nginx can open up for the server. The queue directive limits the number of requests that have been queued when all servers in this group have reached the connection limit. Finally, the timeout directive specifies how long a request can be retained in the queue.

In addition to the above parameters, we configure Nginx to block connections based on the request URL, User-Agent, Referer, Request headers, etc.

[Need help to tweak the Nginx parameters to mitigate DDoS? Click here, one of our Nginx Experts will check your server resources and tweak the values accordingly.]

 

3) Setup Fail2ban on the server

Fail2ban is great Intrusion Detection Software to block suspicious IPs that connect to the server. This scans the server logs for suspicious access and blocks such IPs in the firewall.

For example, we create a fail2ban jail /etc/fail2ban/jail.local and add the following code to monitor the number of requests to Nginx.

[nginx-req-limit]

enabled = true
filter = nginx-req-limit
action = iptables-multiport[name=ReqLimit, port=”http,https”, protocol=tcp]
logpath = /var/log/nginx/*error.log
findtime = 200
bantime = 2600
maxretry = 20

 

This scans the Nginx log files and block the IPs making too many connections to the server.

[Need a Server Expert to configure Fail2ban on your server? One of our Server Experts can help you here.]

4) Enable sysctl based protection

Additionally, we tweak kernel and system variables on Nginx servers. We enable syn cookies, flooding rate limits, per IP limit in the /etc/sysctl.conf file.

Most importantly, we focus on the following parameters.

net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1

 

The first parameter enables protection against IP spoofing, and the second allows TCP SYN cookie protection.

 

Conclusion

In short, DDoS prevention in Nginx nodes is an important step to ensure security. Today, we’ve discussed the top 4 methods for DDoS prevention in Nginx servers and how our Dedicated Support Engineers implement it.