2

We are currently under a DDoS attack with the following vector: the attacker establishes a TLS connection and then drops off. (No request line is sent.)

This is causing serious CPU load on the nginx cluster. We have nginx as a reverse proxy. I could not figure out how to make nginx log the fact that such a connection was established, in order to automate IP-based bans.

All the logging stuff I found requires the request to be parsed, but in this case there is no payload at all, so nothing shows up in either the access or the error log...

1 Answer

2
error_log /var/log/nginx/error.log info;

You will then see the following in the error log:

2018/09/22 11:42:38 [info] 25066#25066: *343588460 client closed connection while waiting for request, client: ::1, server: [::]:443

And this behavior can be simulated via:

echo -n | openssl s_client -connect localhost:443
Yarik Dot
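One way to turn the info-level lines from the answer above into a per-IP ban list, as an added example that is not part of the original answer: it counts request-less connections per client in a sliding window. The function name, threshold, window and the sample log (constructed, using documentation address ranges) are assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the info-level error_log line quoted in the answer above.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[info\] \d+#\d+: \*\d+ "
    r"client closed connection while waiting for request, "
    r"client: (?P<client>[^,\s]+), server: ")

def find_offenders(lines, threshold=3, window=timedelta(seconds=10)):
    """Map client IP -> peak number of request-less connections seen inside
    any `window`-long span, for clients that reached `threshold`.
    Assumes lines are in chronological order, as in a single log file."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peak = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # any other log message
        try:
            ip = str(ipaddress.ip_address(m["client"]))  # normalise v4/v6
        except ValueError:
            continue  # client field is not an IP literal; nothing to ban
        ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak

# Constructed sample log (hypothetical hypothetical-free data: documentation ranges only).
MSG = "client closed connection while waiting for request"
SAMPLE_LOG = f"""\
2018/09/22 11:42:38 [info] 25066#25066: *101 {MSG}, client: 203.0.113.7, server: [::]:443
2018/09/22 11:42:39 [info] 25066#25066: *102 {MSG}, client: 203.0.113.7, server: [::]:443
2018/09/22 11:42:40 [info] 25066#25066: *103 {MSG}, client: 2001:db8::1, server: [::]:443
2018/09/22 11:42:41 [info] 25066#25066: *104 {MSG}, client: 203.0.113.7, server: [::]:443
2018/09/22 11:42:42 [notice] 25066#25066: signal process started
2018/09/22 11:43:30 [info] 25066#25066: *105 {MSG}, client: 2001:db8::1, server: [::]:443
2018/09/22 11:43:31 [info] 25066#25066: *106 {MSG}, client: 198.51.100.9, server: [::]:443
"""

if __name__ == "__main__":
    for ip, count in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(ip, count)
```

Legitimate clients also produce this line occasionally (browsers open speculative connections), so the threshold should sit well above normal background before the output feeds a firewall rule.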