7

I am configuring nginx for basic DDoS protection. I want to use the limit_conn module as described in http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html. In particular I do not understand this example:

limit_conn_zone $binary_remote_addr zone=perip:10m;
limit_conn_zone $server_name zone=perserver:10m;

server {
    ...
    limit_conn perip 10;
    limit_conn perserver 100;
}

The description is:

For example, the following configuration will limit the number of connections to the server per a client IP and, at the same time, the total number of connections to the virtual host

The first part is clear: I am allowing no more than 10 simultaneous connections from one IP.

But does the second rule mean that I am only allowing 100 connections to my server? Because if it is so, and the attacker just opens ~100 connections, it would block everyone from accessing the server, effectively making the DDoS attack succeed.

hennadiy.verkh

1 Answer

7

Yes, the second rule means that you're going to allow no more than 100 simultaneous connections to that specific domain. However, considering you have also limited max connections per IP, the attacker will need to use different IPs to succeed with the attack.

I must add that limit_conn is just a way to mitigate an attack, but it won't be enough to mitigate a real DDoS attack.

You may want to look at these nginx directives: limit_req, limit_rate, client_body_timeout, client_header_timeout.

This article will show you that there is more to do in order to mitigate a DDoS attack: https://www.nginx.com/blog/mitigating-ddos-attacks-with-nginx-and-nginx-plus/

Also, this article will point you to some configuration tips: https://www.nginx.com/blog/tuning-nginx/

Hope it helps.

Lisandro
    What does `connection` mean in this context? I set the variables to 1 and am still able to open multiple tabs of my website instantly. I am also able to open and maintain multiple socket connections. – Esqarrouth Mar 18 '21 at 12:52
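A small model of how the two zones from the question interact, added here as an illustration and not nginx code or anything from the original post; it assumes the exact directives shown (perip 10, perserver 100) and uses constructed documentation-range IPs. Following the nginx docs, a connection is counted only while a request with a fully read header is being processed, which the model mirrors with begin_request/end_request.

```python
from collections import defaultdict

class LimitConnZone:
    """One limit_conn_zone: a counter per key value, capped by the number given to limit_conn."""
    def __init__(self, limit):
        self.limit = limit
        self.active = defaultdict(int)
    def can_admit(self, key):
        return self.active[key] < self.limit
    def acquire(self, key):
        self.active[key] += 1
    def release(self, key):
        self.active[key] -= 1

class Server:
    """A server block carrying `limit_conn perip 10; limit_conn perserver 100;` (model, not nginx)."""
    def __init__(self, server_name, per_ip=10, per_server=100):
        self.server_name = server_name
        self.perip = LimitConnZone(per_ip)          # keyed by $binary_remote_addr
        self.perserver = LimitConnZone(per_server)  # keyed by $server_name
        self.in_flight = {}
    def begin_request(self, req_id, client_ip):
        # A request is counted only while it is being processed; if any zone is
        # full, nginx answers with limit_conn_status (503 by default) and counts nothing.
        zones = [(self.perip, client_ip), (self.perserver, self.server_name)]
        if not all(zone.can_admit(key) for zone, key in zones):
            return 503
        for zone, key in zones:
            zone.acquire(key)
        self.in_flight[req_id] = zones
        return 200
    def end_request(self, req_id):
        for zone, key in self.in_flight.pop(req_id):
            zone.release(key)

def single_ip_flood(n):
    """One client IP (constructed: 203.0.113.5) holding n requests open at once."""
    srv = Server("example.com")
    return [srv.begin_request(i, "203.0.113.5") for i in range(n)]

def distributed_flood(n_ips):
    """n_ips distinct constructed IPs hold one request each; a legitimate client tries, then retries after one attacker request finishes."""
    srv = Server("example.com")
    for i in range(n_ips):
        srv.begin_request(("bot", i), f"198.51.100.{i + 1}")
    first_try = srv.begin_request("user", "192.0.2.10")
    if n_ips:
        srv.end_request(("bot", 0))
    return first_try, srv.begin_request("retry", "192.0.2.10")
```

Browser tabs that finish their requests quickly release their slot immediately, which is why a limit of 1 rarely blocks a single user; only requests held open concurrently consume the per-server budget.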