Limiting how many times a single IP may access a site within a given time period is a headache, especially in the face of malicious DDoS attacks. The CC attack (Challenge Collapsar) is one kind of DDoS (distributed denial of service) and a common way of attacking websites: the attacker uses proxy servers or compromised hosts (zombies) to keep sending large numbers of packets to the victim host, exhausting the server's resources until it goes down.
CC attacks generally use a limited number of IPs that send requests to the server at high frequency. Nginx can be configured with HttpLimitReqModule and HttpLimitZoneModule to limit the number of accesses from the same IP within a period of time and so defend against CC attacks.
HttpLimitReqModule limits the number of requests per unit of time, using the limit_req_zone and limit_req directives. Once the request rate exceeds the specified number, a 503 error is returned.
HttpLimitConnModule limits the number of concurrent connections from a single IP, using the limit_zone and limit_conn directives.
The difference between the two modules: the first limits the number of requests over a period of time; the second limits the number of connections open at the same time.
HttpLimitReqModule: limiting the number of requests from the same IP over a period of time
    http {
        ...
        # Define a limit_req_zone named allips to store session state in 10 MB of memory,
        # keyed by $binary_remote_addr, limiting the average rate to 20 requests per second.
        # 1 MB can store about 16,000 states. The rate value must be an integer;
        # to allow one request every two seconds, set rate=30r/m.
        limit_req_zone $binary_remote_addr zone=allips:10m rate=20r/s;
        ...
        server {
            ...
            location / {
                ...
                # Limit each IP to at most 20 requests per second, with a leaky-bucket burst of 5.
                # burst means: if seconds 1, 2, 3 and 4 each carried 19 requests,
                # 25 requests in the 5th second are still allowed.
                # But if you send 25 requests in the 1st second, requests beyond 20
                # in the 2nd second return a 503 error.
                # nodelay: without this option the average rate is strictly enforced, so
                # of 25 requests in the 1st second, 5 are held over and executed in the 2nd second;
                # with nodelay set, all 25 requests are executed in the 1st second.
                limit_req zone=allips burst=5 nodelay;
                ...
            }
            ...
        }
        ...
    }
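To see what rate, burst and nodelay actually do, here is an added Python model of the limit_req leaky bucket; it is not code from this page or from nginx, but follows the millisecond-scaled arithmetic of nginx's ngx_http_limit_req_module (rate and burst scaled by 1000, "excess" counted in thousandths of a request). The client address and the traffic timelines are constructed sample input.

```python
from dataclasses import dataclass, field


@dataclass
class LimitReqZone:
    """One limit_req_zone plus its limit_req settings, keyed per client."""
    rate_rps: int            # the rate=...r/s value of limit_req_zone
    burst: int               # the burst=... value of limit_req
    nodelay: bool = False    # the nodelay flag of limit_req
    state: dict = field(default_factory=dict)   # key -> (excess, last_ms)

    def request(self, key: str, now_ms: int):
        """Decide one request: ('OK' | 'DELAY' | '503', delay_ms)."""
        rate = self.rate_rps * 1000      # requests per second, scaled by 1000
        burst = self.burst * 1000        # allowed excess, scaled by 1000
        if key not in self.state:
            # A fresh node starts with excess 0 and is never delayed.
            self.state[key] = (0, now_ms)
            return "OK", 0
        excess, last_ms = self.state[key]
        elapsed = max(0, now_ms - last_ms)
        # Leak what the elapsed time allows, then charge this request (1000 = one request).
        excess = max(0, excess - rate * elapsed // 1000 + 1000)
        if excess > burst:
            return "503", 0              # over the burst: rejected, state unchanged
        self.state[key] = (excess, now_ms)
        if excess > 0 and not self.nodelay:
            # Without nodelay the request is held until the bucket has drained the excess.
            return "DELAY", excess * 1000 // rate
        return "OK", 0


def simulate(arrivals_ms, nodelay):
    """Run one client's arrival times (ms) through rate=20r/s burst=5, as configured above."""
    zone = LimitReqZone(rate_rps=20, burst=5, nodelay=nodelay)
    return [zone.request("203.0.113.7", t) for t in arrivals_ms]   # constructed client IP


# Constructed traffic: 27 requests 40 ms apart (25 requests/second), and 25 requests at one instant.
EVEN = [40 * i for i in range(27)]
INSTANT = [0] * 25

if __name__ == "__main__":
    for label, arrivals in (("even 25/s", EVEN), ("25 at once", INSTANT)):
        for nodelay in (False, True):
            res = simulate(arrivals, nodelay)
            print(f"{label:>10} nodelay={nodelay!s:5} accepted={sum(d != '503' for d, _ in res):2} "
                  f"max_delay={max(ms for _, ms in res)} ms")
```

Evenly spaced traffic at 25 requests/second passes until the accumulated excess exceeds the burst (request 27 gets a 503), while 25 requests arriving at the same instant get only 1 + burst accepted; nodelay changes only whether accepted requests wait, not how many are rejected.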
HttpLimitZoneModule: limiting the number of concurrent connections
limit_zone can only be defined in the http scope; limit_conn may be defined in the http, server or location scope.
    http {
        ...
        # Define a zone named one with 10 MB of memory to store session state,
        # keyed by $binary_remote_addr.
        # After nginx 1.18, limit_conn_zone replaced limit_zone; it can only be placed in the http scope.
        limit_conn_zone $binary_remote_addr zone=one:10m;
        ...
        server {
            ...
            location / {
                ...
                # Connection limit per IP (the count is missing on the page; 20 is a placeholder).
                limit_conn one 20;
                # Bandwidth limit; it applies per connection, so an IP with two connections gets 500k x 2.
                limit_rate 500k;
                ...
            }
            ...
        }
        ...
    }
How to limit the number of accesses from an IP within a given time period in Nginx