First, the iptables solution.
For SYN floods, DDoS and the like, iptables is the usual recommendation: it is lightweight, and this is what iptables is good at.
Searching the web shows that the iptables recent module can solve the problem.
First, the parameters of recent:
--name # set the list name; the default is DEFAULT.
--rsource # match on the source address; this is the default.
--rdest # match on the destination address.
--seconds # the time window, in seconds.
--hitcount # the number of hits required.
--set # add the address to the list and update its entry, including the timestamp of the added address.
--rcheck # check whether the address is in the list; the time is counted from the first match.
--update # like rcheck, but the time is counted from the last match.
--remove # delete the corresponding address from the list; followed by the list name and address.
Finally, a test. The following script passed my testing:
#!/bin/bash
IPT=/sbin/iptables
# Length of the time window, in seconds
seconds=100
# Max new connections per IP within that window
blockcount=10
# ....
# ..
# Default action can be DROP or REJECT
daction="REJECT"
# Record every new connection to port 80 in the recent list (list name DEFAULT)
$IPT -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
# Reject a new connection once the source has reached blockcount hits within the window
$IPT -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds ${seconds} --hitcount ${blockcount} -j ${daction}
# ....
# ..
If you send more than 10 requests to the server, a connection-closed error appears, which indicates that it works.
You can test this from a browser, since it only takes 10 requests; to send many more, use ab -n xx -c xx.
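To make the counting behind the two rules visible, here is an added Python model of how the recent list decides which NEW packets the second rule rejects (this is an illustration written for this post, not kernel or iptables code). It assumes the module's default of 20 remembered packets per address (ip_pkt_list_tot), and the traffic it runs over is a constructed sample, not real captures.

```python
# Model of "-m recent --set" followed by "-m recent --update --seconds N --hitcount M".
# Assumption: each source address remembers the timestamps of its last
# IP_PKT_LIST_TOT NEW packets (kernel default 20); the second rule matches when at
# least HITCOUNT of those timestamps fall within the last SECONDS seconds.
from collections import defaultdict, deque

IP_PKT_LIST_TOT = 20  # module default for packets remembered per address


class RecentList:
    def __init__(self, seconds, hitcount, list_tot=IP_PKT_LIST_TOT):
        if hitcount > list_tot:
            # iptables refuses such a rule, because it could never match
            raise ValueError("hitcount larger than packets to be remembered")
        self.seconds, self.hitcount = seconds, hitcount
        self.stamps = defaultdict(lambda: deque(maxlen=list_tot))

    def set(self, src, now):
        """--set: add the address (or refresh it) with the current timestamp."""
        self.stamps[src].append(now)

    def update(self, src, now):
        """--update --seconds --hitcount: True when the address has at least
        hitcount stamps inside the window; on a match the entry is refreshed."""
        stamps = self.stamps.get(src)
        if stamps is None:
            return False
        hits = sum(1 for t in stamps if now - t <= self.seconds)
        if hits >= self.hitcount:
            stamps.append(now)
            return True
        return False


def simulate(events, seconds=100, hitcount=10):
    """events: (timestamp, src) of NEW packets to port 80, in arrival order.
    Returns the (timestamp, src) pairs the second rule would REJECT."""
    recent = RecentList(seconds, hitcount)
    rejected = []
    for now, src in events:
        recent.set(src, now)           # rule 1: -m recent --set
        if recent.update(src, now):    # rule 2: -m recent --update ... -j REJECT
            rejected.append((now, src))
    return rejected


# Constructed sample: 10.0.0.1 opens 12 connections in 12 seconds, then one more
# after the window has passed; 10.0.0.2 opens three connections in the same period.
SAMPLE_EVENTS = sorted(
    [(t, "10.0.0.1") for t in range(12)]
    + [(1, "10.0.0.2"), (2, "10.0.0.2"), (3, "10.0.0.2"), (200, "10.0.0.1")]
)

if __name__ == "__main__":
    print(simulate(SAMPLE_EVENTS))
```

Connections 10, 11 and 12 from 10.0.0.1 are rejected, while the connection at t=200 is accepted again because no 10 hits remain inside the 100-second window.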
Second, the Varnish solution.
Varnish's advantage is its powerful VCL. I previously used Varnish to block bots, but for how VCL can block DDoS and limit requests from the same IP I found one solution online, security.vcl. It feels like a lot of VCL to write; I don't know whether that is because of the complexity of the functionality.
See this VCL for details:
https://github.com/ssm/security.vcl
Finally, the Nginx and Apache solutions.
Nginx and Apache are the last stop, the web servers themselves, so the security layer can also be placed here. The modules for limiting concurrent access:
Nginx has ngx_http_limit_conn_module
http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html
Apache has the limitipconn module
http://dominia.org/djao/limitipconn2.html
If the data center has a DDoS defense mechanism in place, there is generally no problem. In addition, Drupal can use modules such as fast404 to reduce the CPU load caused by large numbers of 404s.
And by the way, a security module for Drupal is also recommended, Security Kit: https://www.drupal.org/project/seckit