Using OpenResty (an Nginx extension) to prevent CC attacks

Source: Internet
Author: User

Guide

OpenResty integrates a variety of well-designed Nginx modules (mainly developed by the OpenResty team), effectively turning Nginx into a powerful general-purpose web application platform. Web developers and system engineers can use the Lua scripting language to drive the C and Lua modules that Nginx supports and quickly build high-performance web application systems capable of handling 10K to 1000K concurrent connections.

Flowchart

This article describes how to use OpenResty to defend against CC (Challenge Collapsar, i.e. HTTP flood) attacks. The official OpenResty website is http://openresty.org/cn/index.html. The following is a flowchart of the anti-CC defense.
As the flowchart shows, the defense has two parts: limiting the request rate per client, and sending a JavaScript redirect to the client to verify that the request comes from a legitimate browser.

Install dependencies

RHEL/CentOS:

    yum install readline-devel pcre-devel openssl-devel

Ubuntu:

    apt-get install libreadline-dev libncurses5-dev libpcre3-dev libssl-dev perl

LuaJIT Installation

    cd /tmp/
    git clone http://luajit.org/git/luajit-2.0.git
    cd luajit-2.0/
    make && make install
    ln -sf luajit-2.0.0-beta10 /usr/local/bin/luajit
    ln -sf /usr/local/lib/libluajit-5.1.so.2 /usr/lib/

OpenResty Installation

    cd /tmp
    wget http://agentzh.org/misc/nginx/ngx_openresty-1.2.4.13.tar.gz
    tar xzf ngx_openresty-1.2.4.13.tar.gz
    cd ngx_openresty-1.2.4.13/
    ./configure --prefix=/usr/local/openresty --with-luajit
    make && make install

Nginx Configuration

nginx.conf:

    http {
        [......]
        lua_shared_dict limit 10m;
        lua_shared_dict jsjump 10m;

        server {
            #lua_code_cache off;
            listen       80;
            server_name  www.centos.bz;

            location / {
                default_type  text/html;
                content_by_lua_file "/usr/local/openresty/nginx/conf/lua";
            }
            location @cc {
                internal;
                root   html;
                index  index.html index.htm;
            }
        }
    }

The /usr/local/openresty/nginx/conf/lua file:

    local ip = ngx.var.binary_remote_addr
    local limit = ngx.shared.limit
    local req,_=limit:get(ip)
    if req then
        if req > 20 then                -- over the limit for this window
            ngx.exit(503)
        else
            limit:incr(ip,1)
        end
    else
        limit:set(ip,1,10)              -- first request: counter expires after 10 seconds
    end

    local jsjump = ngx.shared.jsjump
    local uri = ngx.var.request_uri
    local jspara,flags=jsjump:get(ip)   -- flags is set once the client has been verified
    local args = ngx.req.get_uri_args()
    if jspara then
        if flags then
            ngx.exec("@cc")             -- whitelisted client: serve the real content
        else
            local p_jskey=''
            if args["jskey"] and type(args["jskey"])=='table' then
                p_jskey=args["jskey"][table.getn(args["jskey"])]   -- repeated jskey: use the last one
            else
                p_jskey=args["jskey"]
            end
            if p_jskey and p_jskey==tostring(jspara) then
                jsjump:set(ip,jspara,3600,1)   -- verified: whitelist for 3600 seconds
                ngx.exec("@cc")
            else
                local url=''
                if ngx.var.args then
                    url=ngx.var.scheme.."://"..ngx.var.host..uri.."&jskey="..jspara
                else
                    url=ngx.var.scheme.."://"..ngx.var.host..uri.."?jskey="..jspara
                end
                local jscode="<script>window.location.href='"..url.."';</script>"   -- script tags are needed for the browser to run the redirect
                ngx.say(jscode)
            end
        end
    else
        math.randomseed( os.time() );
        local random=math.random(100000,999999)
        jsjump:set(ip,random,60)        -- challenge value is valid for 60 seconds
        local url=''
        if ngx.var.args then
            url=ngx.var.scheme.."://"..ngx.var.host..uri.."&jskey="..random
        else
            url=ngx.var.scheme.."://"..ngx.var.host..uri.."?jskey="..random
        end
        local jscode="<script>window.location.href='"..url.."';</script>"   -- script tags are needed for the browser to run the redirect
        ngx.say(jscode)
    end

Lua Code Description:
1. Lines 1-12 implement the rate limit. Lines 5 and 10 (the req > 20 check and the limit:set(ip,1,10) call) mean that up to 20 requests are allowed within 10 seconds.
2. Lines 14-48 are the verification part. The 3600 on line 24 (in the jsjump:set(ip,jspara,3600,1) call) means that once verification passes, the client is whitelisted for 3600 seconds, that is, 1 hour.

Update: 2013.5.26
1. Fixed the infinite JS redirect bug.
2. Added a random seed.
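
A hardened variant of the verification part, added here as an example and not taken from the original article: the token is an HMAC over the client address and a time slot instead of a math.random() value seeded with os.time(), and the request URI is percent-encoded before it is written into the script. It assumes an OpenResty build that provides ngx.hmac_sha1 and the bundled lua-resty-string library; SECRET, WINDOW, token and js_safe are names chosen for this example.

```lua
-- Added example, not the article's code. SECRET, WINDOW and the helper names
-- are assumptions; keep the real key out of the config repository.
local to_hex = require("resty.string").to_hex

local SECRET = "REPLACE-WITH-LONG-RANDOM-KEY"   -- placeholder value
local WINDOW = 60                                -- challenge lifetime (s)

-- Token bound to the client address and a time slot. Without SECRET it
-- cannot be computed, unlike math.random() seeded with os.time().
local function token(ip, slot)
    return to_hex(ngx.hmac_sha1(SECRET, ip .. "|" .. slot)):sub(1, 16)
end

-- Percent-encode every byte outside a small allow-list so the URI can
-- neither close the JS string literal nor the <script> element.
local function js_safe(uri)
    return (uri:gsub("[^%w%-%._~/%?&=%%%+]", function(c)
        return string.format("%%%02X", c:byte())
    end))
end

local ip     = ngx.var.remote_addr
local jsjump = ngx.shared.jsjump
if jsjump:get(ip) then
    return ngx.exec("@cc")                       -- already whitelisted
end

local slot = math.floor(ngx.time() / WINDOW)
local key  = ngx.req.get_uri_args()["jskey"]
if type(key) == "table" then key = key[#key] end -- repeated arg: last wins

-- Accept the current and the previous slot so a token issued just before
-- a slot boundary still verifies.
if key == token(ip, slot) or key == token(ip, slot - 1) then
    jsjump:set(ip, true, 3600)                   -- whitelist for 1 hour
    return ngx.exec("@cc")
end

-- Issue the challenge as a relative URL, which keeps the client-supplied
-- Host header out of the response body.
local url = js_safe(ngx.var.request_uri)
    .. (ngx.var.args and "&" or "?") .. "jskey=" .. token(ip, slot)
ngx.header["Cache-Control"] = "no-store"
ngx.say("<script>window.location.href='" .. url .. "';</script>")
```

Because the token is recomputed on each request, the jsjump dictionary holds entries only for clients that have already passed verification.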

Address: https://www.centos.bz/2012/12/openresty-nginx-block-cc-attack-deploy/

Reprinted address: http://www.linuxprobe.com/linux-openresty.html



