Nginx config for layer7 http application attacks.
Hello,
I need a config for nginx for layer 7 http application attacks.
Attacks are mainly GET attacks to random elements on the page.
Tons of IP addresses request index.php?blabla, for example.
This makes the Apache server unresponsive and the MySQL server unable to respond.
I read a lot of pages about this and tested a bit.
But a straightforward script / configuration, already tested under attack, would really help.
Comments
Note: Nginx is already running as proxy for apache http server.
Nginx is on a server with acceptable layer4 ddos protection,
So no problem with layer 4 whatsoever.
apache server is on the other side of the world in another server.
nginx server and apache server are connected over ipv4
I can also connect them using a VPN (tinc, etc.)
I need to hear your experiences please.
On Nginx side I want a custom protection single page html and a button to click to proceed to main site.
Cloudflare style redirection not needed.
https://github.com/kyprizel/testcookie-nginx-module
For you to do something like that, you would have to write a custom html page for testcookie.
Just assign the cookie when the user clicks the button using JavaScript.
These layer 7 attacks are getting so annoying I had to put a captcha page for every country on Cloudflare, because I am getting attacked by many countries daily and now they are using random user agents and proxies and are bypassing the Cloudflare browser check page easily.
Assuming you know where a query string would make a legit request, a fast, dirty and ugly solution that is very effective is to disallow all requests that don't match, so that almost no processing is happening.
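set $PASS 0;                          # default: reject (also avoids an uninitialized-variable warning)
if ($arg_s) { set $PASS 1; }          # allow requests that carry the search parameter "s"
if ($is_args = "") { set $PASS 1; }   # allow requests with no query string at all
if ($PASS != "1") { return 403; }     # everything else is refused before it reaches the backend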
Or do a 302 and send them over to a gzip bomb. Who knows, they may actually be fetching the response body:)
The above example allows the search for WP to go through but won't allow anything else and processing penalty is very low.
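A dry run of the rule above over access-log request lines, as an added example that is not part of the original post: it mirrors how nginx evaluates `$arg_s` and `$is_args`, so the rule can be checked against recorded traffic for legitimate requests it would refuse before the 403 is switched on. The function names are hypothetical and the log lines are constructed samples.

```python
import re
from collections import Counter

# Request line inside an access-log entry: "METHOD URI PROTOCOL"
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')

def nginx_arg(query, name):
    """Mimic nginx $arg_<name>: first 'name=' pair, case-insensitive name, raw value."""
    for pair in query.split("&"):
        key, sep, value = pair.partition("=")
        if sep and key.lower() == name:
            return value
    return ""

def rule_allows(uri):
    """Return True when the `if` lines above would let this request URI through."""
    _path, _, query = uri.partition("?")
    if nginx_arg(query, "s") not in ("", "0"):  # nginx `if ($var)` is false for "" and "0"
        return True
    return query == ""                          # $is_args is "" when there is no query string

def dry_run(log_lines):
    """Count allowed/blocked requests and collect the blocked URIs for review."""
    counts, blocked = Counter(), []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            counts["unparsed"] += 1
            continue
        if rule_allows(m.group(1)):
            counts["allowed"] += 1
        else:
            counts["blocked"] += 1
            blocked.append(m.group(1))
    return counts, blocked

# Constructed sample log lines (documentation IP range), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET /?s=nginx+config HTTP/1.1" 200 7300',
    '198.51.100.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?blabla HTTP/1.1" 200 5120',
    '198.51.100.8 - - [01/Jan/2024:10:00:04 +0000] "GET /?s=0 HTTP/1.1" 200 4100',
    '198.51.100.8 - - [01/Jan/2024:10:00:05 +0000] "GET /wp-login.php?redirect_to=%2F HTTP/1.1" 200 2900',
]

if __name__ == "__main__":
    counts, blocked = dry_run(SAMPLE_LOG)
    print(dict(counts), "would get 403:", blocked)
```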
So you're saying that attacking bots DO understand the cookie process and accept and send the necessary replies to pass cookie verification?
Why not use WAF behind cloudflare starting from their cheapest paid plan.
Yes, it's so easy to bypass it. I even talked to the Cloudflare guys and they admitted it can be easily bypassed. There are scripts available on GitHub that you can use to launch massive attacks from a single server: just give it a list of HTTP proxies and random user agents, then tell it the number of connections you want, and the attack begins!
To give you an idea, check this script: https://github.com/KyranRana/cloudflare-bypass
Let me post the exact answer I got from Cloudflare support about bypassing the browser check page:
If the attackers use scripts while you have just a config they'll win.
If you use Cloudflare or another large service then the attackers will usually win sooner or later. Reason: finding a way to bypass a large service's protection is very attractive and hence worth lots of effort, because the reward will be very many sites open to attack. Same reason why there are many more viruses on Windows than on Mac or Linux. Many more targets.
The easiest thing, is to give something a cookie, it needs to fill a captcha, to get the cookie, if it does not do that => all requests go to a plain html page which reduces load to like nothing.
how many different ips?