DDoS protection is a subtle art that combines programming, computer security, and system administration. Among the available security tools, the popular Nginx server is far from the least useful.
Properly configured, it can minimize the effects of DDoS attacks and make them more difficult to carry out. We have prepared a list of recommendations for those building a system to protect against basic DDoS attacks using Nginx.
Prepare For Load Balancing From Day One
Often, backend systems run under light load at first, and load balancing is not needed because there is hardly any load to balance. That does not mean you should not prepare for stress.
Designing and configuring an Nginx-based balancer should be started in advance, before the moment it is needed. The sudden popularity of your resource, a climb to the top of the charts, or a sharp increase in demand can land on you without warning. Such attention from users can also have negative effects: if the server buckles under load, customers will be unhappy, and you risk incurring losses. If you set up the balancer in advance and prepare the capacity for processing requests, you can easily cope with traffic growth.
Since increased demand for a program is somewhat similar to a DDoS attack, being ready for bursts of good traffic will also protect you from attacks.
Caching Everything You Can
Part of the load on any server comes from serving the same kind of requests over and over, for content that rarely changes. Issuing standard forms, headers, and static files demands the server's attention and creates load that could be avoided. Enable aggressive caching policies wherever possible. You can cache both at the server level, by keeping cached copies of static HTML content, and at the client level, by sending cache-control headers.
Proper cache settings remove the routine load from the server and free CPU and network capacity for handling legitimate traffic and countering malicious DDoS requests. Your server can hold out longer under attack while the engineers work to fix the problem.
Block Suspicious Addresses
Often, an investigation of a security incident shows that most of the malicious traffic comes from specific IP addresses. A firewall blocks such traffic easily. If, for some reason, it is not possible to configure a firewall, you can always cut off attackers' requests at the level of Nginx itself:
A simple option in the configuration file blocks the entire malicious subnet.
Fight Slow Connections
One way to load the server with unnecessary work and conduct a DDoS is to send slow requests. While it is tied up responding to slow connections, the server cannot process requests from real users. To protect against DDoS in Nginx, it is possible to set timeouts that will not allow connections to hang for too long:
This simple setup will protect you from a whole class of DDoS attacks.
Some providers offer protection against DDoS attacks as a service; in that case, you do not have to configure anything yourself, and their filtering platform is meant to protect against all types of threats.
Limit The Number Of Requests From One Address
Another DDoS tactic is to hit the server with many requests from the same address. Nginx can also prevent this by limiting the number of requests from one address to a resource:
In this configuration example, we limit the number of requests to a resource to 30 requests per minute. This is more than enough for any real user.
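The three Nginx measures described above (blocking a malicious subnet, tightening timeouts for slow connections, and limiting requests per address to 30 per minute) combined in one configuration, as an added example that is not the article's own snippet; the subnet 192.0.2.0/24, the zone names and the backend address 127.0.0.1:8080 are placeholders.

```nginx
# Added example (not from the article): one server block combining the
# three measures discussed. 192.0.2.0/24 (a documentation range), the zone
# names and 127.0.0.1:8080 are placeholders, not real addresses.

http {
    # Per-client request rate: keyed on the binary client IP, 10 MB of shared
    # memory (roughly 160k addresses), 30 requests per minute as in the text.
    limit_req_zone $binary_remote_addr zone=per_ip:10m rate=30r/m;

    # Also cap simultaneous connections per client: slow-connection floods
    # open many connections but send very little data on each.
    limit_conn_zone $binary_remote_addr zone=per_ip_conn:10m;

    # Return 429 instead of the default 503 so rate-limited clients can be
    # told apart from a genuinely overloaded backend in the access log.
    limit_req_status  429;
    limit_conn_status 429;

    server {
        listen 80;

        # Block the whole subnet identified during the incident investigation.
        deny  192.0.2.0/24;
        allow all;

        # Timeouts that stop slow clients from holding worker connections open.
        client_body_timeout   10s;    # max gap between two successive body reads
        client_header_timeout 10s;    # time allowed to receive the full request header
        keepalive_timeout     5s 5s;  # idle keep-alive on the server / Keep-Alive hint to client
        send_timeout          10s;    # max gap between two successive writes to the client

        location / {
            # Allow a short burst, then enforce the rate without queueing delay.
            limit_req  zone=per_ip burst=10 nodelay;
            limit_conn per_ip_conn 10;
            proxy_pass http://127.0.0.1:8080;
        }

        # Static content: serve from disk and let clients cache it for a day.
        location /static/ {
            root /var/www;
            expires 1d;
            add_header Cache-Control "public";
        }
    }
}
```

Check the result with `nginx -t` before reloading, and watch the access log for 429 responses to confirm that only abusive addresses are being limited.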