Protection from DDoS attacks

Hi guys, I found this guide on the NGINX blog on how to “protect” your server as much as possible from DDoS attacks, with the addition of NGINX Plus, which I personally have never tried. Do you use NGINX Plus?

How do you “effectively” protect your servers from DDoS attacks? I understand that a server is unlikely to hold up against a massive attack. Maybe I’m wrong… Thanks anyway to everyone!

LINK ARTICLE NGINX

I use a provider that offers DDoS prevention, to be fair, and I believe CSF has an option to rate-limit IPs, although I think that has to be switched on manually.

Hi,

The question relates to L7 protection, whereas your answer relates to L6-L4 protection.

CSF not only offers rate limiting but also many other options: flood protection, connection tracking, Geo-IP restrictions, etc. It is the most suitable solution for small to medium companies or individuals.

Using a provider that offers DDoS prevention is fine. But this option only comes into play if the attack contains huge packets, like more than 700-1,000 MB/min. When the attack is much smaller, i.e. in the range of 50-250 MB/min, the provider's protection will not kick in. Thus your server will be brought to its knees and badly affected by this mini-DDoS attack. Most hackers know this.

Cloudflare provides excellent configuration to prevent such DDoS attacks too. It also has other tools, like firewall, DNS and IP rules, to enhance protection against such DDoS attacks.

That is where non-provider protection becomes necessary.

The best option I find is to have a hardware or provider firewall in place that is not installed on the server itself. OpenStack offers Security Groups too. This also gives very decent protection if properly configured. With this, many other attacks will be set to zero.

Thereafter, what remains is protection at the L7 level. Here, CSF works to prevent L7 attacks before they reach Nginx. Once it allows the traffic through, Nginx has to be configured to be ready to defend itself.

There are some other techniques not described in the above link. Firstly, identify from the logs, on a constant basis, what kind of activity is going on on your server. Harden nginx.conf so that it rejects such requests with 400 errors. Then work on filtering traffic based on location and keywords in the URL. This strategy will offer basic L7 protection. Only after that will the information in the above article help, when an attack does come.
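The nginx side of what the reply above describes (rate and connection limits, short client timeouts, a location deny list, and a URL keyword filter that answers with 400 or closes the connection), as an added example that is not part of the original post, the reply, or the linked NGINX article. The zone names, the 203.0.113.0/24 range, the keyword patterns, example.com and the 127.0.0.1:8080 backend are placeholders to be replaced with whatever your own log review shows.

```nginx
# Added example, not from the posts or the NGINX article. Zone names, the
# blocked network, the URL keywords, example.com and the backend address are
# assumptions to be replaced with what your own log review shows.

http {
    # Per-client request rate: 10 r/s per IP; a 10 MB zone holds ~160,000
    # addresses. A second, tighter zone for login-style endpoints.
    limit_req_zone $binary_remote_addr zone=req_per_ip:10m   rate=10r/s;
    limit_req_zone $binary_remote_addr zone=login_per_ip:10m rate=1r/s;
    # Per-client concurrent connections.
    limit_conn_zone $binary_remote_addr zone=conn_per_ip:10m;
    # Answer limit hits with 429 instead of the default 503, so a limit hit is
    # distinguishable from a backend outage when you read the access log.
    limit_req_status 429;
    limit_conn_status 429;

    # Slow-request attacks (slowloris and friends) hold sockets open for as
    # long as you let them; keep client-side timeouts short and bodies small.
    client_header_timeout 10s;
    client_body_timeout   10s;
    send_timeout          10s;
    keepalive_timeout     15s;
    client_max_body_size  1m;

    # Location filter with the built-in geo module: $blocked_net is 1 for
    # addresses in the listed ranges. 203.0.113.0/24 is a documentation range
    # used here as a placeholder. (With ngx_http_geoip_module you can key a
    # map on $geoip_country_code instead to block whole countries.)
    geo $blocked_net {
        default        0;
        203.0.113.0/24 1;
    }

    # URL keyword filter: 1 when the request URI matches something only
    # scanners or bots ask for on this site (assumed: no PHP/ASP/JSP handlers,
    # no WordPress, and no SQL fragments belong in a URL). $request_uri keeps
    # the query string, hence the (\?|$) anchor. ~* makes the match
    # case-insensitive.
    map $request_uri $blocked_uri {
        default 0;
        "~*\.(php|asp|aspx|jsp)(\?|$)"                1;
        "~*/(wp-admin|wp-login|xmlrpc\.php|cgi-bin)"  1;
        "~*(union.+select|sleep\(|benchmark\()"       1;
    }

    # Catch-all vhost: requests with an empty, random or IP-literal Host header
    # (typical of floods and scanners) get the connection closed without a
    # reply. 444 is nginx-specific: no response is sent, the socket is closed.
    server {
        listen 80 default_server;
        server_name _;
        return 444;
    }

    server {
        listen 80;
        server_name example.com www.example.com;
        access_log /var/log/nginx/example.access.log;

        # Reject filtered clients before any location is evaluated. "if" plus
        # "return" at server level is the one safe use of "if" in nginx.
        # 400 is answered and counted in the log; 444 just closes the socket.
        if ($blocked_net) { return 444; }
        if ($blocked_uri) { return 400; }

        # Login endpoint: 1 r/s, small burst, queued rather than dropped.
        location = /login {
            limit_req zone=login_per_ip burst=5;
            limit_conn conn_per_ip 5;
            proxy_pass http://127.0.0.1:8080;
        }

        location / {
            # Allow a burst of 20 above the rate without queuing, then 429.
            limit_req zone=req_per_ip burst=20 nodelay;
            limit_conn conn_per_ip 20;
            proxy_pass http://127.0.0.1:8080;
        }
    }
}
```

Check the file with `nginx -t` before reloading. Afterwards the access log is the tuning loop the reply talks about: count 429, 400 and 444 responses per client over time, then widen or narrow the burst values, the geo ranges and the keyword map based on what you see rather than on guesses. Note that the keyword map matches any URL containing those strings, so review it against legitimate paths on the site before deploying.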
