Strategy:
1) Use the ngx_http_limit_req_module module to limit the request rate and the number of requests.
Configuration reference: http://nginx.org/en/docs/http/ngx_http_limit_req_module.html#limit_req_zone
2) Use the ngx_http_limit_conn_module module to limit the number of concurrent connections.
Configuration reference: http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html#directives
3) For more strategies, see the official documentation.
The configuration is given below:
http {
    limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
    limit_conn_zone $binary_remote_addr zone=addr:10m;
    server {
        listen 80;
        server_name 210.10.5.102;
        location / {
            root html;
            index index.html index.htm;
            limit_req zone=one burst=5;
            limit_conn addr 1;
        }
    }
}
All other configuration is omitted; only the limit settings that matter for DDoS mitigation are discussed and tested here.
A note on 10m: this is the size of the shared memory zone. The official explanation for 1m is that it holds about 16 thousand session states, so once more than 160 thousand session states are held, new requests are answered with 503 (One megabyte zone can keep about 16 thousand 64-byte states. If the zone storage is exhausted, the server will return the 503 (Service Temporarily Unavailable) error to all further requests.)
The official documentation also says the following about burst:
Excessive requests are delayed until their number exceeds the maximum burst size in which case the request is terminated with an error 503 (Service Temporarily Unavailable). By default, the maximum burst size is equal to zero.
If delaying of excessive requests while requests are being limited is not desired, the parameter nodelay should be used:
limit_req zone=one burst=5 nodelay;
One way to understand this: burst is the size of the queue, but even when the queue is full nginx still gives a request one chance to be delayed, and the documentation does not say how many ms that delay is. If the policy should not give this "chance", add nodelay as well, so that any overflow of the queue is answered with 503 immediately. I am not sure whether this understanding is correct; if it is wrong, I hope someone more knowledgeable will correct it!
Once configured, the following limits result:
no more than 1 request is processed per second (1r/s);
no more than 5 requests per visit (burst=5); more than 5 are handled as 503;
only 1 concurrent connection per visit is allowed (addr 1); more than 1 is handled as 503.
3) Test the configured policies (apache-ab):
3.1 At the start of testing no policy had been added yet and the default nginx.conf.default was still in use; first check that ab works, then add the policies step by step.
Server Software:        BWS/1.1
Server Hostname:        www.baidu.com
Server Port:            80
Document Path:          /
Document Length:        96527 bytes
Concurrency Level:      10
Time taken for tests:   1.952 seconds
Complete requests:      20
Failed requests:        19
   (Connect: 0, Length: 19, Exceptions: 0)
20 requests in total at 10 concurrent, 19 failed, which suggests Baidu has protection equivalent to burst=1 and addr 1. Baidu's protection is done well!
3.2 Local nginx: 20 requests at 10 concurrent, 20 succeeded, 0 failed
Server Software:        nginx/1.2.6
Server Hostname:        210.10.5.189
Server Port:            80
Document Path:          /test.html/
Document Length:        168 bytes
Concurrency Level:      10
Time taken for tests:   0.109 seconds
Complete requests:      20
Failed requests:        0
3.3 Local nginx: 2000 requests at 1000 concurrent, 2000 succeeded, 0 failed
Server Software:        nginx/1.2.6
Server Hostname:        210.10.5.189
Server Port:            80
Document Path:          /test.html/
Document Length:        168 bytes
Concurrency Level:      1000
Time taken for tests:   12.900 seconds
Complete requests:      2000
Failed requests:        0
This shows that local throughput is excellent, and every request was served.
3.4 Local nginx: 200 requests at 100 concurrent, 200 succeeded, 0 failed
Server Software:        nginx/1.2.6
Server Hostname:        210.10.5.189
Server Port:            80
Document Path:          /index.jsp/
Document Length:        168 bytes
Concurrency Level:      100
Time taken for tests:   0.983 seconds
Complete requests:      200
Failed requests:        0
Non-2xx responses:      200
This test requested a jsp page through the reverse proxy; the static html earlier was served directly by the nginx server.
3.5 Local nginx: 2000 requests at 1000 concurrent, 2000 succeeded, 0 failed
Server Software:        nginx/1.2.6
Server Hostname:        210.10.5.189
Server Port:            80
Document Path:          /index.jsp/
Document Length:        168 bytes
Concurrency Level:      1000
Time taken for tests:   9.858 seconds
Complete requests:      2000
Failed requests:        0
Non-2xx responses:      2000
So whether static or dynamic, every request was served; the result is very good.
3.6 Local nginx: for 200 requests, is there a difference in processing time between 10 concurrent and 1 concurrent?
Server Software:        nginx/1.2.6
Server Hostname:        210.10.5.189
Server Port:            80
Document Path:          /index.jsp/
Document Length:        168 bytes
Concurrency Level:      10
Time taken for tests:   1.001 seconds
Complete requests:      200
Failed requests:        0
Non-2xx responses:      200

Server Software:        nginx/1.2.6
Server Hostname:        210.10.5.189
Server Port:            80
Document Path:          /index.jsp/
Document Length:        168 bytes
Concurrency Level:      1
Time taken for tests:   1.792 seconds
Complete requests:      200
Failed requests:        0
Non-2xx responses:      200
The time at 1 concurrent is about 1.7 times that at 10 concurrent, so there is definitely a difference.
3.7 Add the policy of 1 request processed per second with a waiting queue of burst=5. Local nginx: 10 requests at 1 concurrent, 10 succeeded, 0 failed, but it took more than 9 s
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
limit_req zone=one burst=5;
Server Software:        nginx/1.2.6
Server Hostname:        210.10.5.189
Server Port:            80
Document Path:          /index.jsp/
Document Length:        168 bytes
Concurrency Level:      1
Time taken for tests:   9.014 seconds
Complete requests:      10
Failed requests:        0
Non-2xx responses:      10
3.8 Policy of 1 request processed per second with a waiting queue of burst=5. Local nginx: 10 requests at 6 concurrent, 6 succeeded, 4 failed
Server Software:        nginx/1.2.6
Server Hostname:        210.10.5.189
Server Port:            80
Document Path:          /index.jsp/
Document Length:        168 bytes
Concurrency Level:      6
Time taken for tests:   5.019 seconds
Complete requests:      10
Failed requests:        4
   (Connect: 0, Length: 4, Exceptions: 0)
burst=5 is in effect; otherwise 6 concurrent would not have failed, as it did not before.
3.9 Policy of 1 request processed per second with a waiting queue of burst=5. Local nginx: 10 requests at 5 concurrent, 10 succeeded, 0 failed
Server Software:        nginx/1.2.6
Server Hostname:        210.10.5.189
Server Port:            80
Document Path:          /index.jsp/
Document Length:        168 bytes
Concurrency Level:      5
Time taken for tests:   9.016 seconds
Complete requests:      10
Failed requests:        0
Non-2xx responses:      10
Everything succeeding is presumably because burst=5 was not exceeded and the queue never overflowed, in contrast with the failures at 6 concurrent.
3.10 Policy of 1 request processed per second with a waiting queue of burst=5. Local nginx: 20 requests at 7 concurrent, 6 succeeded, 4 failed
Server Software:        nginx/1.2.6
Server Hostname:        210.10.5.189
Server Port:            80
Document Path:          /index.jsp/
Document Length:        168 bytes
Concurrency Level:      7
Time taken for tests:   5.009 seconds
Complete requests:      10
Failed requests:        4
   (Connect: 0, Length: 4, Exceptions: 0)
Non-2xx responses:      10
7 concurrent gives the same result as 6 concurrent, 4 failures each, which is puzzling.
3.11 Policy of 1 request processed per second with a waiting queue of burst=5. Local nginx: 10 requests at 10 concurrent, 6 succeeded, 4 failed
Server Software:        nginx/1.2.6
Server Hostname:        210.10.5.189
Server Port:            80
Document Path:          /index.jsp/
Document Length:        168 bytes
Concurrency Level:      10
Time taken for tests:   5.023 seconds
Complete requests:      10
Failed requests:        4
   (Connect: 0, Length: 4, Exceptions: 0)
Non-2xx responses:      10
10 concurrent gives the same result as 6 and 7 concurrent: 4 failures.
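The simulation below is an added example; it is not code from the original post or from nginx. It models limit_req as the nginx documentation describes it (a leaky bucket that lets one request through per rate interval, queues up to burst excess requests and delays each of them so the key never exceeds rate, and answers overflow with 503; with nodelay the queued requests are forwarded at once but still consume the burst budget) together with ab's closed loop (the concurrency level is kept in flight, and every completed response, a 503 included, is immediately replaced by the next request). The 10 ms upstream service time, the single client IP, and the millisecond and thousandths-of-a-request bookkeeping are assumptions of this example. Under those assumptions, 10 requests at 1, 5, 6, 7 and 10 concurrent give 0, 0, 4, 4 and 4 rejections in about 9.0 s, 9.0 s, 5.0 s, 5.0 s and 5.0 s, the same pattern as tests 3.7 through 3.11: with rate=1r/s and burst=5, at most 1 + 5 = 6 requests can be outstanding at the limiter, so whatever ab has in flight beyond six when the bucket is full is refused, regardless of the concurrency level. It also answers the question raised under the burst quotation above: the delay is not one extra "chance" but excess/rate seconds per queued request, so the sixth simultaneous request waits about 5 s.

```python
"""Closed-loop model of nginx limit_req under ApacheBench-style load (added example)."""
import heapq


class LimitReq:
    """Per-key leaky-bucket state, kept in thousandths of a request like nginx does."""

    def __init__(self, rate_rps, burst, nodelay=False):
        self.rate = rate_rps * 1000      # thousandths of a request per second
        self.burst = burst * 1000        # thousandths of a request
        self.nodelay = nodelay
        self.excess = 0                  # current bucket level (thousandths)
        self.last = None                 # ms timestamp of the last accepted request

    def admit(self, now_ms):
        """Return (accepted, delay_ms); a rejected request gets 503 immediately."""
        if self.last is None:            # first request for this key: let it through
            self.last = now_ms
            return True, 0
        # leak what has drained since the last accepted request, then add this one
        excess = self.excess - self.rate * (now_ms - self.last) // 1000 + 1000
        excess = max(excess, 0)
        if excess > self.burst:          # bucket overflow -> 503, state left untouched
            return False, 0
        self.excess, self.last = excess, now_ms
        delay = 0 if self.nodelay else excess * 1000 // self.rate
        return True, delay


def run_ab(n_requests, concurrency, rate_rps=1, burst=5, nodelay=False, service_ms=10):
    """Simulate `ab -n n_requests -c concurrency` against one limit_req zone.

    Assumed: one client IP, fixed upstream service time. Returns
    (successful, rejected_with_503, total_time_ms).
    """
    limiter = LimitReq(rate_rps, burst, nodelay)
    events = []                          # heap of (time_ms, seq, kind, request_id)
    seq = 0

    def push(t, kind, rid):
        nonlocal seq
        heapq.heappush(events, (t, seq, kind, rid))
        seq += 1

    sent = 0
    while sent < min(concurrency, n_requests):   # ab opens `concurrency` requests at once
        push(0, "arrive", sent)
        sent += 1

    ok = rejected = 0
    last_done = 0
    while events:
        now, _, kind, rid = heapq.heappop(events)
        if kind == "arrive":
            accepted, delay = limiter.admit(now)
            if accepted:
                push(now + delay + service_ms, "done_ok", rid)
            else:
                push(now, "done_503", rid)
        else:
            if kind == "done_ok":
                ok += 1
            else:
                rejected += 1
            last_done = now
            if sent < n_requests:        # ab replaces every finished request at once
                push(now, "arrive", sent)
                sent += 1
    return ok, rejected, last_done


if __name__ == "__main__":
    for c in (1, 5, 6, 7, 10):
        print(f"-n 10 -c {c}:", run_ab(10, c))
    print("-n 10 -c 6 with nodelay:", run_ab(10, 6, nodelay=True))
```

One caveat when comparing this with the ab output above: ab does not count status codes in its Failed requests line; the "Length: 4" part counts responses whose body length differed from the first response, and "Non-2xx responses: 10" shows that even the accepted requests returned a non-2xx status from the proxied index.jsp. The simulation counts actual limiter rejections, which is the figure nginx's own error log or a 503 counter would give you.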
3.12 Add to the policy of 1 request processed per second and a waiting queue of burst=5 a limit of 1 concurrent connection per IP. Local nginx: 5 requests at 1 concurrent, 5 succeeded, 0 failed, since no limit was exceeded
limit_conn addr 1;
Server Software:        nginx/1.2.6
Server Hostname:        210.10.5.189
Server Port:            80
Document Path:          /index.jsp/
Document Length:        168 bytes
Concurrency Level:      1
Time taken for tests:   4.025 seconds
Complete requests:      5
Failed requests:        0
Non-2xx responses:      5
3.13 Policy of 1 request processed per second, a waiting queue of burst=5, and 1 concurrent connection per IP. Local nginx: 5 requests at 2 concurrent, 5 succeeded, 0 failed
Server Software:        nginx/1.2.6
Server Hostname:        210.10.5.189
Server Port:            80
Document Path:          /index.jsp/
Document Length:        168 bytes
Concurrency Level:      2
Time taken for tests:   4.012 seconds
Complete requests:      5
Failed requests:        0
Non-2xx responses:      5
This result was not expected: in principle 2 concurrent should not be processable, which is puzzling, but never mind, keep testing.
3.14 Policy of 1 request processed per second, a waiting queue of burst=5, and 1 concurrent connection per IP. Local nginx: 5 requests at 5 concurrent, 2 succeeded, 3 failed
Server Software:        nginx/1.2.6
Server Hostname:        210.10.5.189
Server Port:            80
Document Path:          /index.jsp/
Document Length:        168 bytes
Concurrency Level:      5
Time taken for tests:   4.010 seconds
Complete requests:      5
Failed requests:        3
   (Connect: 0, Length: 3, Exceptions: 0)
Non-2xx responses:      5
This result shows that the concurrency limit limit_conn addr 1 is in effect; otherwise 5 concurrent could not have failed. But it contradicts the 2-concurrent test just before, since in principle 2 concurrent should likewise not be processable. Never mind, keep testing.
3.15 Policy of 1 request processed per second, a waiting queue of burst=5, and 1 concurrent connection per IP. Local nginx: 5 requests at 3 concurrent, 5 succeeded, 0 failed
Server Software:        nginx/1.2.6
Server Hostname:        210.10.5.189
Server Port:            80
Document Path:          /index.jsp/
Document Length:        168 bytes
Concurrency Level:      3
Time taken for tests:   4.009 seconds
Complete requests:      5
Failed requests:        0
Non-2xx responses:      5
So 3 concurrent can be handled as well.
3.16 Policy of 1 request processed per second, a waiting queue of burst=5, and 1 concurrent connection per IP. Local nginx: 5 requests at 4 concurrent, 5 succeeded, 0 failed
Server Software:        nginx/1.2.6
Server Hostname:        210.10.5.189
Server Port:            80
Document Path:          /index.jsp/
Document Length:        168 bytes
Concurrency Level:      4
Time taken for tests:   4.025 seconds
Complete requests:      5
Failed requests:        0
Non-2xx responses:      5
So 4 concurrent can be handled as well.
3.17 Policy of 1 request processed per second, a waiting queue of burst=5, and 1 concurrent connection per IP. Local nginx: 10 requests at 4 concurrent, 6 succeeded, 4 failed
Server Software:        nginx/1.2.6
Server Hostname:        210.10.5.189
Server Port:            80
Document Path:          /index.jsp/
Document Length:        168 bytes
Concurrency Level:      4
Time taken for tests:   13.057 seconds
Complete requests:      10
Failed requests:        4
   (Connect: 0, Length: 4, Exceptions: 0)
Non-2xx responses:      10
5 requests at 4 concurrent can be handled, but 10 requests at 4 concurrent cannot? I don't understand. It would probably take a study of the official documentation; conventional reasoning does not explain it. Never mind, keep going.
3.18 Policy of 1 request processed per second, a waiting queue of burst=5, and 1 concurrent connection per IP. Local nginx: 10 requests at 3 concurrent, 7 succeeded, 3 failed
Server Software:        nginx/1.2.6
Server Hostname:        210.10.5.189
Server Port:            80
Document Path:          /index.jsp/
Document Length:        168 bytes
Concurrency Level:      3
Time taken for tests:   11.049 seconds
Complete requests:      10
Failed requests:        3
   (Connect: 0, Length: 3, Exceptions: 0)
Non-2xx responses:      10
10 requests at 3 concurrent: 3 failures; at 4 concurrent: 4 failures.
3.19 Policy of 1 request processed per second, a waiting queue of burst=5, and 1 concurrent connection per IP. Local nginx: 10 requests at 2 concurrent, 10 succeeded, 0 failed
Server Software:        nginx/1.2.6
Server Hostname:        210.10.5.189
Server Port:            80
Document Path:          /index.jsp/
Document Length:        168 bytes
Concurrency Level:      2
Time taken for tests:   9.001 seconds
Complete requests:      10
Failed requests:        0
Non-2xx responses:      10
10 requests at 3 concurrent: 3 failures; at 4 concurrent: 4 failures; at 2 concurrent: no failures. I stopped testing at this point. I have also read other people's test write-ups, and they could not explain the cause either. In short, the results do not fully match expectations, but the tests are not without value: at least after configuring the policy, access is limited to some degree, so it can resist DDoS attacks to a certain extent.