Products
Edge AI
AI Training
GPU Cloud
GPU CloudBoost AI/ML training with servers powered by NVIDIA
AI Applications
Image Generator
Image GeneratorCreate realistic and stunning images with ease
Speech-to-Text Translator
Speech-to-Text TranslatorTranslate from English to Luxembourgish seamlessly
Edge Cloud
Compute
Basic VMs
Basic VMsManage workloads on affordable shared virtual servers
Virtual Machines
Virtual MachinesRun apps on customizable dedicated virtual servers
Bare Metal
Bare MetalDeploy apps on powerful dedicated physical servers
Containers
Managed Kubernetes
Managed KubernetesDeploy, manage, and scale Kubernetes clusters easily
Container as a Service
Container as a ServiceRun containerized apps without server provisioning
Function as a Service
Function as a ServiceExecute serverless code functions efficiently
Networking
Load Balancer
Load BalancerRoute traffic optimally to improve app performance
5G Network
5G NetworkDeploy apps and securely connect mobile devices via 5G
Virtual Private Cloud
Virtual Private CloudManage resources in a secure isolated private cloud
Hosting
Virtual Servers
Virtual ServersHost on virtual servers with no traffic restrictions
Dedicated Servers
Dedicated ServersHost on physical servers with worldwide availability
Storage
Object Storage
Object StorageStore data in fast and scalable S3-compatible storage
File Shares
File SharesShare files across servers easily using NFS protocol
Databases
Managed PostgreSQL
Managed PostgreSQLProvision fully managed PostgreSQL databases with ease
Monitoring
Managed Logging
Managed LoggingCollect, store, and analyze application logs
About Edge Cloud
Edge Network
Application Performance
CDN
CDNAccelerate dynamic and static content delivery
FastEdge
FastEdgeDeploy serverless apps with low-latency edge computing
Media Delivery
Video Streaming
Video StreamingDeliver high-quality live and on-demand video at scale
DNS
Managed DNS
Managed DNSEnsure application availability with authoritative DNS
Public DNS
Public DNSProtect online privacy with a free DNS resolver
About Edge Network
Edge Security
Network Security
DDoS Protection
DDoS ProtectionProtect your infrastructure from evolving DDoS attacks
Application Security
Web Application Security
Web Application SecuritySafeguard web resources against attacks and threats
WAAP
WAAPSecure apps and APIs from DDoS, bots and OWASP attacks
Solutions
By Industry
Gaming
CDN for Gaming
Game Server Protection
Game Development
Retail
CDN for E-commerce
Media & Entertainment
CDN for Video
Metaverse Streaming
TV & Online Broadcasters
Sport Broadcasting
Online Events
Financial Services
Cloud for Financial Services
Technology
Image Optimization
Web Acceleration
Wordpress CDN
Education
AI Universities
Online Education
By Need
Web Acceleration
Web Acceleration
Image Optimization
Wordpress CDN
Security
Game Server Protection
Video Streaming
CDN for Video
Video Hosting
Live Streaming
Video Calls
Availability
Multi-CDN
Cloud
Web Service
Game Development
Online Store
Migration to the Cloud
ERP in the Cloud
Pricing
Resources
Resources
Blog
Customer Stories
White Papers
Events
Documentation
Docs
API
Product Roadmap
Help Center
Tools
Looking Glass
Speed Test
Developer Tools
Gcore Status
Partners
Partners
Intel
Intel | New CPU Generation
Intel | Ice Lakes
Hesp
Equinix
InData Labs
Ampere
Unum
Programs
White Label Program
Referral Program
Why Gcore
Company
About Gcore
Press
Awards
Careers
Platform
Network
Infrastructure
Internet Peering Points
Compliance
Legal Information
Under attack?Under attack?
en
Contact usContact us
Contact us

Select the Gcore Platform

Recommended
Gcore Edge Solutions Go to Gcore Platform → Go to Gcore Platform →

Products:

  • Edge Delivery (CDN)
  • DNS with failover
  • Virtual Machines
  • Bare Metal
  • Cloud Load Balancers
  • Managed Kubernetes
  • AI Infrastructure
  • Edge Security (DDOS+WAF)
  • FaaS
  • Streaming
  • Object Storage
  • ImageStack (Optimize and Resize)
  • Edge Compute (Coming soon)
Show full list
Gcore Hosting Go to Gcore Hosting →
  1. Home
  2. Learning
  3. How to Protect from DDoS Attacks with Nginx

How to Protect from DDoS Attacks with Nginx

June 30, 2023 6 min read
How to Protect from DDoS Attacks with Nginx

Distributed denial-of-service (DDoS) attacks are a serious threat to any online business or web application. In this article, we take a closer look at application-layer attacks and explain how to use Nginx to protect against them. We provide instructions and code snippets to help you configure the Nginx reverse proxy instance to confidently defend your online presence against DDoS attacks at the application layer.

Application-Layer DDoS Attacks

Application-layer attacks, also known as layer 7 DDoS attacks, target the top layer of the OSI (Open Systems Interconnection) model, the application layer, where common internet requests such as HTTP GET and HTTP POST occur. These attacks are particularly effective as they consume both server and network resources, causing significant disruption with less total bandwidth compared to other types of DDoS attacks. Additionally, application layer attacks are often more sophisticated and harder to detect and mitigate than other types of DDoS attacks.

Examples of application layer attacks:

  • HTTP flood: An HTTP flood involves sending a large number of HTTP requests to the target, for example, using a botnet or a network of compromised devices. The target may become unavailable if it is unable to process a large number of requests.
  • Slowloris: Slowloris is a type of application-layer attack that involves sending partial HTTP requests to the target and keeping the connections open for as long as possible. This can exhaust the resources of the target. For example, the code perl slowloris.pl -dns 192.0.2.1 uses a Perl-based Slowloris.pl tool to initiate a Slowloris attack against the target web server at IP address 192.0.2.1 by sending partial HTTP requests and keeping the connections open for an extended period of time, making the target unavailable.

DDoS Protection or Mitigation with Nginx

Nginx is a high-performance, stable, and resource-efficient open source web server and reverse proxy. It can be configured to act as a load balancer, reverse proxy, and HTTP cache and is often used by web-based applications to handle large amounts of traffic.

DDoS protection, or DDoS mitigation, is the process of protecting a network or system from DDoS attacks. This can involve a variety of measures, including setting up firewalls and load balancers to filter out malicious traffic, implementing rate limiting to prevent excessive requests, and using cloud-based DDoS protection services to absorb and filter out malicious traffic.

Using Nginx for DDoS protection can be an effective way to protect your servers from DDoS attacks. By configuring Nginx as a reverse proxy and implementing appropriate rate limiting and timeout parameters, you can absorb and mitigate the impact of DDoS attacks and help protect your servers from being overwhelmed by malicious traffic. The following sections cover several methods you can use to implement DDoS protection using Nginx.

Limiting the Number of Connections

Limiting the number of connections that can be made from a single IP address can help prevent a single source from flooding your servers with requests. You can implement this method with Nginx using the limit_conn directive.

For example, the following configuration limits the number of connections to 100 per IP address:

limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
server {
    ...
    limit_conn conn_limit_per_ip 100;
}

When setting a limit on connections to protect against DDoS attacks, you need to find the right balance between protection and performance. Setting the limit too low can harm legitimate users, while setting it too high won’t effectively protect against attacks. Setting the limit to a low number, such as 10 or 20, is a good starting point, and then you can gradually increase it until you find the sweet spot that works for your server. Determining your sweet spot involves monitoring your server’s performance and making adjustments based on how it handles incoming traffic. You also need to consider the number of NAT clients while configuring the limit, as this can affect the number of connections. As a general recommendation, you should test your application with a variety of connection limits to find the optimal value that offers both protection and performance.

This method can effectively protect against DDoS attacks that involve a large number of connections, such as SYN floods.

Limiting the Request Size

You can use the limit_req directive to limit request rates in Nginx. This directive limits the request rate to a specified number of requests per second for a particular key, which is typically based on the client’s IP address.

The following is an example configuration that limits the request rate to 10 requests per second per IP address:

limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=5r/s;
server {
    ...
    limit_req zone=req_limit_per_ip burst=10 nodelay;
}

In this example, the limit_req_zone directive defines the rate limit zone, and the rate parameter sets the limit to five requests per second (10r/s). The ‘burst‘ parameter specifies the number of requests that are allowed to exceed the limit, and the nodelay parameter ensures that requests that exceed the limit are immediately rejected.

Your request rate limit should be fine-tuned to find the appropriate threshold that works for your application. You should start with a relatively low number of requests per second, such as five requests per second per IP address, and gradually increase the request rate until you find the optimal threshold.

Your server’s CPU and RAM consumption should also be monitored while fine-tuning the request rate limit. If the server is under too much load, you may need to reduce the request rate limit to prevent performance issues.

When implementing request rate limiting, you should choose an appropriate limit key that identifies the source of the request. The ‘limit_req_zone‘ directive defines the rate limit zone and the key used to identify the request.

By default, the ‘$binary_remote_addr‘ variable is used as the limit key, which is based on the client’s IP address. However, if your website uses a proxy or load balancer, you may need to use a different variable or combination of variables to ensure that the rate limit is applied correctly.

For example, if your website is behind a load balancer, you can use the ‘X-Forwarded-For‘ header as the limit key to identify the client’s IP address. The following is an example configuration that uses the X-Forwarded-For header as the limit key:

limit_req_zone $http_x_forwarded_for zone=req_limit_per_ip:10m rate=10r/s;
server {
    ...
    limit_req zone=req_limit_per_ip burst=5 nodelay;
}

Nginx Timeout Parameters

Setting limits on how long Nginx will wait for certain events to occur, such as establishing a connection or receiving a response from a server, can prevent resources from being consumed by connections that take too long to complete.

You can use the proxy_connect_timeout, proxy_send_timeout, and proxy_read_timeout directives to implement this method. For example, the following configuration sets the timeout parameters to 10 seconds:

server {
    ...
    proxy_connect_timeout10s;
    proxy_send_timeout 10s;
    proxy_read_timeout 10s;
}

However, these timeout parameters need to be chosen with care. If they are set too low, legitimate connections may be terminated prematurely. For the appropriate timeout value for your server, you also need to consider the average response time of your server and the maximum response time your users are willing to tolerate. Monitor your server logs, track response time metrics, and adjust the timeout parameters accordingly to find the right balance between security and usability.

This method can be effective at protecting against DDoS attacks that involve slow connections, such as Slowloris attacks.

Blacklisting and Whitelisting IP Ranges

Blacklisting and whitelisting IP ranges is a method of DDoS protection that involves specifying which IP addresses are allowed or denied access to your servers. Blacklisting involves blocking access to a particular range of IP addresses, while whitelisting involves only allowing access to a particular range of IP addresses.

To implement this method using Nginx, you can use the deny and allow directives. For example, the following configuration blocks access to all IP addresses except for those in the 192.0.2.0/24 range:

server {
    ...
    deny all;
    allow 192.0.2.0/24;
}

These directives must be used carefully, as blocking access to certain IP ranges could potentially affect legitimate users. When defining which IPs to block, monitor server logs for patterns of excessive requests from specific IPs, refer to IP reputation databases for known malicious IPs, and consider using geolocation data to block IP ranges associated with a high rate of DDoS attacks.

This could be useful if you’re experiencing a DDoS attack from a specific IP range or even from a specific country.

Blocking Access to a File Targeted by a DDoS Attack

Blocking access to a file targeted by a DDoS attack is a method of protection that involves denying access to a particular file or resource that is being targeted by the attack. This can help prevent the targeted file or resource from being overwhelmed and ensure that your servers remain available to legitimate users.

To implement this method using Nginx, you can use the location directive. For example, the following configuration blocks access to a file called targeted.txt:

server {
    ...
    location /targeted.txt {
        deny all;
    }
}

One way to protect against DDoS attacks is to block access to files that are not necessary for your website’s functionality. These could include backup files, resource-intensive media files, git files, source code directories, and configuration files, all of which could be potential targets for malicious access.

However, you need to make sure you don’t block access to critical files such as marketing pages and static files that are essential for your website’s functionality, as this could cause issues for legitimate users. Therefore, you should review your website’s file structure and identify which files could be potential targets for DDoS attacks.

This method can protect against DDoS attacks that involve targeting a particular file or resource, such as file injection attacks. However, it may not be effective against other types of attacks, such as volumetric attacks.

Conclusion

By following the instructions and code snippets we’ve provided in this article, you can effectively use Nginx to implement a variety of DDoS protection measures. With these measures, you can help ensure that your web application remains available and accessible to legitimate users, even in the face of a DDoS attack.

If you’re looking for an all-in-one DDoS solution at the L3, L4, and L7 layers, check out Gcore DDoS Protection. Out solution has over 1 Tbps total filtering capacity and blocks DDoS attack from the first request by sessions, not IPs. Keeps your websites, servers, and apps safe with us!

Request free trial of Gcore DDoS Protection

Written by Raushan Raj

Table of contents

Try Gcore DDoS Protection

Related articles

Best Practices for Multitenant SaaS Application Using Gcore Managed Kubernetes
Best Practices for Multitenant SaaS Application Using Gcore Managed Kubernetes
Many organizations host their software-as-a-service (SaaS) applications on a managed Kubernetes service using multitenant architecture. This architecture isolates computing, network,...
May 3, 2024 4 min read
Ways to Harm: Understanding DDoS Attacks from the Attacker’s View
Ways to Harm: Understanding DDoS Attacks from the Attacker’s View
Distributed denial-of-service (DDoS) attacks pose a significant challenge to digital security, aiming to overload systems with traffic and disrupt service....
April 19, 2024 8 min read
The Complete Guide to AI Model Cycle
The Complete Guide to AI Model Cycle
In today’s competitive market, many companies are looking to leverage Artificial Intelligence to tailor services perfectly to each customer’s preferences...
April 18, 2024 5 min read
Comprehensive Guide to Multi-Layered DDoS Protection Strategies
Comprehensive Guide to Multi-Layered DDoS Protection Strategies
Distributed denial-of-service (DDoS) attacks are becoming more sophisticated, employing a multi-pronged approach to overwhelm target systems. These attacks exploit vulnerabilities...
April 11, 2024 6 min read
How to Deploy AI Models at the Edge: Its Challenges and Effective Solutions
How to Deploy AI Models at the Edge: Its Challenges and Effective Solutions
Deploying AI models at the edge brings more innovative solutions closer to where data originates—whether in retail for personalized shopping...
April 10, 2024 4 min read
DDoS Attacks on Fintech: Business Impact and Mitigation Strategies
DDoS Attacks on Fintech: Business Impact and Mitigation Strategies
Financial technology (fintech) companies are changing how people manage and access their finances through innovative solutions. Since fintech companies are...
April 2, 2024 5 min read
How to Protect Your APIs from Security Threats
How to Protect Your APIs from Security Threats
In the ever-evolving tech landscape, APIs stand at the forefront, allowing seamless interaction between diverse software platforms. But here’s the...
March 29, 2024 3 min read
How to Perform Video Content Analysis for Insightful Data Extraction
How to Perform Video Content Analysis for Insightful Data Extraction
Ever wondered what secrets your video content holds? This guide is your friendly intro to the world of video content...
March 28, 2024 5 min read

Subscribe and discover the newest
updates, news, and features

We value your inbox and are committed to preventing spam