Yeah I agree, basically it is not easy to take down nginx with such an attack. The question is still there, what kind of limitations do we have to put in place to avoid such an abuser?<div><br></div><div>My consideration:</div>
<div><br></div><div>-firewall -> max connection by ips</div><div>-firewall -> syn proxy(to avoid syn attacks)</div><div>-firewall -> connection rate</div><div>-OS -> max open sockets by processes </div><div>-OS -> tcp/ip stack tuning, allocated memory</div>
<div>-OS -> max CPU time</div><div>-OS -> max used memory(slightly different terminology all across unixes)</div><div>-webserver-> max fds, running workers etc.</div><div><br></div><div><br></div><div>Basically you have to have a multi layer limitation to avoid resource abusing and then you can sleep well :)</div>
<div><br></div><div><br></div><div>Regards,</div><div>Istvan</div><div><br><br><div class="gmail_quote">On Tue, Jun 23, 2009 at 9:09 AM, Weibin Yao <span dir="ltr"><<a href="mailto:nbubingo@gmail.com">nbubingo@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div class="im">István at 2009-6-23 15:46 wrote:<br>
</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">
I am not able to reproduce this. The server is answering and serving<br>
<br></div>
./slowloris.pl -dns <a href="http://doma.in" target="_blank">doma.in</a> <<a href="http://doma.in" target="_blank">http://doma.in</a>> -port 80 -timeout 2 -num 10000<div class="im"><br>
<br>
The load is zero, there is not even a delay in the response time. Would you mind to share your slowloris.pl command and/or the nginx relevant config, OS type and version, sysctl.conf(or equivalent).<br>
<br>
It would be also nice to know what the nginx is doing in that time, do you have dtrace on that node? Enable debug level logging in nginx is a really bad idea if you have 5000 requests...<br>
<br>
/"But if you have enough attack computers, you also can make a Nginx server deny service."/<br>
/<br>
/<br></div>
If you have enough computer you can take down even <a href="http://google.com" target="_blank">google.com</a> <<a href="http://google.com" target="_blank">http://google.com</a>>, this is not relevant to this conversation, moreover the slowloris is a dedicated tool to low bandwith/low amount of computers attacks.<br>
<br>
</blockquote>
I'm sorry for my misunderstanding with your last mail. My meaning is that Nginx has much better performance under such attack.<br>
<br>
In my test case, I reduce the worker_connections to only 1024 because I just have one attack computer.<br>
<br>
And my test script is:<br>
./slowloris.pl -dns <a href="http://doma.in" target="_blank">doma.in</a> <<a href="http://doma.in" target="_blank">http://doma.in</a>> -port 80 -timeout 30 -num 10000 -tcpto 5<br>
:-P<br>
<br>
-- <br><font color="#888888">
Weibin Yao<br>
<br>
<br>
<br>
</font></blockquote></div><br><br clear="all"><br>-- <br>the sun shines for all<br>
</div>