HTTP flood drop with nginx

The other day at ${DAYWORK} we got hit by a simple yet efficient DDoS attack, basically, there were lots of regular HTTP queries with a specific query parameter but using either GET, POST or HEAD methods:

www.customer.com:443:80 174.76.48.233 - - [19/Mar/2020:17:26:11 +0000] "POST /?=Best_HTTP_Flooder_For_FREE_by_PassDDoS&9716 HTTP/1.0" 200 62861 "http://validator.w3.org/feed/check.cgi?url=https://www.customer.com" 

Fortunately, the parameter was always the same, and as we use an nginx reverse proxy farm in front of our customer’s websites, we could deploy this simple trick in order to get rid of the attack:

if ( $args ~ "Best_HTTP" ) { return 419; }

Adding this rule to the location / section got rid of the attack.