HTTP flood drop with nginx
by Emile `iMil' Heitor - 2020-03-21
The other day at ${DAYWORK} we got hit by a simple yet efficient DDoS attack. Basically, there were lots of regular HTTP queries with a specific query parameter but using either GET, POST or HEAD methods:
www.customer.com:443:80 174.76.48.233 - - [19/Mar/2020:17:26:11 +0000] "POST /?=Best_HTTP_Flooder_For_FREE_by_PassDDoS&9716 HTTP/1.0" 200 62861 "http://validator.w3.org/feed/check.cgi?url=https://www.customer.com"
Fortunately, the parameter was always the same, and as we use an nginx reverse proxy farm in front of our customer’s websites, we could deploy this simple trick in order to get rid of the attack:
if ( $args ~ "Best_HTTP" ) { return 419; }
Adding this rule to the location / section got rid of the attack.
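One way to find the constant query parameter such a rule can match on is sketched below. It is an added example, not code from the original post. It parses access-log lines in the format shown above and reports query-string tokens present in most requests, across methods. The sample lines, the 50% threshold and the function names are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in the log format shown above (documentation IP ranges).
SAMPLE_LOG = """\
www.customer.com:443:80 192.0.2.10 - - [19/Mar/2020:17:26:11 +0000] "POST /?=Best_HTTP_Flooder_For_FREE_by_PassDDoS&9716 HTTP/1.0" 200 62861 "-"
www.customer.com:443:80 192.0.2.11 - - [19/Mar/2020:17:26:11 +0000] "GET /?=Best_HTTP_Flooder_For_FREE_by_PassDDoS&1204 HTTP/1.0" 200 62861 "-"
www.customer.com:443:80 192.0.2.12 - - [19/Mar/2020:17:26:12 +0000] "HEAD /?=Best_HTTP_Flooder_For_FREE_by_PassDDoS&8831 HTTP/1.0" 200 0 "-"
www.customer.com:443:80 198.51.100.7 - - [19/Mar/2020:17:26:12 +0000] "GET /blog/?page=2 HTTP/1.1" 200 5120 "-"
www.customer.com:443:80 198.51.100.8 - - [19/Mar/2020:17:26:13 +0000] "GET /index.html HTTP/1.1" 200 4096 "-"
"""

# The request is the first quoted field: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def query_tokens(target):
    """Split the query string on '&' and '=' and drop empty pieces."""
    query = urlsplit(target).query
    return {tok for tok in re.split(r"[&=]", query) if tok}

def dominant_tokens(lines, min_share=0.5):
    """Return {token: sorted methods} for tokens seen in >= min_share of requests."""
    total, hits, methods = 0, Counter(), defaultdict(set)
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue  # skip lines without a parsable request field
        total += 1
        for tok in query_tokens(m["target"]):
            hits[tok] += 1
            methods[tok].add(m["method"])
    # Per-request random values (9716, 1204, ...) fall below the threshold.
    return {t: sorted(methods[t]) for t, n in hits.items() if n / total >= min_share}

def nginx_rule(token):
    """Format the post's rule for a token; refuse tokens that would need escaping."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", token):
        raise ValueError("token needs manual regex/config escaping")
    return 'if ( $args ~ "%s" ) { return 419; }' % token

if __name__ == "__main__":
    for tok, meths in dominant_tokens(SAMPLE_LOG.splitlines()).items():
        print(tok, meths, nginx_rule(tok))
```

A token that also appears in legitimate traffic would block real users, so check the reported token against normal logs before deploying the rule.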