If you dig through some old posts, it was established that the deny feature of nginx isn't very effective at limiting network activity. I deny at the firewall.
What remains is if you should deny dynamically or statically. Original Message From: c0nw0nk Sent: Tuesday, September 27, 2016 11:42 AM To: [email protected] Reply To: [email protected] Subject: Re: 444 return code and rate limiting It is a response by the time the 444 is served it is to late a true DDoS is not about what the server outputs its about what it can receive you can't expect incoming traffic that amounts to 600Gbps to be prevented by a 1Gbps port it does not work like that Nginx is an Application preventing any for of DoS at an application level is a bad idea it needs to be stopped at a router level before it hits the server to consume your receiving capacity of 1Gbps. Adding IP address denies for DDoS to the Nginx .conf file at the application level is to late still also the connection has been made the request headers / data of 100kb or less what ever the client sent has been received on your 1Gig port its already consuming your connection. The only scenario I can think of where returning 444 is a good idea is under a single IP flooding "DoS" because then your not increasing your ports bandwidth output responding to someone who is opening and closing a connection, But in this scenario its more like they are trying to make your server DoS itself by making it max out its own outgoing bandwidth to just their connection alone so nobody else can receive anything. Posted at Nginx Forum: https://forum.nginx.org/read.php?2,269873,269879#msg-269879 _______________________________________________ nginx mailing list [email protected] http://mailman.nginx.org/mailman/listinfo/nginx _______________________________________________ nginx mailing list [email protected] http://mailman.nginx.org/mailman/listinfo/nginx
