You can set up a DDoS-protection tool that allows blocking IP addresses that send too many requests. This feature is available only on Nginx. For more information please refer to the article Install a web-server.
To enable the DDoS protection tool, open the WWW-domain edit form and select the Enable DDoS protection checkbox.
- Requests per second — if the limit is exceeded, requests from the IP address will be delayed for 5 minutes;
- Maximum peak attack size — if the limit is exceeded, new requests will be blocked.
For more information please refer to the article Create a WWW-domain.
The ngx_http_limit_req_module module allows limiting the rate of requests by the specified key or requests from a certain IP address.
How it works
The module creates a zone for every domain and sets the maximum peak attack size (burst). Requests that exceed the configured rate are delayed until their number exceeds the burst value; any request beyond that is terminated with error 503 (Service Temporarily Unavailable).
The settings are added into <path to the Nginx directory>/conf.d/isplimitreq.conf:
The zone size is calculated as follows:
E.g., if the requests per second value is 500, the zone size is 500 * 64k, i.e. 32000k.
In <path to the Nginx directory>/vhosts-resources/<domain name>:
@blacklist — location for the redirect in case of error 503 (if the maximum number of requests from a certain IP address has been exceeded).
The location @blacklist section is created in <path to the Nginx directory>/vhosts-includes/blacklist-nginx.conf with the following contents:
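As an added illustration, not the configuration ISPmanager generates, here is a minimal Nginx setup in the shape described above; the zone name, rate, burst value, upstream address and the way @blacklist hands the client address to the /mancgi/ddos script are assumptions.

```nginx
# http context (the role of conf.d/isplimitreq.conf): one zone per domain,
# keyed by client address. Zone size follows the rule above:
# requests per second * 64k, so 500 r/s -> 32000k. Zone name is assumed.
limit_req_zone $binary_remote_addr zone=example_com:32000k rate=500r/s;

server {
    listen 80;
    server_name example.com;

    location / {
        # burst = maximum peak attack size. Requests above the rate are
        # queued (delayed) up to burst; anything beyond that gets a 503.
        # No "nodelay", so excess requests are slowed down, not passed through.
        limit_req zone=example_com burst=100;
        # Log limited requests to the error log so blocking can be audited.
        limit_req_log_level warn;
        # Send the 503 to the blacklist location.
        error_page 503 @blacklist;
        proxy_pass http://127.0.0.1:8080;   # assumed backend
    }

    # Role of vhosts-includes/blacklist-nginx.conf: pass the offending address
    # to the blocking script. How the script is reached is an assumption here.
    location @blacklist {
        proxy_pass http://127.0.0.1:1500/mancgi/ddos?ip=$remote_addr;
    }
}
```

Run `nginx -t` after editing to validate the syntax before reloading.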
IP address blocking
If the request limit is exceeded:
- The IP address from which the requests are received is passed to the /mancgi/ddos script. The script blocks the IP for 5 minutes.
The system blocks IP addresses using iptables for IPv4, ip6tables for IPv6, and ipset.
The following rule is created in iptables:
The following rule is created in ip6tables:
The ipset sets ispmgr_limit_req and ispmgr_limit_req6 are created with the parameters hash:ip (a set of IP addresses) and timeout 300 (block time in seconds).
The following record is added into the /usr/local/mgr5/var/ddos.log log:
Execute the command to check the list contents:
The "Members" field of the command output will show the blacklisted IPs and the time remaining until unblocking.
Edit the block period
To change the block period, perform the following steps:
1. Add the following parameter to the ISPmanager configuration file (the default location is /usr/local/mgr5/etc/ispmgr.conf):
2. In iptables find the number of the ispmgr_limit_req src rule:
3. Delete the rule:
4. In ip6tables find the number of the ispmgr_limit_req6 src rule:
5. Delete the rule:
6. Delete the rules from ipset:
7. Update the firewall rules in ISPmanager: