nginx 如何阻断这种轻量级 DDoS

nginx 如何阻断这种轻量级 DDoS

我有一个与电影相关的 Wordpress 网站,它有一个大型数据库(大约 15 万个帖子)。在重要的流量时段,我们有时会遭受小规模 DDoS 攻击,导致网站速度极慢,甚至瘫痪几分钟。

这次 DDoS 攻击针对的是网站的搜索功能,由于帖子数量众多,该功能耗费了大量资源。

由于我对 nginx 中的正则表达式不是很熟悉,我想知道如何阻止这种模式的请求(我审查了 IP,但它显然是一个僵尸网络):

107.xxx.xxx.xxx - - [26/Jan/2015:20:48:24 +0000] "GET /?s=Dog%20Days%20Double%20Dash HTTP/1.1" 200 12921 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firef$
79.xx.xxx.xxx - - [26/Jan/2015:20:48:29 +0000] "GET /?s=Dog%20Days%27%27 HTTP/1.1" 200 12908 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
77.xxx.xxx.xx - - [26/Jan/2015:20:48:48 +0000] "GET /?s=DragonBall%20Z%3A%20Movie%206 HTTP/1.1" 200 12921 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
68.xxx.xxx.xxx - - [26/Jan/2015:20:48:51 +0000] "GET /?s=DragonBall%20Z%3A%20Movie%207 HTTP/1.1" 200 12920 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
87.1xx.xxx.xxx - - [26/Jan/2015:20:49:02 +0000] "GET /?s=DragonBall%20Z%3A%20Super%20Saiyajin%20Songoku HTTP/1.1" 200 12944 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"

这显然是一种攻击,因为搜索字符串由一些随机单词组成,中间有 %20 个空格。如果用户输入带有空格的搜索字符串,wordpress 会将其替换为“+”号。所以它看起来像这样“/s=word1+word2+word3...

我提供的示例只是这些请求的片段。访问日志中有数百个这样的请求接踵而至。有时每秒多达 30 个。此外,这些 IP 来自世界各地,而我的访客中约 90% 来自德语国家

我想也许可以屏蔽那些“%20”,因为来自用户有效搜索请求的空格将被 Wordpress 替换为“+”

以下是另一个包含完整 IP 的访问日志片段:

84.120.1.249 - - [25/Jan/2015:20:21:49 +0000] "GET /?s=Dragon%20Ball%20Z%3A%20Film%2005 HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
93.116.219.207 - - [25/Jan/2015:20:21:49 +0000] "GET /?s=Dragon%20Ball%20Z%20Movie%207 HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
77.198.194.177 - - [25/Jan/2015:20:21:49 +0000] "GET /?s=Dragon%20Ball%20Z%20Movie%2004 HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
220.135.124.201 - - [25/Jan/2015:20:21:49 +0000] "GET /?s=Dragon%20Ball%20Z%20Kai HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
93.199.176.64 - - [25/Jan/2015:20:21:49 +0000] "GET /?s=Detektiv%20Conan%20Film%202%20Das%2014.%20Ziel HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
122.117.101.17 - - [25/Jan/2015:20:21:49 +0000] "GET /?s=Dragon%20Ball%20Z%20Movie%2003 HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
81.48.128.58 - - [25/Jan/2015:20:21:49 +0000] "GET /?s=Dragon%20Ball%20Z%20Movie%207 HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
94.248.215.168 - - [25/Jan/2015:20:21:49 +0000] "GET /?s=Detektiv%20Conan%20Film%2015%20Die%2015%20Minuten%20der%20Stille HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
87.97.29.170 - - [25/Jan/2015:20:21:49 +0000] "GET /?s=Dragon%20Ball%20Z%3A%20Dead%20Zone HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
79.5.183.62 - - [25/Jan/2015:20:21:50 +0000] "GET /?s=Dragon%20Ball%20Z%3A%20Film%2010 HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
2.8.52.254 - - [25/Jan/2015:20:21:50 +0000] "GET /?s=Dragon%20Ball%20Z%20Movie%208 HTTP/1.1" 499 0 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
151.32.105.251 - - [25/Jan/2015:20:21:50 +0000] "GET /?s=Detektiv%20Conan%20Film%2015%20Die%2015%20Minuten%20der%20Stille HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
88.167.158.37 - - [25/Jan/2015:20:21:50 +0000] "GET /?s=Dragon%20Ball%20Z%20Movie%2012 HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
175.142.209.188 - - [25/Jan/2015:20:21:50 +0000] "GET /?s=Detektiv%20Conan%20Movie%202%3A%20Das%2014.%20Ziel HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
24.150.82.126 - - [25/Jan/2015:20:21:50 +0000] "GET /?s=Dragon%20Ball%20Z%3A%20Film%2005 HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
80.99.0.149 - - [25/Jan/2015:20:21:50 +0000] "GET /?s=Dragon%20Ball%20Z%3A%20Dead%20Zone HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
109.192.242.158 - - [25/Jan/2015:20:21:50 +0000] "GET /?s=Dragon%20Ball%20Z%20Kai HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
109.61.92.185 - - [25/Jan/2015:20:21:50 +0000] "GET /?s=Dragon%20Ball%20Z%20Movie%208 HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
109.89.45.188 - - [25/Jan/2015:20:21:50 +0000] "GET /?s=Dragon%20Ball%20Z%20Movie%2012 HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
188.129.122.30 - - [25/Jan/2015:20:21:50 +0000] "GET /?s=Detektiv%20Conan%20Film%2015%20Die%2015%20Minuten%20der%20Stille HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
87.218.93.189 - - [25/Jan/2015:20:21:50 +0000] "GET /?s=Dragon%20Ball%20Z%3A%20Film%2004 HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
178.7.131.219 - - [25/Jan/2015:20:21:50 +0000] "GET /?s=Dragon%20Ball%20Z%3A%20Dead%20Zone HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"

答案1

好的,最后我只需将其添加到我的 nginx vhost 配置中即可阻止此 DDoS:

if ($arg_s ~ %20) { return 403; }

相关内容