You can set up a DDoS-protection tool that allows blocking IP addresses that send too many requests. This feature is available only on Nginx. For more information please refer to the article Install a web-server.
To enable the DDoS protection tool, open the WWW-domain edit form and select the Enable DDoS protection checkbox.
For more information please refer to the article Create a WWW-domain.
The ngx_http_limit_req_module module allows limiting the rate of requests by the specified key or requests from a certain IP address.
The module creates a zone for every domain and specifies the maximum peak attack size (burst). Extra requests are delayed until their number exceed the maximum peak. The request is terminated with error 503 (Service Temporarily Unavailable).
The settings are added into
Nginx configuration file
limit_req_zone $binary_remote_addr zone=<WWW-domain name>:<zone size> rate=<requests per second>r/s
In
Nginx configuration file
limit_req zone=<WWW-domain name> burst=<Maximum peak attack size>;
error_page 503 =429 @blacklist;
The location @blacklist section is created in
Nginx configuration file
location @blacklist {
proxy_redirect off ;
proxy_pass https://<IP address>:<port>;
rewrite (.*) /mancgi/ddos break;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X_ISP_FIREWALLSEC <key for ISPmanager>;
If the request limit is exceeded:
Note: ipset is not available on OpenVZ. Therefor, you can use only tools provided by Nginx
The following rule is created in iptables
DROP all -- anywhere anywhere match-set ispmgr_limit_req src
The following rule is created in ip6tables:
ip6tables
DROP all -- anywhere anywhere match-set ispmgr_limit_req6 src
ispmgr_limit_req and ispmgr_limit_req6 with the following parameters are added into ipset hash:ip (IP address) and timeout 300 (block time is seconds).
The following record is added into the /usr/local/mgr5/var/ddos.log log:
Block log
WARNING Address (<IP address>) is blacklisted
Execute the command to check the list contents:
ipset -L ispmgr_limit_req
The "Members" filed of the command output will show blacklisted IPs and the time until unblocking.
To change the block period, perform the following steps:
1. Add the following parameter to the ISPmanager configuration file (the default location is /usr/local/mgr5/etc/ispmgr.conf):
ISPmanager configuration file
isp_limitreq_timeout <block period in seconds>
2. In iptables find the number of the ispmgr_limit_req src rule:
iptables -L INPUT --line-numbers
3. Delete the rule:
iptables -D INPUT <rule number>
4. In ip6tables find the number of the ispmgr_limit_req6 src rule:
ip6tables -L INPUT --line-number
5. Delete the rule:
ip6tables -D INPUT <rule number>
6. Delete the rules from ipset:
ipset destroy ispmgr_limit_req
ipset destroy ispmgr_limit_req6
7. Update the firewall rules in ISPmanager:
/usr/local/mgr5/sbin/mgrctl -m ispmgr firewall