Ispmanager 6 lite, pro, host documentation

DDoS protection

DDoS (distributed denial of service) is an attack in which the attacker floods a server or a resource with a large number of requests in order to overload it and make it unavailable to legitimate clients.

In ispmanager, DDoS protection is enforced by the web server. It can be configured when a site is served by Nginx or OpenLiteSpeed.

The two web servers react differently: Nginx blocks access to the server from the offending IP address completely, whereas OpenLiteSpeed only limits the bandwidth available to that IP.

Enable DDoS protection

On the site edit form, go to Optimization and DDoS protection, check the Enable DDoS protection box and set its parameters.

Parameters for Nginx

  • Requests per second (rate) — the maximum number of requests per second from one IP address that Nginx processes without delay.
  • Maximum peak attack size (burst) — the maximum number of requests above that rate from one IP address that can be queued; requests arriving when the queue is full are rejected.

Parameters for OpenLiteSpeed

  • Requests per second — the maximum number of requests per second from one IP address that can be processed. Once this number is reached, all further requests from that IP are rejected until the next second starts.
  • Bandwidth, byte/sec — maximum allowable bandwidth per IP-address. The actual bandwidth can be slightly higher due to optimization. The value is rounded up in 4KB increments. Setting the value to 0 disables this limit.

The following directives are used in OpenLiteSpeed configuration files:

  • staticReqPerSec XXX — limits the number of static requests per second;
  • dynReqPerSec XXX — limits the number of dynamic requests per second;
  • outBandwidth XXX — limits the outgoing throughput;
  • inBandwidth XXX — limits the incoming throughput.

Technical details for Nginx

The protection is implemented with ngx_http_limit_req_module, which limits the rate of requests per key. ispmanager uses the client IP address ($binary_remote_addr) as the key, so the limit applies per IP address.

Requests limiting

From ispmanager 6.74.0, limiting only applies to dynamic requests.

1. Setting a shared memory zone.

When DDoS protection is enabled, a shared memory zone (zone) and a maximum request processing rate (rate) are defined in the configuration file <path to Nginx directory>/conf.d/isplimitreq.conf:

limit_req_zone $binary_remote_addr zone=<website name>:<zone size> rate=<number of requests per second>r/s;

The shared memory zone stores the state for each IP address that has sent requests, which is what lets Nginx track the request rate per IP address over time.

2. Processing incoming requests.

When a client sends a request to a website, it is processed based on the website configuration file /etc/nginx/vhosts/<username>/<website name>.conf. If dynamic content is requested, the request is handled by the @fallback location:

	location ~ [^/]\.ph(p\d*|tml)$ {
		try_files /does_not_exists @fallback;
	}
	location / {
		try_files /does_not_exists @fallback;
	}
	location @fallback {
		include /etc/nginx/vhosts-resources/example.ru/dynamic/*.conf;
		# the remaining directives of this location are not shown here
	}

3. Applying the limit.

The @fallback location uses directives from the file <path to Nginx directory>/vhosts-resources/<website name>/dynamic/reqlimit.conf:

limit_req_status 429;
error_page 429 @blacklist;
limit_req zone=<website name> burst=<maximum burst size>;

Each request is accounted in the shared memory zone. While the request rate from an IP address stays within the limit, requests are served immediately. Requests arriving faster than the rate are queued and delayed so that they are released at the configured rate; once the queue already holds burst requests, further requests are rejected with status 429 (Too Many Requests), as set by limit_req_status, and the error_page directive hands the rejected request to the @blacklist location.

4. Blacklisting.

@blacklist is defined in <path to Nginx directory>/vhosts-includes/blacklist-nginx.conf:

location @blacklist {
	proxy_redirect off;
	proxy_pass http://unix:/usr/local/mgr5/tmp/ddos.sock;
	proxy_set_header Host $host;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto $scheme;
	proxy_set_header X_ISP_FIREWALLSEC <ispmanager key>;
}

Nginx proxies every request that reaches @blacklist to the Unix socket ddos.sock. That socket is served by the ddos process, which performs the IP address blocking described below.
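The effect of the rate and burst parameters, and the queue/429 behaviour of steps 1 to 3 above, can be examined without a live server. The script below is an added example, not code from ispmanager or from this page: it re-implements, in POSIX shell, the per-IP accounting of ngx_http_limit_req_module. The internal details it assumes (rate and the "excess" counter kept scaled by 1000, a rejected request leaving the stored state untouched, queued requests delayed unless nodelay is set) are taken from the nginx module's source, not from this page; the request timestamps are constructed sample data.

```shell
#!/bin/sh
# Added example (not ispmanager code): simulates how ngx_http_limit_req_module
# accounts requests from one client IP for a given rate and burst.
# Assumption: the arithmetic mirrors nginx's leaky bucket, which keeps the rate
# and the "excess" counter scaled by 1000 (one request = 1000 units).

# limit_req_sim RATE BURST
#   Reads one request timestamp (milliseconds) per line on stdin, all from the
#   same IP, and prints "<ts> pass delay=<ms>" or "<ts> 429" per request.
limit_req_sim() {
    rate=$(( $1 * 1000 ))    # requests per second, scaled by 1000
    burst=$(( $2 * 1000 ))   # queue capacity, scaled the same way
    excess=0                 # how far ahead of the allowed rate this IP is
    last=""                  # timestamp of the last accepted request
    while read -r ts; do
        [ -n "$ts" ] || continue
        if [ -z "$last" ]; then
            # first request from this IP: a new zone entry, nothing queued yet
            last=$ts
            echo "$ts pass delay=0"
            continue
        fi
        ms=$(( ts - last ))
        [ "$ms" -ge 0 ] || ms=0
        # drain the bucket by what the elapsed time allows, then add this request
        new=$(( excess - rate * ms / 1000 + 1000 ))
        [ "$new" -ge 0 ] || new=0
        if [ "$new" -gt "$burst" ]; then
            # queue full: rejected with limit_req_status (429 in ispmanager's
            # reqlimit.conf); the stored state is left unchanged
            echo "$ts 429"
            continue
        fi
        excess=$new
        [ "$ms" -eq 0 ] || last=$ts
        # without "nodelay" a queued request is held until it fits the rate
        echo "$ts pass delay=$(( excess * 1000 / rate ))"
    done
}

# count_rejected RATE BURST: number of 429 responses for the requests on stdin
count_rejected() {
    limit_req_sim "$1" "$2" | grep -c ' 429$'
}

# Constructed sample: 10 requests in the same millisecond from one IP,
# then one more request two seconds later.
SAMPLE='0
0
0
0
0
0
0
0
0
0
2000'

# Usage. With rate=5 and burst=3, 4 requests pass (1 immediately, 3 queued
# with growing delay), 6 are rejected with 429, and the request sent 2 s
# later passes again because the queue has drained in the meantime.
printf '%s\n' "$SAMPLE" | limit_req_sim 5 3
```

Raising burst to 10 makes every request of the sample pass, at the price of the last queued one being delayed by almost two seconds; this is the trade-off the two parameters control.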

IP-address blocking 

IP addresses are blocked with the following utilities:

  • iptables for IPv4 addresses;
  • ip6tables for IPv6 addresses;
  • ipset, which holds the sets of blocked addresses.

The ipset utility is not available on OpenVZ, so on OpenVZ containers only the protection provided by Nginx itself (delaying and rejecting requests) is available.

During ispmanager initial setup, two sets are created in ipset: ispmgr_limit_req (for IPv4-addresses) and ispmgr_limit_req6 (for IPv6-addresses):

ispmgr_limit_req
Name: ispmgr_limit_req
Type: hash:ip
Revision: <number_of_revision>
Header: family inet hashsize <hashsize> maxelem <maximum_number_of_elements> timeout <time> bucketsize <size_of_bucket> initval <initial_value>
Size in memory: <memory_size>
References: <number_of_references_to_hash_table>
Number of entries: <number_of_entries_in_hash_table>
Members: <entries>
ispmgr_limit_req6
Name: ispmgr_limit_req6
Type: hash:ip
Revision: <number_of_revision>
Header: family inet6 hashsize <hashsize> maxelem <maximum_number_of_elements> timeout <time> bucketsize <size_of_bucket> initval <initial_value>
Size in memory: <memory_size>
References: <number_of_references_to_hash_table>
Number of entries: <number_of_entries_in_hash_table>
Members: <entries>

In iptables and ip6tables, a rule is created in the INPUT chain that drops all packets whose source address is in the corresponding set:

iptables
DROP all -- anywhere anywhere match-set ispmgr_limit_req src
ip6tables
DROP all -- anywhere anywhere match-set ispmgr_limit_req6 src

Blocked IP addresses are also recorded in the log /usr/local/mgr5/var/ddos.log.

IP addresses are blocked as follows:

  1. When the number of excess requests from an IP address exceeds the burst size, Nginx hands the request to @blacklist, which passes it over ddos.sock to the ddos process.
  2. ddos calls ipset.
  3. The IP address the excess requests come from is added to the matching set in ipset and written to the log.
  4. The iptables and ip6tables rules then drop all packets from this IP address for as long as its entry remains in the set.

To see the list of blocked addresses, run one of the commands:

For IPv4-addresses
ipset -L ispmgr_limit_req
For IPv6-addresses
ipset -L ispmgr_limit_req6

Edit the block period

The block period is the timeout of the ipset sets shown above. By default, IP addresses that excess requests come from are blocked for 300 seconds (5 minutes). To change the block period:

1. Add the following parameter to the ispmanager configuration file (the default location is /usr/local/mgr5/etc/ispmgr.conf):

isp_limitreq_timeout <block period in seconds>

2. In iptables find the number of the rule that matches ispmgr_limit_req src:

iptables -L INPUT --line-numbers

3. Delete the rule:

iptables -D INPUT <rule number>

4. In ip6tables find the number of the rule that matches ispmgr_limit_req6 src:

ip6tables -L INPUT --line-numbers

5. Delete the rule:

ip6tables -D INPUT <rule number>

6. Destroy the sets in ipset (ipset refuses to destroy a set while an iptables rule still references it, which is why the rules are deleted first):

ipset destroy ispmgr_limit_req
ipset destroy ispmgr_limit_req6

7. Update the firewall rules in ispmanager so that the sets and the rules are re-created:

/usr/local/mgr5/sbin/mgrctl -m ispmgr firewall
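The seven steps above can be scripted so that the rule numbers are read rather than typed and the procedure is repeatable. The script below is an added example, not part of ispmanager. It assumes the paths and set names given on this page, that it runs as root on the ispmanager host, and that its DRY_RUN variable and the sample iptables listing are constructs of the example; the listing shows the shape of iptables -L INPUT --line-numbers output, not data from a real host.

```shell
#!/bin/sh
# Added example, not part of ispmanager: scripts the block-period change
# described in steps 1-7 above. Assumptions: paths and set names are the ones
# on this page, the script runs as root on the ispmanager host, and with
# DRY_RUN=1 the commands that change the firewall are only printed.
set -u

ISPMGR_CONF=${ISPMGR_CONF:-/usr/local/mgr5/etc/ispmgr.conf}
MGRCTL=${MGRCTL:-/usr/local/mgr5/sbin/mgrctl}

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# set_block_timeout FILE SECONDS
#   Adds isp_limitreq_timeout to FILE, or replaces an existing value, so that
#   running the script twice does not leave duplicate lines.
set_block_timeout() {
    if grep -q '^isp_limitreq_timeout ' "$1"; then
        sed -i "s/^isp_limitreq_timeout .*/isp_limitreq_timeout $2/" "$1"
    else
        printf 'isp_limitreq_timeout %s\n' "$2" >> "$1"
    fi
}

# rule_numbers LISTING SETNAME
#   LISTING is the output of "iptables -L INPUT --line-numbers"; prints the
#   numbers of the rules that match "match-set SETNAME src", highest first,
#   because deleting a rule renumbers every rule after it. The trailing " src"
#   stops ispmgr_limit_req from also matching ispmgr_limit_req6.
rule_numbers() {
    printf '%s\n' "$1" | awk -v pat="match-set $2 src" '
        $1 ~ /^[0-9]+$/ && index($0, pat) { print $1 }' | sort -rn
}

# drop_set_rules IPTABLES SETNAME
#   Deletes every INPUT rule referencing the set, then destroys the set.
#   ipset refuses to destroy a set that a rule still references, which is why
#   the order matters; -n skips reverse DNS lookups when listing.
drop_set_rules() {
    for n in $(rule_numbers "$("$1" -n -L INPUT --line-numbers)" "$2"); do
        run "$1" -D INPUT "$n"
    done
    run ipset destroy "$2"
}

# change_block_period SECONDS: the whole procedure, steps 1 to 7.
change_block_period() {
    set_block_timeout "$ISPMGR_CONF" "$1"
    drop_set_rules iptables ispmgr_limit_req
    drop_set_rules ip6tables ispmgr_limit_req6
    run "$MGRCTL" -m ispmgr firewall
}

# Constructed sample listing (not taken from a real host) used to show what
# rule_numbers extracts; a real IPv4 table would not carry the IPv6 set.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    DROP       all  --  0.0.0.0/0            0.0.0.0/0            match-set ispmgr_limit_req6 src
3    DROP       all  --  0.0.0.0/0            0.0.0.0/0            match-set ispmgr_limit_req src
4    DROP       all  --  0.0.0.0/0            0.0.0.0/0            match-set ispmgr_limit_req src'

# Usage: show the parse on the sample, then, if a period was given, apply it.
#   DRY_RUN=1 sh change_block_period.sh 600   prints the commands only
rule_numbers "$SAMPLE_LISTING" ispmgr_limit_req    # prints 4 then 3
if [ -n "${1:-}" ]; then
    change_block_period "$1"
fi
```

Run it first with DRY_RUN=1 to see which rules would be deleted; the set names are matched with the trailing " src" precisely because ispmgr_limit_req is a prefix of ispmgr_limit_req6.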