I'm looking for advice on how to defend against HTTP flood attacks targeting my web server. I currently use NGINX and have set a limit allowing only 3 requests per second from each IP address. However, during testing, it still seems too lenient, as I can overwhelm other applications. What are your thoughts on this setup and what additional measures could I take?
5 Answers
If you're considering alternatives, Cloudflare's free tier with a WAF rule for managed challenges can help a lot. For something self-hosted, you might want to look into Anubis.
Honestly, 3 requests per second isn't very restrictive at all. In my experience, I’ve handled up to 5000 requests per second, which filled my logs in just hours. I ended up using Anubis as a solution.
Have you thought about using Cloudflare? Their services can help mitigate these kinds of attacks effectively.
It's really about finding the bottleneck. If it's bandwidth, you might need to upgrade. For compute power, consider adding caching or more servers. If it's a malicious attack, a web application firewall (WAF) is essential. A service like Cloudflare can be crucial if your connection is overwhelmed!
Rate limiting per IP is a decent first step, but it usually isn't adequate for HTTP floods since attackers change IPs frequently. One effective strategy we've used is to set stricter limits on more 'expensive' endpoints, like those hitting the database.

Yeah, 3 requests per second feels like a couple of folks sharing the app from the same office. You might need to tighten that up.
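
As an added example (not posted by anyone in the thread), this is one way to combine the question's per-IP limit with the stricter limits on expensive endpoints suggested above. It goes one step further by capping the expensive endpoint as a whole, because per-IP limits stop helping once sources rotate addresses. Zone names, rates, the `/api/search` path and the backend address are assumptions.

```nginx
# Added example. Zone names, rates, the /api/search path and the
# backend address are assumptions, not values from the thread.
events {}

http {
    # Baseline from the question: 3 requests/second per client IP.
    limit_req_zone $binary_remote_addr zone=per_ip:10m rate=3r/s;

    # Tighter per-IP budget for expensive, database-backed endpoints.
    limit_req_zone $binary_remote_addr zone=expensive_ip:10m rate=30r/m;

    # Cap on the endpoint as a whole, keyed on the server name rather
    # than the client, so it still holds when sources rotate addresses.
    limit_req_zone $server_name zone=expensive_all:1m rate=50r/s;

    # Concurrent connections per IP (slow or held-open requests).
    limit_conn_zone $binary_remote_addr zone=conn_ip:10m;

    limit_req_status 429;      # default is 503; 429 is easier to spot in logs
    limit_conn_status 429;
    limit_req_log_level warn;

    server {
        listen 80;
        server_name example.com;

        limit_conn conn_ip 20;

        # Cheap pages: allow a short burst (page plus assets) without delay.
        location / {
            limit_req zone=per_ip burst=10 nodelay;
            proxy_pass http://127.0.0.1:8080;
        }

        # Expensive endpoint: a request must pass both limits.
        location /api/search {
            limit_req zone=expensive_ip burst=5 nodelay;
            # No nodelay here: excess is queued and paced to 50 r/s,
            # which shields the database at the cost of added latency.
            limit_req zone=expensive_all burst=100;
            proxy_pass http://127.0.0.1:8080;
        }
    }
}
```

Rejected requests appear in the error log as `limiting requests, excess: ... by zone "..."`, which shows which zone is doing the work and whether the rates need adjusting.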