ok, finalmente consegui bloquear esse DDoS simplesmente adicionando isso à minha configuração niganx vhost:
if ($arg_s ~ %20) { return 403; }
Eu tenho um site Wordpress relacionado a filmes rodando com um grande banco de dados (cerca de 150 mil posts). Durante alguns dias, durante as importantes horas de tráfego, somos atingidos por um DDoS de pequena escala que diminui a velocidade do site ou faz com que ele diminua por alguns minutos.
Este ataque DDoS tem como alvo a função de pesquisa do nosso site, que usa muitos recursos devido a muitos posts.
Como não estou muito familiarizado com a regex no nginx, queria saber como bloquear essas solicitações (censurei os IPs, mas é claramente uma botnet):
107.xxx.xxx.xxx - - [26/Jan/2015:20:48:24 +0000] "GET /?s=Dog%20Days%20Double%20Dash HTTP/1.1" 200 12921 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firef$
79.xx.xxx.xxx - - [26/Jan/2015:20:48:29 +0000] "GET /?s=Dog%20Days%27%27 HTTP/1.1" 200 12908 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
77.xxx.xxx.xx - - [26/Jan/2015:20:48:48 +0000] "GET /?s=DragonBall%20Z%3A%20Movie%206 HTTP/1.1" 200 12921 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
68.xxx.xxx.xxx - - [26/Jan/2015:20:48:51 +0000] "GET /?s=DragonBall%20Z%3A%20Movie%207 HTTP/1.1" 200 12920 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
87.1xx.xxx.xxx - - [26/Jan/2015:20:49:02 +0000] "GET /?s=DragonBall%20Z%3A%20Super%20Saiyajin%20Songoku HTTP/1.1" 200 12944 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
é claramente um ataque porque a string de pesquisa consiste em algumas palavras aleatórias com esses% 20 espaços entre eles. Se um usuário inserir uma string de pesquisa com espaços em branco, o wordpress os substituirá por "+". então ficaria assim "/ s = word1 + word2 + word3 ...
O exemplo que forneci é apenas um fragmento dessas solicitações. No log de acesso são centenas dessas solicitações após o outro. às vezes até 30 por segundo. Além disso, esses ips vêm de todo o mundo, e cerca de 90% dos meus visitantes vêm de países de língua alemã
Pensei em talvez bloquear os "% 20", pois os espaços em branco provenientes de solicitações de pesquisa válidas de usuários serão substituídos por "+" pelo Wordpress
aqui está outro trecho do log de acesso com ips completos:
84.120.1.249 - - [25/Jan/2015:20:21:49 +0000] "GET /?s=Dragon%20Ball%20Z%3A%20Film%2005 HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
93.116.219.207 - - [25/Jan/2015:20:21:49 +0000] "GET /?s=Dragon%20Ball%20Z%20Movie%207 HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
77.198.194.177 - - [25/Jan/2015:20:21:49 +0000] "GET /?s=Dragon%20Ball%20Z%20Movie%2004 HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
220.135.124.201 - - [25/Jan/2015:20:21:49 +0000] "GET /?s=Dragon%20Ball%20Z%20Kai HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
93.199.176.64 - - [25/Jan/2015:20:21:49 +0000] "GET /?s=Detektiv%20Conan%20Film%202%20Das%2014.%20Ziel HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
122.117.101.17 - - [25/Jan/2015:20:21:49 +0000] "GET /?s=Dragon%20Ball%20Z%20Movie%2003 HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
81.48.128.58 - - [25/Jan/2015:20:21:49 +0000] "GET /?s=Dragon%20Ball%20Z%20Movie%207 HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
94.248.215.168 - - [25/Jan/2015:20:21:49 +0000] "GET /?s=Detektiv%20Conan%20Film%2015%20Die%2015%20Minuten%20der%20Stille HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
87.97.29.170 - - [25/Jan/2015:20:21:49 +0000] "GET /?s=Dragon%20Ball%20Z%3A%20Dead%20Zone HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
79.5.183.62 - - [25/Jan/2015:20:21:50 +0000] "GET /?s=Dragon%20Ball%20Z%3A%20Film%2010 HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
2.8.52.254 - - [25/Jan/2015:20:21:50 +0000] "GET /?s=Dragon%20Ball%20Z%20Movie%208 HTTP/1.1" 499 0 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
151.32.105.251 - - [25/Jan/2015:20:21:50 +0000] "GET /?s=Detektiv%20Conan%20Film%2015%20Die%2015%20Minuten%20der%20Stille HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
88.167.158.37 - - [25/Jan/2015:20:21:50 +0000] "GET /?s=Dragon%20Ball%20Z%20Movie%2012 HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
175.142.209.188 - - [25/Jan/2015:20:21:50 +0000] "GET /?s=Detektiv%20Conan%20Movie%202%3A%20Das%2014.%20Ziel HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
24.150.82.126 - - [25/Jan/2015:20:21:50 +0000] "GET /?s=Dragon%20Ball%20Z%3A%20Film%2005 HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
80.99.0.149 - - [25/Jan/2015:20:21:50 +0000] "GET /?s=Dragon%20Ball%20Z%3A%20Dead%20Zone HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
109.192.242.158 - - [25/Jan/2015:20:21:50 +0000] "GET /?s=Dragon%20Ball%20Z%20Kai HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
109.61.92.185 - - [25/Jan/2015:20:21:50 +0000] "GET /?s=Dragon%20Ball%20Z%20Movie%208 HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
109.89.45.188 - - [25/Jan/2015:20:21:50 +0000] "GET /?s=Dragon%20Ball%20Z%20Movie%2012 HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
188.129.122.30 - - [25/Jan/2015:20:21:50 +0000] "GET /?s=Detektiv%20Conan%20Film%2015%20Die%2015%20Minuten%20der%20Stille HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
87.218.93.189 - - [25/Jan/2015:20:21:50 +0000] "GET /?s=Dragon%20Ball%20Z%3A%20Film%2004 HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
178.7.131.219 - - [25/Jan/2015:20:21:50 +0000] "GET /?s=Dragon%20Ball%20Z%3A%20Dead%20Zone HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
ok, finalmente consegui bloquear esse DDoS simplesmente adicionando isso à minha configuração niganx vhost:
if ($arg_s ~ %20) { return 403; }