You can set up a DDoS-protection tool that blocks IP addresses that send too many requests. Protection can be enabled only if the Nginx or OpenLiteSpeed web server is installed. Nginx completely blocks access to the server from the offending IP address, while OpenLiteSpeed limits the bandwidth available to that IP address. For more information, please refer to the article Install a web-server.
To enable the DDoS protection tool, open the edit form, select the checkbox and specify its parameters:
For Nginx:
a. Number of requests from one IP address — if this parameter is exceeded, the IP address is blocked for 5 minutes.
b. The number of requests per second above which new requests are blocked.
For OpenLiteSpeed:
a. Number of requests from one IP address — if this parameter is exceeded, the bandwidth for the IP address is limited.
b. The bandwidth for the IP address. The actual throughput may be slightly higher than this setting. The value is rounded in 4 Kb increments. To leave the speed unlimited, enter 0.
The module limits the rate of requests by the specified key, i.e. requests coming from a particular IP address.
The module creates a zone for every domain and specifies the maximum peak attack size (burst). Requests above the rate are delayed until their number exceeds the burst; any further request is rejected with error 503 (Service Temporarily Unavailable).
The settings are added into :
limit_req_zone $binary_remote_addr zone=<WWW-domain name>:<zone size> rate=<requests per second>r/s;
The zone size is calculated as follows:
<requests per second> * 64k
E.g., if the requests per second is 500, the zone size is 500 * 64k, i.e. 32000k.
In :
limit_req zone=<WWW-domain name> burst=<Maximum peak attack size>;
error_page 503 =429 @blacklist;
@blacklist — location for the redirect in case of error 503 (if the maximum number of requests from a certain IP address has been exceeded).
The location @blacklist section is created in with the following contents:
location @blacklist {
    proxy_redirect off;
    proxy_pass https://<IP address>:<port>;
    rewrite (.*) /mancgi/ddos break;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X_ISP_FIREWALLSEC <key for ISPmanager>;
}
If the request limit is exceeded:
1. The client IP address that exceeded the limit is passed to the script. The script blocks the IP for 5 minutes.
2. The system blocks IP addresses using iptables for IPv4, ip6tables for IPv6, and ipset.
Note: ipset is not available on OpenVZ. Therefore, only the tools provided by Nginx can be used there.
The following rule is created in iptables:
DROP all -- anywhere anywhere match-set ispmgr_limit_req src
The following rule is created in ip6tables:
DROP all -- anywhere anywhere match-set ispmgr_limit_req6 src
The sets ispmgr_limit_req and ispmgr_limit_req6 are added to ipset with the type hash:ip (IP address) and timeout 300 (block time in seconds).
The following record is added to the log:
WARNING Address (<IP address>) is blacklisted
Execute the command to check the list contents:
ipset -L ispmgr_limit_req
The "Members" field of the command output will show blacklisted IPs and the time until unblocking.
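The zone-size rule above and the ipset check, worked through as an added example that is not part of the ISPmanager documentation or code: the first two functions build the limit_req_zone and limit_req lines for a domain using the <requests per second> * 64k rule; the third parses the output of ipset -L to recover the blacklisted IPs and their remaining block time. The ipset output is a constructed sample in the standard ipset list format, not captured from a real host.

```python
import ipaddress
import re

# Zone size rule from the page: <requests per second> * 64k.
ZONE_KB_PER_RPS = 64

def limit_req_zone_line(domain: str, rps: int) -> str:
    """Build the http-level limit_req_zone directive for one WWW-domain."""
    if rps <= 0:
        raise ValueError("requests per second must be positive")
    zone_kb = rps * ZONE_KB_PER_RPS
    return (f"limit_req_zone $binary_remote_addr "
            f"zone={domain}:{zone_kb}k rate={rps}r/s;")

def limit_req_lines(domain: str, burst: int) -> list[str]:
    """Per-server directives: apply the zone, turn 503 into 429 via @blacklist."""
    return [f"limit_req zone={domain} burst={burst};",
            "error_page 503 =429 @blacklist;"]

# Constructed sample of `ipset -L ispmgr_limit_req` output (not from a real host).
SAMPLE_IPSET_OUTPUT = """\
Name: ispmgr_limit_req
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 300
Size in memory: 312
References: 1
Number of entries: 2
Members:
203.0.113.5 timeout 173
198.51.100.9 timeout 42
"""

MEMBER_RE = re.compile(r"^(\S+)\s+timeout\s+(\d+)\s*$")

def parse_ipset_members(output: str) -> dict[str, int]:
    """Return {ip: seconds until unblock} from `ipset -L` output (header skipped)."""
    members = {}
    in_members = False
    for line in output.splitlines():
        if not in_members:
            in_members = line.strip() == "Members:"
            continue
        m = MEMBER_RE.match(line.strip())
        if not m:
            continue  # blank or unexpected line
        ipaddress.ip_address(m.group(1))  # raises ValueError on a malformed entry
        members[m.group(1)] = int(m.group(2))
    return members
```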
To change the block period, perform the following steps:
1. Add the following parameter to the ISPmanager configuration file (the default location is /usr/local/mgr5/etc/ispmgr.conf):
isp_limitreq_timeout <block period in seconds>
2. In iptables find the number of the ispmgr_limit_req src rule:
iptables -L INPUT --line-numbers
3. Delete the rule:
iptables -D INPUT <rule number>
4. In ip6tables find the number of the ispmgr_limit_req6 src rule:
ip6tables -L INPUT --line-numbers
5. Delete the rule:
ip6tables -D INPUT <rule number>
6. Delete the rules from ipset:
ipset destroy ispmgr_limit_req
ipset destroy ispmgr_limit_req6
7. Update the firewall rules in ispmanager:
/usr/local/mgr5/sbin/mgrctl -m ispmgr firewall