NGINX Rate Limiting

superman2727

Well-known member
Joined
Apr 24, 2018
Messages
227
Best answers
0
Ratings
9
Points
18
#1
How does NGINX rate limiting work? Can rate limiting be used for security purposes? I wonder if it can protect against DDoS attacks? How does it do that? I don't exactly know how this rate limiting works, and I wanted to know whether it configures itself just to protect from attackers. Is this only for security, or are there other uses for it?
 

VirtuBox

Global Mod
Staff Member
Joined
May 3, 2016
Messages
1,551
Best answers
4
Ratings
412 13
Points
83
#2
Rate limiting is useful to avoid bruteforce or to mitigate DoS attacks. Here are some examples of nginx rate limiter configuration:

DoS Mitigation
Bash:
    # Simple DoS mitigation (the directives below go in the http {} context)
    ## Max concurrent connections per IP
    limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
    limit_conn limit_per_ip 80;

    ## Max requests per second per IP
    limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s;
    limit_req zone=allips burst=400 nodelay;
Avoid bruteforce on the wp-login.php page:
Bash:
    ## Limit requests to 1/second per IP; reject the excess with 403 (http {} context)
    limit_req_status 403;
    limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;

    ## Inside the server {} block; "php" is an upstream defined elsewhere
    location = /wp-login.php {
        limit_req zone=one burst=1 nodelay;
        include fastcgi_params;
        fastcgi_pass php;
    }
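
How `limit_req` with `burst` and `nodelay` decides which requests to reject, as an added example that is not part of the original posts and is not nginx's own code: a simplified Python model of the leaky-bucket accounting, replayed over constructed traffic with the zone values from the configuration above. `LimitReq`, `replay` and the three scenario functions are hypothetical names, and the IP addresses are constructed.

```python
# Added example: simplified model of limit_req accounting (not nginx source).
from dataclasses import dataclass

@dataclass
class _State:
    excess: int   # backlog in 1/1000ths of a request
    last_ms: int  # time of the last accepted request

class LimitReq:
    """Per-key leaky bucket, modelling `limit_req ... burst=N nodelay`."""

    def __init__(self, rate_per_sec, burst):
        self.rate = rate_per_sec * 1000   # milli-requests drained per second
        self.burst = burst * 1000         # milli-requests tolerated above rate
        self.zone = {}                    # stands in for the shared memory zone

    def allow(self, key, now_ms):
        st = self.zone.get(key)
        if st is None:                    # first request seen from this key
            self.zone[key] = _State(0, now_ms)
            return True
        elapsed = max(0, now_ms - st.last_ms)
        # Drain the bucket for the elapsed time, then add this request.
        excess = max(0, st.excess - self.rate * elapsed // 1000 + 1000)
        if excess > self.burst:           # above rate + burst: rejected,
            return False                  # and the stored state is untouched
        st.excess, st.last_ms = excess, now_ms
        return True

def replay(limiter, events):
    """events: (ip, time_ms) pairs in order; returns accept/reject per event."""
    return [limiter.allow(ip, ms) for ip, ms in events]

def login_guessing():
    # zone=one, rate=1r/s, burst=1: one client retrying wp-login.php
    times = [0, 100, 200, 300, 400, 1000, 1500, 2000]
    return replay(LimitReq(1, 1), [("203.0.113.7", t) for t in times])

def single_source_flood():
    # zone=allips, rate=400r/s, burst=400: 1000 requests in one millisecond
    return sum(replay(LimitReq(400, 400), [("203.0.113.7", 0)] * 1000))

def many_sources():
    # 1000 different addresses, one request each: every key is under its limit
    ips = [f"10.0.{i // 256}.{i % 256}" for i in range(1000)]
    return sum(replay(LimitReq(400, 400), [(ip, 0) for ip in ips]))

if __name__ == "__main__":
    print(login_guessing(), single_source_flood(), many_sources())
```

Because the zones are keyed on `$binary_remote_addr`, the limiter only counts per address: the single-source flood is cut to the burst allowance, while the same volume spread over many addresses passes untouched.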
 

superman2727

#3
So the main role of rate limits is to mitigate DDoS attacks? Is it more focused on security breaches and avoidance of online attackers? Am I saying it right?
 

VirtuBox

#4
It can be used to mitigate DoS (Denial of Service) attacks, not DDoS (Distributed Denial of Service) attacks, because in most cases DDoS isn't only flooding the web server, so nginx cannot protect anything.
There are a lot of other possible uses of Nginx rate limiting, but bruteforce protection and DoS mitigation are probably the most used.
But it doesn't protect against security breaches; it only limits the ability to use basic attacks like bruteforce.
 

superman2727

#5
Oops, I had it wrong. I thought you were saying that rate limiting is all about mitigating DDoS. Now I'm getting it. NGINX rate limiting focuses more on DoS and bruteforce, but it doesn't fully stop a bruteforce attack. Cheers!
 