NGINX Rate Limiting

superman2727
How does NGINX rate limiting work? Can rate limiting be used for security purposes? I wonder if it can protect against DDoS attacks? How does it do that? I don't exactly know how this rate limiting works, and I wanted to know whether it configures itself just to protect from attackers. Is this only for security, or are there other uses for it?
 

VirtuBox
Rate limiting is useful to avoid bruteforce or to mitigate DoS attacks. Here are some examples of nginx rate limiter configuration:

DoS Mitigation
Bash:
    # Simple DoS mitigation (the *_zone directives belong in the http context)
    ## Max concurrent connections per IP
    limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
    limit_conn limit_per_ip 80;

    ## Max requests per second per IP
    limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s;
    limit_req zone=allips burst=400 nodelay;
Avoid bruteforce on the wp-login.php page:
Bash:
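    ## Limit requests to 1 per second per IP (http context)
    ## Over-limit requests get 403 instead of the default 503
    limit_req_status 403;
    limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;

    ## server context: apply the zone to the login page only
    location = /wp-login.php {
        limit_req zone=one burst=1 nodelay;
        include fastcgi_params;
        fastcgi_pass php;
    }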
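
Added example (not part of the post above, and not nginx's own code): a simplified Python model of the leaky-bucket accounting that `limit_req` uses, replayed with the two zones configured above. The class and function names are hypothetical, the client addresses and timestamps are constructed, and the model only covers the accept/reject decision, which is all that `nodelay` leaves.

```python
# Added example: simplified model of limit_req leaky-bucket accounting.
# Class and function names are hypothetical; timestamps are constructed.

class LimitReqZone:
    """Per-key state for one limit_req zone (rate in requests/second)."""

    def __init__(self, rate, burst):
        self.rate_milli = int(rate * 1000)    # work in 1/1000 request units
        self.burst_milli = burst * 1000
        self.state = {}                       # key -> (excess, last_ms)

    def allow(self, key, now_ms):
        """Return True if the request passes, False if it is rejected."""
        if key not in self.state:
            self.state[key] = (0, now_ms)     # first request from this key
            return True
        excess, last_ms = self.state[key]
        elapsed = max(0, now_ms - last_ms)
        # Drain at the configured rate, then add this request.
        excess = max(0, excess - self.rate_milli * elapsed // 1000 + 1000)
        if excess > self.burst_milli:
            return False                      # rejected; state unchanged
        self.state[key] = (excess, now_ms)
        return True


def replay(zone, requests):
    """Replay (key, time_ms) pairs; return the accept/reject decisions."""
    return [zone.allow(key, t) for key, t in requests]


def login_zone_demo():
    # wp-login.php settings from the thread: rate=1r/s, burst=1, nodelay.
    zone = LimitReqZone(rate=1, burst=1)
    # Constructed traffic: one address sends 5 requests within 400 ms,
    # another address sends one request, then the first retries at 1.5 s.
    traffic = [("203.0.113.5", t) for t in (0, 100, 200, 300, 400)]
    traffic += [("198.51.100.7", 450), ("203.0.113.5", 1500)]
    return replay(zone, traffic)


def dos_zone_demo():
    # DoS settings from the thread: rate=400r/s, burst=400, nodelay.
    zone = LimitReqZone(rate=400, burst=400)
    # Constructed traffic: 1000 requests from one address in the same ms.
    return sum(replay(zone, [("203.0.113.5", 0)] * 1000))
```

Because the zone key is `$binary_remote_addr`, each client address gets its own bucket, so the second address in the login demo is unaffected by the first one's rejections.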
 

superman2727
So the main role of rate limits is to mitigate DDoS attacks? It is more focused on security breaches and avoidance of online attackers? Am I saying it right?
 

VirtuBox
It can be used to mitigate DoS (Denial of Service) attacks, not DDoS (Distributed Denial of Service) attacks, because in most cases a DDoS isn't only flooding the web server, so nginx cannot protect anything.
There are a lot of other possible uses of Nginx rate limiting, but bruteforce protection and DoS mitigation are probably the most used.
But it doesn't protect against security breaches; it only limits the ability to use basic attacks like bruteforce.
 

superman2727
Oops, I got it wrong. I thought you were saying that rate limiting is all about mitigating DDoS. Now I'm getting it. NGINX rate limiting focuses more on DoS and bruteforce, but it doesn't fully stop a bruteforce attack. Cheers!
 