NGINX Rate Limiting

superman2727

Well-known member
Joined
Apr 24, 2018
Messages
227
Best answers
0
Ratings
9
Points
18
#1
How does NGINX rate limiting work? Can rate limiting be used for security purposes? I wonder if it can protect against DDoS attacks? How does it do that? I don't exactly know how this rate limiting works, and I've wanted to know whether it configures itself just to protect from attackers. Is this only for security, or are there other uses for it?
 

VirtuBox

Global Mod
Staff Member
Joined
May 3, 2016
Messages
1,500
Best answers
4
Ratings
380 10
Points
83
#2
Rate limiting is useful to avoid bruteforce or to mitigate DoS attacks. Here are some examples of nginx rate limiter configuration:

DoS Mitigation
Bash:
    # Simple DoS mitigation
    ## Max concurrent connections per IP
    limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
    limit_conn limit_per_ip 80;

    ## Max requests per second per IP
    limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s;
    limit_req zone=allips burst=400 nodelay;
Avoid bruteforce on the wp-login.php page:
Bash:
    ## Limit requests to 1 per second per IP; rejected requests get a 403
    limit_req_status 403;
    limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;

    location = /wp-login.php {
      limit_req zone=one burst=1 nodelay;
      include fastcgi_params;
      fastcgi_pass php;
    }
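Added example, not part of VirtuBox's post and not nginx source code: a simplified Python model of the leaky-bucket accounting behind `limit_req` with `nodelay`, run over constructed requests to show which ones the `rate=1r/s burst=1` login rule above would pass or reject. The names `Bucket`, `allow` and `simulate`, the sample IPs and timestamps, and the 200 status for passed requests are assumptions made for the illustration.

```python
# Added example: simplified model of limit_req accounting, not nginx source code.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Bucket:
    """Per-key state, one per $binary_remote_addr value (hypothetical name)."""
    excess: int = 0                 # backlog in thousandths of a request
    last_ms: Optional[int] = None   # time of the last accepted request


def allow(b: Bucket, now_ms: int, rate: int, burst: int) -> bool:
    """Leaky-bucket check with nodelay: pass at once or reject."""
    if b.last_ms is None:           # first request seen for this key
        b.last_ms = now_ms
        return True
    elapsed = max(now_ms - b.last_ms, 0)
    # Drain rate*elapsed thousandths, then add 1000 for this request.
    excess = max(b.excess - rate * elapsed + 1000, 0)
    if excess > burst * 1000:
        return False                # over burst: rejected, state unchanged
    b.excess = excess
    if elapsed:
        b.last_ms = now_ms
    return True


def simulate(requests, rate=1, burst=1, reject_status=403):
    """requests: (time_ms, ip) tuples in time order -> list of HTTP statuses."""
    zone = {}                       # stands in for the shared memory zone
    statuses = []
    for now_ms, ip in requests:
        bucket = zone.setdefault(ip, Bucket())
        statuses.append(200 if allow(bucket, now_ms, rate, burst) else reject_status)
    return statuses


# Constructed sample: POSTs to /wp-login.php from two documentation-range IPs.
SAMPLE = [(0, "203.0.113.5"), (100, "203.0.113.5"), (150, "198.51.100.7"),
          (200, "203.0.113.5"), (300, "203.0.113.5"), (1200, "203.0.113.5"),
          (5000, "203.0.113.5")]

if __name__ == "__main__":
    for (t, ip), status in zip(SAMPLE, simulate(SAMPLE)):
        print(f"{t:>5} ms  {ip:<13} -> {status}")
```

Each client IP has its own bucket, so the second address is unaffected by the first one's rejections, and with `burst=1` two back-to-back requests pass before the limit applies.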
 

superman2727

#3
So the main role of rate limits is to mitigate DDoS attacks? Is it more focused on security breaches and avoidance of online attackers? Am I saying it right?
 

VirtuBox

#4
It can be used to mitigate DoS (Denial of Service) attacks, not DDoS (Distributed Denial of Service) attacks, because in most cases a DDoS isn't only flooding the web server, so nginx cannot protect anything.
There are a lot of other possible uses of Nginx rate limiting, but bruteforce protection and DoS mitigation are probably the most used.
But it doesn't protect against security breaches; it only limits the ability to use basic attacks like bruteforce.
 

superman2727

#5
Oops, I had it wrong. I thought you were saying that rate limiting is all about mitigating DDoS. Now I'm getting it. NGINX rate limiting focuses more on DoS and bruteforce, but it doesn't fully stop a bruteforce attack. Cheers!
 