IP Behavior
Contents |
IP Behavior Module
Synopsis
The IP behavior module is used to monitor users' access behavior to a server. This feature is mainly used with other security features such as conditional limit_req and robot mitigation, thus SEnginx could detect and take actions against L7 DDoS attacks or scanning.
At current stage, this feature only supports senetive URL access detection, other access behavior detection will be implemented in the future.
This feature is availiable since version 1.5.10.
Directives
ip_behavior_zone
| Syntax | ip_behavior_zone zone=name:size sample_base=times sample_cycle=cycle; |
| Default | |
| Context | http |
Defining an IP behavior zone, you need to specify 3 parameters:
- zone=name:size, name is zone's name, size means how much memory this zone will use, unit is in m, k, etc;
- sample_base=times, specifies the number of the request for a valid sample, times must be unsigned integer;
- sample_cycle=cycle, specifies the cyclog of the sampling, unit could be s (for second) and m (for minute).
Example:
ip_behavior_zone zone=abc:10m sample_base=10 sample_cycle=2s;
This defines a 10MB size zone, sample cycle is two seconds and the miminum valid request number is 10.
ip_behavior
| Syntax | ip_behavior zone=name type=type; |
| Default | |
| Context | server |
Enable an IP behavior zone in a server, this directive takes 3 parameters:
- name, spcifies what zone to use;
- type, spcified the mode, currently only sensitive_url is supported.
Example:
server {
ip_behavior zone=abc type=sensitive_url;
}
Enable zone abc on a server and set the mode to sensitive url accessing behavior detecting.
ip_behavior_sensitive
| Syntax | ip_behavior_sensitive; |
| Default | |
| Context | location |
Specifies sensitive locations. If a location is defined as a sensitive location, all the resources under this location will be treated as sensitive.
Example:
server {
location ~* .*\.php {
ip_behavior_sensitive;
...
}
}
Set php files as sensitve resources, because the php files are easy to suffer a L7 DDoS attack.
Variables
$insensitive_percent
Returens the percent of a IP address accessing sensitive resources from all resources, could be used in ifany, ifall and if direvtive. Usually used in conditional limit_req module's condition parameter. For example:
ifall ($insensitive_url >= 0) ($insensitive_url < 30) {
set $cond 1;
}
Confiuration Example
Work with conditional limit_req module
http {
...
limit_req_zone $binary_remote_addr zone=cc:10m rate=1r/s;
ip_behavior_zone zone=abc:10m sample_base=10 sample_cycle=2s;
...
server {
...
ip_behavior zone=abc type=sensitive_url;
...
location ~ /.*\.php {
limit_req zone=cc burst=1 condition=$cond;
ip_behavior_sensitive;
ifall ($insensitive_percent >= 0) ($insensitive_percent < 5) {
set $cond 1;
}
fastcgi_pass 127.0.0.1:9000;
...
}
location / {
root html/;
}
}
}
Only the IP address that access lots of sensitive resources would be limited speed.
Work with robot mitigation module
http {
...
ip_behavior_zone zone=abc:10m sample_base=10 sample_cycle=2s;
...
server {
...
ip_behavior zone=abc type=sensitive_url;
...
location ~ /.*\.php {
ip_behavior_sensitive;
ifall ($insensitive_percent >= 0) ($insensitive_percent < 5) {
return 599;
}
fastcgi_pass 127.0.0.1:9000;
...
}
location @process {
ns_layer_force_run;
robot_mitigation on;
robot_mitigation_blacklist 10;
fastcgi_pass 127.0.0.1:9000;
...
}
error_page 599 = @process;
}
}
Chanllege the IP address which accesses lots of sensitive URLs in a short time and will be added to IP balcklist if fails the chanllenge for 10 times.
Work with conditional limit_req and robot mitigation module
http {
...
limit_req_zone $binary_remote_addr zone=cc:10m rate=5r/s;
limit_req_zone $binary_remote_addr zone=total:10m rate=30r/s;
ip_behavior_zone zone=abc:10m sample_base=10 sample_cycle=1s;
server {
...
ip_behavior zone=abc type=sensitive_url;
location / {
root html/;
}
...
location ~* .*\.php {
limit_req zone=cc burst=1 forbid_action=@process condition=$cond;
limit_req zone=total burst=5;
ip_behavior_sensitive;
ifall ($insensitive_percent >= 0) ($insensitive_percent < 30) {
set $cond 1;
}
fastcgi_pass 127.0.0.1:9000;
...
}
location @process {
ns_layer_force_run;
robot_mitigation on;
robot_mitigation_mode js;
fastcgi_pass 127.0.0.1:9000;
...
}
}
}
Chanllege IP address by using limit_req's forbid_action.
