IP Behavior

From SEnginx

IP Behavior Module

Synopsis

The IP behavior module monitors the access behavior of client IP addresses against a server. It is meant to be combined with other security features, such as conditional limit_req and robot mitigation, so that SEnginx can detect and act against L7 DDoS attacks and scanning.
At the current stage this feature only supports sensitive URL access detection; other kinds of access behavior detection will be implemented in the future.

This feature is available since version 1.5.10.

Directives

ip_behavior_zone

Syntax: ip_behavior_zone zone=name:size sample_base=times sample_cycle=cycle;
Default: none
Context: http

Defines an IP behavior zone. You need to specify 3 parameters:

  • zone=name:size, where name is the zone's name and size is how much shared memory the zone will use, with a unit such as m or k;
  • sample_base=times, the number of requests needed for a valid sample; times must be an unsigned integer;
  • sample_cycle=cycle, the length of the sampling cycle; the unit can be s (seconds) or m (minutes).


Example:

ip_behavior_zone zone=abc:10m sample_base=10 sample_cycle=2s;

This defines a 10MB zone with a sample cycle of two seconds and a minimum of 10 requests for a valid sample.


ip_behavior

Syntax: ip_behavior zone=name type=type;
Default: none
Context: server

Enables an IP behavior zone in a server. This directive takes the following parameters:

  • zone=name, specifies which zone to use;
  • type=type, specifies the mode; currently only sensitive_url is supported.


Example:

server {
    ip_behavior zone=abc type=sensitive_url;
}

This enables zone abc on a server and sets the mode to detection of sensitive URL access behavior.

ip_behavior_sensitive

Syntax: ip_behavior_sensitive;
Default: none
Context: location

Marks a location as sensitive. If a location is defined as sensitive, all resources under this location are treated as sensitive.

Example:

server {
    location ~* .*\.php {
        ip_behavior_sensitive;
        
        ...
    }
}

This marks PHP files as sensitive resources, because dynamic PHP pages are an easy target for L7 DDoS attacks.

Variables

$insensitive_percent

Returns the percentage of an IP address's requests that went to non-sensitive resources, relative to all resources it requested; an IP that mostly requests sensitive resources therefore has a low value. It can be used in the ifany, ifall and if directives, and is usually used in the condition parameter of the conditional limit_req module. For example:

ifall ($insensitive_percent >= 0) ($insensitive_percent < 30) {
    set $cond 1;
}
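To make the sampling semantics concrete, here is an added Python model of an ip_behavior zone with type=sensitive_url; it is not SEnginx's code. It assumes that per-IP counters are reset every sample_cycle, that $insensitive_percent is -1 until sample_base requests have been counted in the current cycle (which is why the ifall above first checks `>= 0`), and that the sensitive pattern is the page's `location ~* .*\.php`.

```python
import re
from collections import defaultdict

# Mirrors the page's "location ~* .*\.php" (case-insensitive regex).
SENSITIVE_RE = re.compile(r".*\.php$", re.IGNORECASE)


class IpBehaviorZone:
    """Constructed model of ip_behavior_zone ... sample_base=N sample_cycle=T."""

    def __init__(self, sample_base=10, sample_cycle=2.0):
        self.sample_base = sample_base    # requests needed for a valid sample
        self.sample_cycle = sample_cycle  # seconds per sampling cycle (assumed reset)
        self.state = defaultdict(lambda: {"start": None, "sensitive": 0, "insensitive": 0})

    def record(self, ip, path, ts):
        """Count one request; start a new cycle when sample_cycle has elapsed."""
        s = self.state[ip]
        if s["start"] is None or ts - s["start"] >= self.sample_cycle:
            s["start"], s["sensitive"], s["insensitive"] = ts, 0, 0
        if SENSITIVE_RE.match(path):
            s["sensitive"] += 1
        else:
            s["insensitive"] += 1

    def insensitive_percent(self, ip):
        """Assumed: -1 until sample_base requests are seen in the current cycle."""
        s = self.state[ip]
        total = s["sensitive"] + s["insensitive"]
        if total < self.sample_base:
            return -1
        return 100 * s["insensitive"] // total


def cond(zone, ip, threshold=30):
    """Evaluates: ifall ($insensitive_percent >= 0) ($insensitive_percent < threshold)."""
    p = zone.insensitive_percent(ip)
    return 0 <= p < threshold


# Constructed traffic: (client ip, path, timestamp in seconds).
REQUESTS = (
    [("10.0.0.1", "/login.php", 0.1 * i) for i in range(12)]        # hammers PHP
    + [("10.0.0.2", "/index.html", 0.1 * i) for i in range(9)]      # mostly static
    + [("10.0.0.2", "/login.php", 1.2)]
    + [("10.0.0.3", "/a.php", 0.1 * i) for i in range(6)]           # split across
    + [("10.0.0.3", "/a.php", 3.0 + 0.1 * i) for i in range(6)]     # two cycles
)


def run(requests=REQUESTS, sample_base=10, sample_cycle=2.0):
    zone = IpBehaviorZone(sample_base, sample_cycle)
    for ip, path, ts in requests:
        zone.record(ip, path, ts)
    return {ip: (zone.insensitive_percent(ip), cond(zone, ip)) for ip in ("10.0.0.1", "10.0.0.2", "10.0.0.3")}
```

Only 10.0.0.1 meets the condition: 10.0.0.2 is mostly static traffic, and 10.0.0.3 never reaches sample_base within a single cycle, so its sample is not yet valid.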

Configuration Examples

Work with conditional limit_req module

http {
    ...
    limit_req_zone $binary_remote_addr zone=cc:10m rate=1r/s;
    ip_behavior_zone zone=abc:10m sample_base=10 sample_cycle=2s;
    ...

    server {
         ...
         ip_behavior zone=abc type=sensitive_url;
         ...

         location ~ /.*\.php {
             limit_req zone=cc burst=1 condition=$cond;
             ip_behavior_sensitive;

             ifall ($insensitive_percent >= 0) ($insensitive_percent < 5) {
                 set $cond 1;
             }

             fastcgi_pass 127.0.0.1:9000;
             ...
         }

         location / {
             root html/;
         }
    }
}

Only IP addresses that access a large share of sensitive resources are rate limited.

Work with robot mitigation module

http {
    ...
    ip_behavior_zone zone=abc:10m sample_base=10 sample_cycle=2s;
    ...

    server {
         ...
         ip_behavior zone=abc type=sensitive_url;
         ...

         location ~ /.*\.php {
             ip_behavior_sensitive;

             ifall ($insensitive_percent >= 0) ($insensitive_percent < 5) {
                 return 599;
             }

             fastcgi_pass 127.0.0.1:9000;
             ...
         }

         location @process {
            ns_layer_force_run;

            robot_mitigation on;
            robot_mitigation_blacklist 10;

            fastcgi_pass 127.0.0.1:9000;
            ...
         }

         error_page 599 = @process;
    }
}

This challenges IP addresses that access many sensitive URLs in a short time; an address that fails the challenge 10 times is added to the IP blacklist.

Work with conditional limit_req and robot mitigation module

http {
    ...

    limit_req_zone $binary_remote_addr zone=cc:10m rate=5r/s;
    limit_req_zone $binary_remote_addr zone=total:10m rate=30r/s;
    ip_behavior_zone zone=abc:10m sample_base=10 sample_cycle=1s;

    server {
        ...
        ip_behavior zone=abc type=sensitive_url;
        
        location / {
            root  html/;
        }


        ...


        location ~* .*\.php {
            limit_req zone=cc burst=1 forbid_action=@process condition=$cond;
            limit_req zone=total burst=5;


            ip_behavior_sensitive;


            ifall ($insensitive_percent >= 0) ($insensitive_percent < 30) {
                set $cond 1;
            }


            fastcgi_pass  127.0.0.1:9000;
            ...
        }


        location @process {
            ns_layer_force_run;
            robot_mitigation on;
            robot_mitigation_mode js;

            fastcgi_pass  127.0.0.1:9000;
            ...
        }
    }
}

This challenges the IP address via limit_req's forbid_action: once the conditional limit is exceeded, the request is sent to @process, where robot mitigation runs in JavaScript challenge mode.
