How to prevent web socket DDOS attacks?


Problem description

I just performed a basic DDOS from my computer:

    websocket-bench -a 2500 -c 200 wss://s.example.com

Which to my total dismay crashed my server! The WS works by connecting to my nginx proxy:

    location / {
        proxy_pass http://sock;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_read_timeout 60;
    }

    upstream sock {
        server 127.0.0.1:1203 fail_timeout=1s;
    }

And locally on the server, on port 1203, is Ratchet. The setup for Ratchet is that I allow any connection, and the first onMessage performs authentication; if invalid, the connection is closed.

I have also tried authentication by passing headers on the first connection, and if invalid the socket closes, but this has not helped at all and nginx still reaches 100% resources and then crashes.

What should I be analysing to prevent these crashes?

When changing the upstream to another closed port (i.e. disabling it) the server still crashes.

Recommended answer

Either change your authentication logic so Nginx handles it, or implement request and connection limits within Nginx to control how many connections are accepted and passed to the upstream server.
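
The request and connection limits the answer refers to, applied to the proxy configuration from the question. This is an added example, not part of the original answer; the zone names (`ws_conn`, `ws_handshake`) and all numeric limits are assumptions to be tuned against real traffic.

```nginx
# Added example: zone names and limit values are assumptions.
# The limit_*_zone and limit_*_status directives go in the http {} context.

# Shared-memory zone counting concurrent connections per client address.
limit_conn_zone $binary_remote_addr zone=ws_conn:10m;

# Shared-memory zone tracking the rate of new requests per client address.
# A WebSocket handshake is an ordinary HTTP request, so it is counted here.
limit_req_zone $binary_remote_addr zone=ws_handshake:10m rate=5r/s;

# Answer rejected clients with 429 instead of the default 503,
# and log rejections so they can be reviewed in the error log.
limit_conn_status 429;
limit_req_status 429;
limit_conn_log_level warn;
limit_req_log_level warn;

upstream sock {
    server 127.0.0.1:1203 fail_timeout=1s;
}

# Inside the existing server {} block for s.example.com:
location / {
    # At most 10 simultaneous proxied connections per client address.
    # An upgraded WebSocket stays counted for as long as it is open.
    limit_conn ws_conn 10;

    # Sustained 5 handshakes per second per address, with a burst of 10;
    # anything beyond that is rejected immediately rather than queued.
    limit_req zone=ws_handshake burst=10 nodelay;

    proxy_pass http://sock;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header X-Real-IP $remote_addr;
    proxy_read_timeout 60;
}
```

Both limits are keyed on the client address, so they bound what a single source, such as the one-machine benchmark in the question, can consume before anything is passed to Ratchet. They do not by themselves cap the total load arriving from many distinct addresses.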
