You can set up a DDoS-protection tool that allows blocking IP addresses that send too many requests. Enabling protection is only available if the Nginx or OpenLiteSpeed web server is installed. Nginx completely blocks access to the server from the IP address, while OpenLiteSpeed limits bandwidth for the IP address. For more information please refer to the article Install a web-server.

Enabe DDoS-protection


To enable the DDoS protection tool, open the WWW-domain edit form, select the Enable DDoS protection checkbox and specify its parameters:

  • Nginx:
    1. Number of Requests per second from one IP address — if this parameter is exceeded, the IP address is blocked for 5 minutes.
    2. Maximum peak attack size — the number of requests per second above which new requests are blocked.
  • OpenLiteSpeed:
    1. Number of Requests per second from one IP address — if this parameter is exceeded, the bandwidth for the IP address is limited.
    2. Bandwidth, bytes/sec — the bandwidth for the IP address. The actual throughput may be slightly higher than this setting. The value will be rounded in 4 Kb increments. To not limit the speed, enter 0.

For more information please refer to the article Create a WWW-domain.

Technical details for Nginx


The ngx_http_limit_req_module module allows limiting the rate of requests by the specified key or requests from a certain IP address.

How it works 

The module creates a zone for every domain and specifies the maximum peak attack size (burst). Extra requests are delayed until their number exceed the maximum peak. The request is terminated with error 503 (Service Temporarily Unavailable). 

The settings are added into  <path to the Nginx directory>/conf.d/isplimitreq.conf:

Nginx configuration file

limit_req_zone $binary_remote_addr zone=<WWW-domain name>:<zone size> rate=<requests per second>r/s
BASH
Comments

The zone size is calculated as follows:

Formula for calculating zone size

<requests per second> * 64k
CODE

E.g., if the requests per second is 500, the zone size is 500 * 64k, i.e. 32000k.

In  <path to the Nginx directory>/vhosts-resources/<domain name>:

Nginx configuration file

limit_req zone=<WWW-domain name> burst=<Maximum peak attack size>;
error_page 503 =429 @blacklist;
BASH
Details

@blacklist — location for the redirect in case of error 503 (if the maximum number of requests from a certain IP address has been exceeded).

The location @blacklist section is created in  <path to the Nginx directory>/vhosts-includes/blacklist-nginx.conf with the following contents:

Nginx configuration file

location @blacklist {
proxy_redirect off ;
proxy_pass https://<IP address>:<port>;
rewrite (.*) /mancgi/ddos break;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X_ISP_FIREWALLSEC <key for ISPmanager>;
BASH

IP address blocking 

If the request limit is exceeded: 

  1.  The IP address that receives requests is sent to the /mancgi/ddos script. The script blocks the IP for 5 minutes. 
  2. The system blocks IP addresses using iptables for IPv4, ip6tables fro IPv6, and ipset.

Note: ipset is not available on OpenVZ. Therefor, you can use only tools provided by Nginx

The following rule is created in iptables

DROP       all  --  anywhere             anywhere            match-set ispmgr_limit_req src 

The following rule is created in ip6tables:

ip6tables

DROP       all  --  anywhere             anywhere            match-set ispmgr_limit_req6 src 
BASH


ispmgr_limit_req and ispmgr_limit_req6 with the following parameters are added into ipset  hash:ip (IP address) and timeout 300 (block time is seconds).

The following record is added into the /usr/local/mgr5/var/ddos.log log:

Block log

WARNING Address (<IP address>) is blacklisted
BASH

Execute the command to check the list contents:

ipset -L ispmgr_limit_req
BASH

The "Members" filed of the command output will show blacklisted IPs and the time until unblocking.

Edit the block period

To change the block period, perform the following steps:

1. Add the following parameter to the ISPmanager configuration file (the default location is  /usr/local/mgr5/etc/ispmgr.conf):

ISPmanager configuration file

isp_limitreq_timeout <block period in seconds>
BASH

2. In iptables find the number of the ispmgr_limit_req src rule:

iptables -L INPUT --line-numbers

3. Delete the rule:

iptables -D INPUT <rule number>
BASH

4. In ip6tables find the number of the ispmgr_limit_req6 src rule:

ip6tables -L INPUT --line-number
BASH

5. Delete the rule: 

ip6tables -D INPUT <rule number>
BASH

6. Delete the rules from ipset:

ipset destroy ispmgr_limit_req
ipset destroy ispmgr_limit_req6

7. Update the firewall rules in ISPmanager:

/usr/local/mgr5/sbin/mgrctl -m ispmgr firewall
BASH