Strategy:
1) Use the ngx_http_limit_req_module module to limit the request rate and the number of request connections.
   Configuration reference: http://nginx.org/en/docs/http/ngx_http_limit_req_module.html#limit_req_zone
2) Use the ngx_http_limit_conn_module module to limit the number of concurrent connections.
   Configuration reference: http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html#directives
The configuration is as follows:

    http {
        limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
        limit_conn_zone $binary_remote_addr zone=addr:10m;

        server {
            listen 80;
            server_name 210.10.5.102;

            location / {
                root html;
                index index.html index.htm;
                limit_req zone=one burst=5;
                limit_conn addr 1;
            }
        }
    }
All other configuration is omitted; only the limits set up to defend against DDoS are discussed here. Once this is in place it imposes the following restrictions:
no more than 1 request per second is processed per client (rate=1r/s);
at most 5 excess requests per visit can wait in the burst queue (burst=5); any beyond that are answered with 503;
only 1 concurrent connection per client address is allowed (addr 1); any beyond that are answered with 503.
3) Testing these configured policies with apache-ab:

3.1 First check that ab works at all:

    Server Software:        BWS/1.1
    Server Hostname:        www.baidu.com
    Server Port:            80
    Document Path:          /
    Document Length:        96527 bytes
    Concurrency Level:      10
    Time taken for tests:   1.952 seconds
    Complete requests:      20
    Failed requests:        19
       (Connect: 0, Length: 19, Exceptions: 0)

20 requests in total at concurrency 10, 19 failed, which suggests Baidu has a defence equivalent to burst=1 and addr 1 in place.

3.2 Local nginx, no limits yet

3.2.1 20 requests at concurrency 10: 20 succeeded, 0 failed

    Server Software:        nginx/1.2.6
    Server Hostname:        210.10.5.189
    Server Port:            80
    Document Path:          /test.html/
    Document Length:        168 bytes
    Concurrency Level:      10
    Time taken for tests:   0.109 seconds
    Complete requests:      20
    Failed requests:        0

3.2.2 2000 requests at concurrency 1000: 2000 succeeded, 0 failed

    Server Software:        nginx/1.2.6
    Server Hostname:        210.10.5.189
    Server Port:            80
    Document Path:          /test.html/
    Document Length:        168 bytes
    Concurrency Level:      1000
    Time taken for tests:   12.900 seconds
    Complete requests:      2000
    Failed requests:        0

This shows that local throughput is excellent, and that every request was served.

3.2.3 200 requests at concurrency 100: 200 succeeded, 0 failed

    Server Software:        nginx/1.2.6
    Server Hostname:        210.10.5.189
    Server Port:            80
    Document Path:          /index.jsp/
    Document Length:        168 bytes
    Concurrency Level:      100
    Time taken for tests:   0.983 seconds
    Complete requests:      200
    Failed requests:        0
    Non-2xx responses:      200

This test requests a JSP page, which goes through the reverse proxy; the static HTML earlier was served directly by nginx.

3.2.4 2000 requests at concurrency 1000: 2000 succeeded, 0 failed

    Server Software:        nginx/1.2.6
    Server Hostname:        210.10.5.189
    Server Port:            80
    Document Path:          /index.jsp/
    Document Length:        168 bytes
    Concurrency Level:      1000
    Time taken for tests:   9.858 seconds
    Complete requests:      2000
    Failed requests:        0
    Non-2xx responses:      2000

So whether static or dynamic, everything is served; the result is very good.

3.2.5 200 requests: is there a difference in processing time between concurrency 10 and concurrency 1?

    Server Software:        nginx/1.2.6
    Server Hostname:        210.10.5.189
    Server Port:            80
    Document Path:          /index.jsp/
    Document Length:        168 bytes
    Concurrency Level:      10
    Time taken for tests:   1.001 seconds
    Complete requests:      200
    Failed requests:        0
    Non-2xx responses:      200

    Server Software:        nginx/1.2.6
    Server Hostname:        210.10.5.189
    Server Port:            80
    Document Path:          /index.jsp/
    Document Length:        168 bytes
    Concurrency Level:      1
    Time taken for tests:   1.792 seconds
    Complete requests:      200
    Failed requests:        0
    Non-2xx responses:      200

Concurrency 1 takes roughly 1.7 times as long as concurrency 10, so there is clearly a difference.

3.3 With the policy added: 1 request per second, wait queue burst=5

    limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
    limit_req zone=one burst=5;

3.3.1 10 requests at concurrency 1: 10 succeeded, 0 failed, but it took over 9 s

    Server Software:        nginx/1.2.6
    Server Hostname:        210.10.5.189
    Server Port:            80
    Document Path:          /index.jsp/
    Document Length:        168 bytes
    Concurrency Level:      1
    Time taken for tests:   9.014 seconds
    Complete requests:      10
    Failed requests:        0
    Non-2xx responses:      10

3.3.2 10 requests at concurrency 6: 6 succeeded, 4 failed

    Server Software:        nginx/1.2.6
    Server Hostname:        210.10.5.189
    Server Port:            80
    Document Path:          /index.jsp/
    Document Length:        168 bytes
    Concurrency Level:      6
    Time taken for tests:   5.019 seconds
    Complete requests:      10
    Failed requests:        4
       (Connect: 0, Length: 4, Exceptions: 0)

My guess is that the first batch of 6 concurrent requests had 1 failure and the second batch of 4 had 3 failures, but I am not sure of the details. In any case, burst=5 clearly took effect.

3.3.3 10 requests at concurrency 5: 10 succeeded, 0 failed

    Server Software:        nginx/1.2.6
    Server Hostname:        210.10.5.189
    Server Port:            80
    Document Path:          /index.jsp/
    Document Length:        168 bytes
    Concurrency Level:      5
    Time taken for tests:   9.016 seconds
    Complete requests:      10
    Failed requests:        0
    Non-2xx responses:      10

The reason everything succeeded should be that the burst=5 queue was not exceeded, in contrast to the failures at concurrency 6.

3.3.4 10 requests at concurrency 7: 6 succeeded, 4 failed

    Server Software:        nginx/1.2.6
    Server Hostname:        210.10.5.189
    Server Port:            80
    Document Path:          /index.jsp/
    Document Length:        168 bytes
    Concurrency Level:      7
    Time taken for tests:   5.009 seconds
    Complete requests:      10
    Failed requests:        4
       (Connect: 0, Length: 4, Exceptions: 0)
    Non-2xx responses:      10

Concurrency 7 gives the same result as concurrency 6, 4 failures in both cases, which puzzles me.

3.3.5 10 requests at concurrency 10: 6 succeeded, 4 failed

    Server Software:        nginx/1.2.6
    Server Hostname:        210.10.5.189
    Server Port:            80
    Document Path:          /index.jsp/
    Document Length:        168 bytes
    Concurrency Level:      10
    Time taken for tests:   5.023 seconds
    Complete requests:      10
    Failed requests:        4
       (Connect: 0, Length: 4, Exceptions: 0)
    Non-2xx responses:      10

Concurrency 10 gives the same result as concurrency 6, again 4 failures.
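The limit_req results above (and the burst semantics described under the configuration) follow from the leaky-bucket bookkeeping limit_req uses without nodelay: the first request from a client is served at once, each further request that arrives before the bucket has drained is queued for one rate interval per request already ahead of it, and once more than burst requests are waiting the new one gets a 503. The simulation below is added here and is not from the original post; it models limit_req only (no limit_conn, zero backend time) with an ab-style closed-loop client, and reproduces the 6-of-10 outcome for any concurrency of 6 or more and the 9 s runs at concurrency 1 and 5.

```python
import heapq


class LimitReqBucket:
    """Per-client state of nginx's limit_req leaky bucket (no `nodelay`).

    Mirrors nginx's integer bookkeeping: excess and burst are kept in
    thousandths of a request, so rate=1r/s, burst=5 drains 1000 per second
    and rejects once excess would go above 5000.  Simplified added model,
    not nginx's own code."""

    def __init__(self, rate_rps, burst):
        self.rate = rate_rps * 1000    # nginx ctx->rate
        self.burst = burst * 1000      # nginx limit->burst
        self.excess = None             # None: client key not in the zone yet
        self.last_ms = 0

    def arrive(self, now_ms):
        """Decide one request; returns (accepted, delay_ms before it is served)."""
        if self.excess is None:        # first request from this key: served at once
            self.excess, self.last_ms = 0, now_ms
            return True, 0
        drained = self.rate * (now_ms - self.last_ms) // 1000
        excess = max(self.excess - drained + 1000, 0)
        if excess > self.burst:        # burst queue full -> 503, state untouched
            return False, 0
        self.excess, self.last_ms = excess, now_ms
        return True, excess * 1000 // self.rate


def simulate_ab(requests, concurrency, rate_rps=1, burst=5):
    """ab-style closed loop: each of `concurrency` connections sends its next
    request the moment the previous one finishes.  Backend time is assumed to
    be zero, so an accepted request finishes after its limit_req delay and a
    rejected one finishes immediately.  Returns (ok, rejected, total_ms)."""
    bucket = LimitReqBucket(rate_rps, burst)
    free_at = [0] * concurrency        # min-heap: time each connection is free
    ok = rejected = end_ms = 0
    for _ in range(requests):
        now = heapq.heappop(free_at)
        accepted, delay = bucket.arrive(now)
        done = now + delay
        if accepted:
            ok += 1
        else:
            rejected += 1
        end_ms = max(end_ms, done)
        heapq.heappush(free_at, done)
    return ok, rejected, end_ms


if __name__ == "__main__":
    for c in (1, 5, 6, 7, 10):
        print(c, simulate_ab(10, c))   # 6 of 10 accepted once concurrency >= 6
```

The model stops matching once limit_conn addr 1 is added, since that second check is not simulated.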
3.4 With the policy above (1 request per second, wait queue burst=5) plus a limit of 1 concurrent connection per IP

    limit_conn addr 1;

3.4.1 5 requests at concurrency 1: 5 succeeded, 0 failed; nothing exceeded the limits, so nothing failed

    Server Software:        nginx/1.2.6
    Server Hostname:        210.10.5.189
    Server Port:            80
    Document Path:          /index.jsp/
    Document Length:        168 bytes
    Concurrency Level:      1
    Time taken for tests:   4.025 seconds
    Complete requests:      5
    Failed requests:        0
    Non-2xx responses:      5

3.4.2 5 requests at concurrency 2: 5 succeeded, 0 failed

    Server Software:        nginx/1.2.6
    Server Hostname:        210.10.5.189
    Server Port:            80
    Document Path:          /index.jsp/
    Document Length:        168 bytes
    Concurrency Level:      2
    Time taken for tests:   4.012 seconds
    Complete requests:      5
    Failed requests:        0
    Non-2xx responses:      5

This result was not expected, because it handled 2 concurrent requests every time. It is puzzling, but I will keep testing regardless and come back to it later.

3.4.3 5 requests at concurrency 5: 2 succeeded, 3 failed

    Server Software:        nginx/1.2.6
    Server Hostname:        210.10.5.189
    Server Port:            80
    Document Path:          /index.jsp/
    Document Length:        168 bytes
    Concurrency Level:      5
    Time taken for tests:   4.010 seconds
    Complete requests:      5
    Failed requests:        3
       (Connect: 0, Length: 3, Exceptions: 0)
    Non-2xx responses:      5

This result shows that the concurrency limit limit_conn addr 1 did take effect; otherwise it could not have failed to handle 5 concurrent requests. But it contradicts the concurrency-2 run just before, since by the same logic it should not have handled 2 concurrent requests either. Continuing regardless.

3.4.4 5 requests at concurrency 3: 5 succeeded, 0 failed

    Server Software:        nginx/1.2.6
    Server Hostname:        210.10.5.189
    Server Port:            80
    Document Path:          /index.jsp/
    Document Length:        168 bytes
    Concurrency Level:      3
    Time taken for tests:   4.009 seconds
    Complete requests:      5
    Failed requests:        0
    Non-2xx responses:      5

So concurrency 3 can be handled as well.

3.4.5 5 requests at concurrency 4: 5 succeeded, 0 failed

    Server Software:        nginx/1.2.6
    Server Hostname:        210.10.5.189
    Server Port:            80
    Document Path:          /index.jsp/
    Document Length:        168 bytes
    Concurrency Level:      4
    Time taken for tests:   4.025 seconds
    Complete requests:      5
    Failed requests:        0
    Non-2xx responses:      5

So concurrency 4 can be handled as well.

3.4.6 10 requests at concurrency 4: 6 succeeded, 4 failed

    Server Software:        nginx/1.2.6
    Server Hostname:        210.10.5.189
    Server Port:            80
    Document Path:          /index.jsp/
    Document Length:        168 bytes
    Concurrency Level:      4
    Time taken for tests:   13.057 seconds
    Complete requests:      10
    Failed requests:        4
       (Connect: 0, Length: 4, Exceptions: 0)
    Non-2xx responses:      10

5 requests at concurrency 4 can be handled, but 10 requests at concurrency 4 cannot. Completely baffling! Continuing regardless.

3.4.7 10 requests at concurrency 3: 7 succeeded, 3 failed

    Server Software:        nginx/1.2.6
    Server Hostname:        210.10.5.189
    Server Port:            80
    Document Path:          /index.jsp/
    Document Length:        168 bytes
    Concurrency Level:      3
    Time taken for tests:   11.049 seconds
    Complete requests:      10
    Failed requests:        3
       (Connect: 0, Length: 3, Exceptions: 0)
    Non-2xx responses:      10

3.4.8 10 requests at concurrency 2: 10 succeeded, 0 failed

    Server Software:        nginx/1.2.6
    Server Hostname:        210.10.5.189
    Server Port:            80
    Document Path:          /index.jsp/
    Document Length:        168 bytes
    Concurrency Level:      2
    Time taken for tests:   9.001 seconds
    Complete requests:      10
    Failed requests:        0
    Non-2xx responses:      10

I stopped testing at this point. I have also read other people's test write-ups, and they cannot explain the cause either. In short, the results do not fully match what was planned, but the testing was not meaningless: we at least know that once these policies are configured, access is restricted to some degree, and so they can withstand DDoS attacks to a certain extent.
Original article: http://my.oschina.net/u/555061/blog/508652