Strategy:
1) Use the ngx_http_limit_req_module module to limit the request rate and the number of requests.
Configuration reference: http://nginx.org/en/docs/http/ngx_http_limit_req_module.html#limit_req_zone
2) Use the ngx_http_limit_conn_module module to limit the number of concurrent connections.
Configuration reference: http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html#directives
3) For further strategies, see the official documentation.
The configuration is as follows:
    http {
        limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
        limit_conn_zone $binary_remote_addr zone=addr:10m;

        server {
            listen 80;
            server_name 210.10.5.102;

            location / {
                root html;
                index index.html index.htm;
                limit_req zone=one burst=5;
                limit_conn addr 1;
            }
        }
    }
All other configuration is omitted; only the limit settings added for DDoS protection are discussed here.
A note on the 10m: it is the size of the shared memory zone. The official documentation says that 1m holds about 16 thousand session states, so once the states exceed 160 thousand, new requests are answered with a 503 (One megabyte zone can keep about 16 thousand 64-byte states. If the zone storage is exhausted, the server will return the 503 (Service Temporarily Unavailable) error to all further requests.)
The official documentation also says the following about burst:
Excessive requests are delayed until their number exceeds the maximum burst size in which case the request is terminated with an error 503 (Service Temporarily Unavailable). By default, the maximum burst size is equal to zero.
If delaying of excessive requests while requests are being limited is not desired, the parameter nodelay should be used:
    limit_req zone=one burst=5 nodelay;
One way to understand this: burst is the size of a stack, but even when the stack is full nginx still gives the request one chance of a delay, and the documentation does not say how many ms that delay is. If the policy should not give that "chance", add nodelay as well, and the request is answered with 503 immediately once the stack overflows. I don't know whether this understanding is correct; if something is wrong, I hope someone more knowledgeable will correct me!
Once configured, the following limits apply:
no more than 1 request per second is processed (1r/s),
no more than 5 requests per access (burst=5); more than 5 are answered with 503,
only 1 concurrent connection is allowed per access (addr 1); more than 1 concurrent connection is answered with 503.
3) Testing the configured policies (apache-ab):
3.1 At the start of the tests I have not yet added any policy and am still using the default nginx.conf.default; first check that ab works, then add the policies step by step.
    Server Software:        BWS/1.1
    Server Hostname:        www.baidu.com
    Server Port:            80
    Document Path:          /
    Document Length:        96527 bytes
    Concurrency Level:      10
    Time taken for tests:   1.952 seconds
    Complete requests:      20
    Failed requests:        19
       (Connect: 0, Length: 19, Exceptions: 0)
20 requests in total, 10 concurrent, 19 failed: this shows that Baidu has protection equivalent to burst=1 and addr 1. Baidu's protection is very strong!
3.2 Testing local nginx: 20 requests, 10 concurrent: 20 succeeded, 0 failed
    Server Software:        nginx/1.2.6
    Server Hostname:        210.10.5.189
    Server Port:            80
    Document Path:          /test.html/
    Document Length:        168 bytes
    Concurrency Level:      10
    Time taken for tests:   0.109 seconds
    Complete requests:      20
    Failed requests:        0
3.3 Testing local nginx: 2000 requests, 1000 concurrent: 2000 succeeded, 0 failed
    Server Software:        nginx/1.2.6
    Server Hostname:        210.10.5.189
    Server Port:            80
    Document Path:          /test.html/
    Document Length:        168 bytes
    Concurrency Level:      1000
    Time taken for tests:   12.900 seconds
    Complete requests:      2000
    Failed requests:        0
This shows that local throughput is excellent, and that every request was served.
3.4 Testing local nginx: 200 requests, 100 concurrent: 200 succeeded, 0 failed
    Server Software:        nginx/1.2.6
    Server Hostname:        210.10.5.189
    Server Port:            80
    Document Path:          /index.jsp/
    Document Length:        168 bytes
    Concurrency Level:      100
    Time taken for tests:   0.983 seconds
    Complete requests:      200
    Failed requests:        0
    Non-2xx responses:      200
This test is a JSP page served through a reverse proxy; the static HTML above was served directly by the nginx server. Note that ab counts a non-2xx response as a completed request rather than a failure, so the "Non-2xx responses: 200" line means every JSP response carried a non-2xx status; "0 failed" here only says that every connection was accepted and answered.
3.5 Testing local nginx: 2000 requests, 1000 concurrent: 2000 succeeded, 0 failed
    Server Software:        nginx/1.2.6
    Server Hostname:        210.10.5.189
    Server Port:            80
    Document Path:          /index.jsp/
    Document Length:        168 bytes
    Concurrency Level:      1000
    Time taken for tests:   9.858 seconds
    Complete requests:      2000
    Failed requests:        0
    Non-2xx responses:      2000
This shows that both static and dynamic content are fully served; the result is very good.
3.6 Testing local nginx: 200 requests, is there a difference in processing time between 10 concurrent and 1 concurrent?
    Server Software:        nginx/1.2.6
    Server Hostname:        210.10.5.189
    Server Port:            80
    Document Path:          /index.jsp/
    Document Length:        168 bytes
    Concurrency Level:      10
    Time taken for tests:   1.001 seconds
    Complete requests:      200
    Failed requests:        0
    Non-2xx responses:      200

    Server Software:        nginx/1.2.6
    Server Hostname:        210.10.5.189
    Server Port:            80
    Document Path:          /index.jsp/
    Document Length:        168 bytes
    Concurrency Level:      1
    Time taken for tests:   1.792 seconds
    Complete requests:      200
    Failed requests:        0
    Non-2xx responses:      200
At 1 concurrent the run takes about 1.7 times as long as at 10 concurrent, so there is definitely a difference.
3.7 Policy added: 1 request per second, waiting queue burst=5. Testing local nginx: 10 requests, 1 concurrent: 10 succeeded, 0 failed, but it took 9s+
    limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
    limit_req zone=one burst=5;

    Server Software:        nginx/1.2.6
    Server Hostname:        210.10.5.189
    Server Port:            80
    Document Path:          /index.jsp/
    Document Length:        168 bytes
    Concurrency Level:      1
    Time taken for tests:   9.014 seconds
    Complete requests:      10
    Failed requests:        0
    Non-2xx responses:      10
3.8 Policy added: 1 request per second, waiting queue burst=5. Testing local nginx: 10 requests, 6 concurrent: 6 succeeded, 4 failed
    Server Software:        nginx/1.2.6
    Server Hostname:        210.10.5.189
    Server Port:            80
    Document Path:          /index.jsp/
    Document Length:        168 bytes
    Concurrency Level:      6
    Time taken for tests:   5.019 seconds
    Complete requests:      10
    Failed requests:        4
       (Connect: 0, Length: 4, Exceptions: 0)
burst=5 is in effect; otherwise 6 concurrent requests would not have failed, as they did not before.
3.9 Policy added: 1 request per second, waiting queue burst=5. Testing local nginx: 10 requests, 5 concurrent: 10 succeeded, 0 failed
    Server Software:        nginx/1.2.6
    Server Hostname:        210.10.5.189
    Server Port:            80
    Document Path:          /index.jsp/
    Document Length:        168 bytes
    Concurrency Level:      5
    Time taken for tests:   9.016 seconds
    Complete requests:      10
    Failed requests:        0
    Non-2xx responses:      10
The reason everything succeeded should be burst=5: the queue was not exceeded, in contrast to the failures at 6 concurrent.
3.10 Policy added: 1 request per second, waiting queue burst=5. Testing local nginx: 20 requests, 7 concurrent: 6 succeeded, 4 failed
    Server Software:        nginx/1.2.6
    Server Hostname:        210.10.5.189
    Server Port:            80
    Document Path:          /index.jsp/
    Document Length:        168 bytes
    Concurrency Level:      7
    Time taken for tests:   5.009 seconds
    Complete requests:      10
    Failed requests:        4
       (Connect: 0, Length: 4, Exceptions: 0)
    Non-2xx responses:      10
7 concurrent gives the same result as 6 concurrent, 4 failures in both cases; the result is puzzling.
3.11 Policy added: 1 request per second, waiting queue burst=5. Testing local nginx: 10 requests, 10 concurrent: 6 succeeded, 4 failed
    Server Software:        nginx/1.2.6
    Server Hostname:        210.10.5.189
    Server Port:            80
    Document Path:          /index.jsp/
    Document Length:        168 bytes
    Concurrency Level:      10
    Time taken for tests:   5.023 seconds
    Complete requests:      10
    Failed requests:        4
       (Connect: 0, Length: 4, Exceptions: 0)
    Non-2xx responses:      10
10 concurrent gives the same result as 6 and 7 concurrent: 4 failures.
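The burst/nodelay explanation above and the results of tests 3.7 to 3.11 can be reproduced with a small model of how limit_req accounts for requests. The following is an added example written for this page, not code from the original post or from nginx: it assumes the documented leaky-bucket behaviour (nginx tracks a per-key "excess" in thousandths of a request, adds 1000 per request, drains it at the configured rate, rejects with 503 once the excess exceeds burst, and otherwise delays the request by excess/rate, with the first request for a new key passing immediately), assumes that the backend answers instantly so that only limit_req delays cost time, and models ab as c workers that each send their next request as soon as the previous one completes. The names LimitReqZone and simulate_ab are the example's own. With rate=1r/s and burst=5 it yields exactly the observed pattern: 10 requests at 1 or 5 concurrent all succeed in 9 s, while at 6, 7 or 10 concurrent only 6 succeed and the run ends after 5 s; it also shows what nodelay changes.

```python
import heapq
from dataclasses import dataclass


@dataclass
class LimitReqZone:
    """Per-key state of nginx's limit_req leaky bucket (assumed model).

    nginx keeps the excess in thousandths of a request: rate=1r/s becomes
    1000, burst=5 becomes 5000, and every request adds 1000.
    """
    rate_rps: int
    burst: int
    nodelay: bool = False
    excess: int = 0      # accumulated excess over the allowed rate
    last_ms: int = -1    # time of the last accounted request, -1 = new key

    def check(self, now_ms: int):
        """Return None when the request is rejected (503), otherwise the
        delay in milliseconds before it may proceed (0 = pass at once)."""
        rate = self.rate_rps * 1000
        if self.last_ms < 0:                        # first request for this key
            self.excess, self.last_ms = 0, now_ms
            return 0
        elapsed = now_ms - self.last_ms
        excess = self.excess - rate * elapsed // 1000 + 1000
        excess = max(excess, 0)
        if excess > self.burst * 1000:
            return None                              # bucket full: 503, state untouched
        self.excess, self.last_ms = excess, now_ms
        return 0 if self.nodelay else excess * 1000 // rate


def simulate_ab(n: int, c: int, rate_rps: int = 1, burst: int = 5,
                nodelay: bool = False):
    """Model `ab -n n -c c` from a single client IP.

    c workers each keep one request in flight and send the next one as soon
    as the previous one completes. A 503 comes back immediately and ab
    counts it as a failed (Length) request. The backend is assumed to
    answer instantly. Returns (successful, failed, elapsed_ms).
    """
    zone = LimitReqZone(rate_rps, burst, nodelay)
    events = []        # heap of (completion_time_ms, sequence, worker)
    state = {"sent": 0, "ok": 0, "failed": 0, "seq": 0, "end": 0}

    def dispatch(worker: int, now_ms: int) -> None:
        # Keep sending on this worker until a request is accepted or n is reached.
        while state["sent"] < n:
            state["sent"] += 1
            delay = zone.check(now_ms)
            if delay is None:
                state["failed"] += 1
                state["end"] = max(state["end"], now_ms)
                continue
            state["ok"] += 1
            state["seq"] += 1
            heapq.heappush(events, (now_ms + delay, state["seq"], worker))
            return

    for worker in range(c):                # all c workers fire at t=0
        dispatch(worker, 0)
    while events:
        t, _, worker = heapq.heappop(events)
        state["end"] = max(state["end"], t)
        dispatch(worker, t)
    return state["ok"], state["failed"], state["end"]


if __name__ == "__main__":
    for n, c in [(10, 1), (10, 5), (10, 6), (10, 7), (10, 10)]:
        ok, failed, end = simulate_ab(n, c)
        print(f"ab -n {n} -c {c}: {ok} ok, {failed} failed, {end / 1000:.1f}s")
    print("same with nodelay, -n 10 -c 6:", simulate_ab(10, 6, nodelay=True))
```

The model makes the 6-versus-7-versus-10 puzzle unsurprising: with burst=5 the bucket holds one request that passes at once plus five queued ones (delayed 1 to 5 s), so the seventh and later simultaneous requests are rejected, and a worker whose 503 returns instantly immediately fires the next request into the still-full bucket. With nodelay the same six requests are accepted and the same four rejected, only without the queueing delay, which is why nodelay changes the timing but not the count.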
3.12 Policy added: 1 request per second, waiting queue burst=5, and only 1 concurrent connection allowed per IP. Testing local nginx: 5 requests, 1 concurrent: 5 succeeded, 0 failed, since the limit was not exceeded nothing failed
    limit_conn addr 1;

    Server Software:        nginx/1.2.6
    Server Hostname:        210.10.5.189
    Server Port:            80
    Document Path:          /index.jsp/
    Document Length:        168 bytes
    Concurrency Level:      1
    Time taken for tests:   4.025 seconds
    Complete requests:      5
    Failed requests:        0
    Non-2xx responses:      5
3.13 Policy added: 1 request per second, waiting queue burst=5, and only 1 concurrent connection allowed per IP. Testing local nginx: 5 requests, 2 concurrent: 5 succeeded, 0 failed
    Server Software:        nginx/1.2.6
    Server Hostname:        210.10.5.189
    Server Port:            80
    Document Path:          /index.jsp/
    Document Length:        168 bytes
    Concurrency Level:      2
    Time taken for tests:   4.012 seconds
    Complete requests:      5
    Failed requests:        0
    Non-2xx responses:      5
This result was not expected: in theory it should not be able to handle 2 concurrent connections. This is puzzling, but let's ignore it and keep testing.
3.14 Policy added: 1 request per second, waiting queue burst=5, and only 1 concurrent connection allowed per IP. Testing local nginx: 5 requests, 5 concurrent: 2 succeeded, 3 failed
    Server Software:        nginx/1.2.6
    Server Hostname:        210.10.5.189
    Server Port:            80
    Document Path:          /index.jsp/
    Document Length:        168 bytes
    Concurrency Level:      5
    Time taken for tests:   4.010 seconds
    Complete requests:      5
    Failed requests:        3
       (Connect: 0, Length: 3, Exceptions: 0)
    Non-2xx responses:      5
This result shows that the concurrency limit limit_conn addr 1 is in effect; otherwise it would not have been unable to handle 5 concurrent connections. But it contradicts the 2-concurrent case just before, because in theory it should equally have been unable to handle 2 concurrent connections. Ignore it and keep testing.
3.15 Policy added: 1 request per second, waiting queue burst=5, and only 1 concurrent connection allowed per IP. Testing local nginx: 5 requests, 3 concurrent: 5 succeeded, 0 failed
    Server Software:        nginx/1.2.6
    Server Hostname:        210.10.5.189
    Server Port:            80
    Document Path:          /index.jsp/
    Document Length:        168 bytes
    Concurrency Level:      3
    Time taken for tests:   4.009 seconds
    Complete requests:      5
    Failed requests:        0
    Non-2xx responses:      5
This shows that 3 concurrent connections can also be handled.
3.16 Policy added: 1 request per second, waiting queue burst=5, and only 1 concurrent connection allowed per IP. Testing local nginx: 5 requests, 4 concurrent: 5 succeeded, 0 failed
    Server Software:        nginx/1.2.6
    Server Hostname:        210.10.5.189
    Server Port:            80
    Document Path:          /index.jsp/
    Document Length:        168 bytes
    Concurrency Level:      4
    Time taken for tests:   4.025 seconds
    Complete requests:      5
    Failed requests:        0
    Non-2xx responses:      5
This shows that 4 concurrent connections can also be handled.
3.17 Policy added: 1 request per second, waiting queue burst=5, and only 1 concurrent connection allowed per IP. Testing local nginx: 10 requests, 4 concurrent: 6 succeeded, 4 failed
    Server Software:        nginx/1.2.6
    Server Hostname:        210.10.5.189
    Server Port:            80
    Document Path:          /index.jsp/
    Document Length:        168 bytes
    Concurrency Level:      4
    Time taken for tests:   13.057 seconds
    Complete requests:      10
    Failed requests:        4
       (Connect: 0, Length: 4, Exceptions: 0)
    Non-2xx responses:      10
5 requests at 4 concurrent can be handled, but 10 requests at 4 concurrent cannot? I don't understand. This probably needs a study of the official documentation; it cannot be understood by ordinary reasoning. Ignore it and keep going.
3.18 Policy added: 1 request per second, waiting queue burst=5, and only 1 concurrent connection allowed per IP. Testing local nginx: 10 requests, 3 concurrent: 7 succeeded, 3 failed
    Server Software:        nginx/1.2.6
    Server Hostname:        210.10.5.189
    Server Port:            80
    Document Path:          /index.jsp/
    Document Length:        168 bytes
    Concurrency Level:      3
    Time taken for tests:   11.049 seconds
    Complete requests:      10
    Failed requests:        3
       (Connect: 0, Length: 3, Exceptions: 0)
    Non-2xx responses:      10
With 10 requests, 3 concurrent fails 3 and 4 concurrent fails 4.
3.19 Policy added: 1 request per second, waiting queue burst=5, and only 1 concurrent connection allowed per IP. Testing local nginx: 10 requests, 2 concurrent: 10 succeeded, 0 failed
    Server Software:        nginx/1.2.6
    Server Hostname:        210.10.5.189
    Server Port:            80
    Document Path:          /index.jsp/
    Document Length:        168 bytes
    Concurrency Level:      2
    Time taken for tests:   9.001 seconds
    Complete requests:      10
    Failed requests:        0
    Non-2xx responses:      10
With 10 requests, 3 concurrent fails 3, 4 concurrent fails 4, and 2 concurrent does not fail. I stopped testing at this point. I have also read other people's test write-ups, and they cannot explain the cause either. In short, the results do not fully match what was planned, but the tests are not without value: at least once the policies are configured, access is limited to some degree, so DDoS attacks can be resisted to a certain extent.