'$ host: $ server_port "$ request" $ status $ body_bytes_sent' Log_format timed '$ remote_addr - $ remote_user ' For the convenience of analysis, you need to add the $ request_time parameter to the nginx log format (sorry, I don’t have an option with apache), and log requests to the application server in a separate file: In fact, not only DDoS attacks can lead to site failure, but also other reasons associated with mistakes by developers and system administrators. It is these requests that become targets for attacks, since, unlike static requests, application servers when generating dynamic content require several orders of magnitude more limited system resources, which is what attackers use.Īs trite as it sounds, in order to defend against an attack, it must first be identified.
The web server (nginx, apache, etc.), as a rule, independently provides static files (images, styles, scripts), and proxies requests for dynamic content to the application server (php-fpm, nodejs, etc.) ). But we, from a practical point of view, need to separate these two cases. From a network protocol perspective, both are application layer attacks. Layer 7 attacks on sites include attacks on the web server layer (nginx, apache, etc.) and attacks on the application server layer (php-fpm, nodejs, etc.), which is usually located behind the proxy server (nginx, apache, etc.). How this happens, and how you can protect yourself from it, I will consider in this post. Unlike attacks at other tiers, where a powerful stream of network traffic must be set up to fail a site, attacks at tier 7 can proceed without exceeding the normal level of network traffic. Layer 7 DDoS attacks (application layer) are the easiest way to disable a website and harm your business.