The server cannot complete the connection, and the queue for connecting to it overflows. Errors occur, which are recorded in the system log. The beginning of a DDoS can be tracked by entries in log files. Pay attention to three indicators: traffic volume; server response time; number of errors. When using nginx, you need to analyze the values in the request_time and upstream_response_time parameters. The “request_time” indicator reflects the time the server spent on executing the request, including delays in data transfer. “Upstream response” is the speed of request processing by the backend (php-fpm, uwsgi, etc.). The parameter is important when analyzing errors on sites with dynamic content and communication between the user part of the resource and the database. The log format can be represented by the following config:

    log_format xakep_log '$remote_addr - $remote_user [$time_local] '
                         '"$request" $status $body_bytes_sent '
                         '"$http_referer" "$http_user_agent" '
                         '$request_time $upstream_response_time';

The config has a combined format with added timing fields.

#5. Set up timeouts in nginx

The server may spend too much time processing each request from bots.
In order for the hosting machine to be able to break the connection with a zombie network participant in time and move on to work with the next user, thereby freeing the connection queue from illegitimate traffic, it is necessary to set a time limit for processing one request. The amount of time the server spends on each task in normal mode (when there is no traffic growth) can be considered normal. If you set the correct timeouts in the nginx settings (the minimum time in which a legitimate request is processed), messages from the botnet will be filtered out.
Nginx parameters that need editing:
reset_timedout_connection on frees the server from hanging sockets in the FIN-WAIT phase;
client_header_timeout sets the time limit for reading headers in client messages;
client_body_timeout helps to set the time for reading the client request body;
keepalive_timeout specifies the timeout during which the keep-alive connection with the client will not be closed by the server;
send_timeout limits the time for transmitting a response to the client (the connection is broken if the client does not accept the response).
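
To pick those timeouts and to spot the start of an attack, the three indicators named earlier (traffic volume, response time, number of errors) can be read straight from entries written in the xakep_log format. The script below is an added example, not code from the original article: the function names, the sample entries, the choice to count 5xx statuses as errors and the 3x threshold are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# One entry in the xakep_log format: combined fields plus the two timings.
LINE_RE = re.compile(
    r'(?P<addr>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)" '
    r'(?P<rt>[\d.]+) (?P<urt>[\d.,: -]+)$')
# Constructed sample entries (documentation-range addresses), not real traffic.
SAMPLE = """\
192.0.2.10 - - [10/Mar/2024:12:00:05 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 0.120 0.100
192.0.2.11 - - [10/Mar/2024:12:00:40 +0000] "GET /img.png HTTP/1.1" 200 900 "-" "Mozilla/5.0" 0.010 -
198.51.100.1 - - [10/Mar/2024:12:01:01 +0000] "GET /search?q=a HTTP/1.1" 502 150 "-" "bot" 3.000 2.900, 0.050
198.51.100.2 - - [10/Mar/2024:12:01:02 +0000] "GET /search?q=b HTTP/1.1" 504 150 "-" "bot" 5.000 5.000
203.0.113.7 - - [10/Mar/2024:12:01:30 +0000] "GET /search?q=c HTTP/1.1" 200 800 "-" "bot" 1.000 0.950
""".splitlines()

def upstream_seconds(field):
    """Sum $upstream_response_time; '-' is no upstream, ', ' or ' : ' separate several."""
    return sum(float(p) for p in re.split(r'[\s,:]+', field) if p not in ('', '-'))

def per_minute(lines):
    """Per-minute request count, 5xx count and average timings."""
    acc = defaultdict(lambda: [0, 0, 0.0, 0.0])  # requests, errors, rt, urt
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an xakep_log entry
        ts = datetime.strptime(m['time'], '%d/%b/%Y:%H:%M:%S %z')
        a = acc[ts.strftime('%Y-%m-%d %H:%M')]
        a[0] += 1
        a[1] += m['status'].startswith('5')  # assumption: "errors" = 5xx
        a[2] += float(m['rt'])
        a[3] += upstream_seconds(m['urt'])
    return {k: {'requests': n, 'errors': e, 'avg_request_time': rt / n,
                'avg_upstream_time': urt / n}
            for k, (n, e, rt, urt) in sorted(acc.items())}

def suspicious(stats, baseline, factor=3.0):
    """Minutes whose volume, latency or errors exceed factor x the baseline minute."""
    base = stats[baseline]
    return [k for k, s in stats.items() if k != baseline and (
        s['requests'] > factor * base['requests']
        or s['avg_request_time'] > factor * base['avg_request_time']
        or s['errors'] > factor * max(base['errors'], 1))]

if __name__ == '__main__':
    print(suspicious(per_minute(SAMPLE), '2024-03-10 12:00'))
```

The average request time measured during a quiet period is the figure to compare against when choosing the timeout values for the directives listed above.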