Nginx is not able to withstand with pwnloris DoS attack (CVE-2007-6750 and CVE-2012-5568)

[shwetajadhav2010@…]

We use nginx in our product.
We used pwnloris script for CVE-2007-6750 and CVE-2012-5568 with nginx/web server as a target.

Pwnloris script downloaded from here: ​https://github.com/h0ussni/pwnloris.
After running pwnloris script, nginx/web server went down and we are not able to access web server from any client/user.

[Maxim Dounin]

To protect from DoS attacks, consider configuring nginx appropriately. In particular, Slowloris-type attacks can be effectively mitigated by:

• Configuring nginx to be able to handle more connections, specifically with more ​worker_connections and larger number of ​worker_processes. Note that this might also require OS tuning.
• Configuring smaller client-related timeouts, notably ​client_header_timeout, ​client_body_timeout, ​send_timeout.

Additionally, you might also consider:

• Limiting request rates with ​limit_req.
• Limiting number of connections with active requests with ​limit_conn.
• Using ​reset_timedout_connection to ensure faster closing of connections with misbehaving clients.
• Configuration limits on the number of open connections externally to nginx (e.g., on your firewall).

Hope this helps.

[shwetajadhav2010@…]

Can these settings cause any performance hamper? If yes, small or big?
Can you please share all the known attacks & corresponding nginx settings for them?

[shwetajadhav2010@…]

Can these settings cause any performance hamper? If yes, small or big?
Can you please share all the known attacks & corresponding nginx settings for them?

[Maxim Dounin]

If you need help with configuring nginx, please use ​support options available.

[shwetajadhav2010@…]

As per the suggestions, we have tried nginx directives but still we are able to reproduce DoS attack (Script used for DoS attack: ​https://github.com/h0ussni/pwnloris)

Below are the settings which we have implemented and tested:

# Set a limit for the number of connections from a single IP
limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
limit_conn conn_limit_per_ip 20;

# Set a limit for the number of connections in total
limit_conn_zone $server_name zone=conn_limit_total:10m;
limit_conn conn_limit_total 100;

# Limit the number of simultaneous connections from a single IP
# Note: In HTTP/2 and HTTP/3, each concurrent request is considered a separate connection.
limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=30r/s;
limit_req zone=req_limit_per_ip burst=50 nodelay;

# Set a timeout for entire client connection
keepalive_timeout 65;

# To save from Slowloris set small timeout
client_body_timeout 10s;
client_header_timeout 10s;

# enables resetting timed out connections and connections closed with the non-standard code 444
reset_timedout_connection on


events {

# try with both multiple accept on and off
# multi_accept on;
worker_connections 1024;

}

Kindly provide solution for this issue.

[Maxim Dounin]

The particular script creates requests with incomplete headers. As such, the client_header_timeout apply. More advanced limits, such as limit_req and limit_conn, won't work for the particular attack, as they only limit requests with fully read headers.

With worker_connections 1024;, client_header_timeout 10s;, and just one worker process (which is the default), it would be possible to DoS nginx as long as the client is able to open at least 1024 connections in total, and is able to open 100 new connections per second. As such, to withstand the particular DoS, you should increase worker_connections, and/or reduce client_header_timeout, and/or add more worker processes, and/or introduce external connection limits (either on total number of connections or on connection establishment rate).

As previously suggested, if you need help with configuring nginx, please use ​​support options available.

[Maxim Dounin]

Please avoid reopening tickets without providing an explanation why you are doing it. Thank you.