IP Behavior

IP Behavior Module

Synopsis

The IP behavior module monitors users' access behavior towards a server. It is mainly used together with other security features such as conditional limit_req and robot mitigation, so that SEnginx can detect and take action against L7 DDoS attacks or scanning.
At the current stage, this feature only supports sensitive URL access detection; other kinds of access behavior detection will be implemented in the future.

This feature is available since version 1.5.10.

Directives

ip_behavior_zone

Syntax: ip_behavior_zone zone=name:size sample_base=times sample_cycle=cycle;
Default: none
Context: http

This directive defines an IP behavior zone and takes 3 parameters:

  • zone=name:size, where name is the zone's name and size is the amount of shared memory the zone uses, given with a unit suffix such as k or m;
  • sample_base=times, specifies the number of requests needed for a valid sample; times must be an unsigned integer;
  • sample_cycle=cycle, specifies the sampling cycle; the unit can be s (seconds) or m (minutes).

Requests are counted towards sample_base as long as the time interval between the current request and the previous one is less than sample_cycle. If the interval between the current and the previous request exceeds sample_cycle, the count starts anew.
Example:

ip_behavior_zone zone=abc:10m sample_base=10 sample_cycle=2s;

This defines a 10MB zone with a sample cycle of two seconds and a minimum of 10 requests for a valid sample.


ip_behavior

Syntax: ip_behavior zone=name type=type;
Default: none
Context: server

Enables an IP behavior zone in a server. This directive takes the following parameters:

  • zone=name, specifies which zone to use;
  • type=type, specifies the mode; currently only sensitive_url is supported.


Example:

server {
    ip_behavior zone=abc type=sensitive_url;
}

This enables zone abc on the server and sets the mode to sensitive URL access behavior detection.

ip_behavior_sensitive

Syntax: ip_behavior_sensitive;
Default: none
Context: location

Marks a location as sensitive. If a location is defined as sensitive, all resources under it are treated as sensitive.
Example:

server {
    location ~* .*\.php {
        ip_behavior_sensitive;
        
        ...
    }
}

This marks PHP files as sensitive resources, because PHP files are a common target of L7 DDoS attacks.

Variables

$insensitive_percent

The percentage of requests for insensitive resources out of all requests. The value is calculated per IP address and can be used in the ifany, ifall and if directives. It is usually used to set the limit_req module's condition parameter.
Note: $insensitive_percent is equal to -1 as long as the minimum request number (sample_base) has not been reached (see ip_behavior_zone).
For example:

ifall ($insensitive_percent >= 0) ($insensitive_percent < 30) {
    set $cond 1;
}
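To make the sampling rules and the -1 edge case concrete, here is an added Python model (not SEnginx's own code) of how a zone with sample_base=10 and sample_cycle=2s yields $insensitive_percent per client IP, and how the ifall condition above turns it into $cond. It assumes the percentage is taken over the requests counted in the current sample and truncated to an integer; the client addresses and URIs in the demo are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Mirrors the page's `location ~* .*\.php` (case-insensitive, unanchored) regex.
SENSITIVE_RE = re.compile(r".*\.php", re.IGNORECASE)

@dataclass
class ClientSample:
    last_ts: Optional[float] = None  # timestamp of the previous request
    total: int = 0                   # requests counted in the current sample
    insensitive: int = 0             # of which hit non-sensitive locations

@dataclass
class IpBehaviorZone:
    sample_base: int      # ip_behavior_zone sample_base=
    sample_cycle: float   # ip_behavior_zone sample_cycle= (in seconds)
    clients: Dict[str, ClientSample] = field(default_factory=dict)

    def record(self, ip: str, uri: str, ts: float) -> int:
        """Count one request and return $insensitive_percent for this IP."""
        c = self.clients.setdefault(ip, ClientSample())
        # A gap longer than sample_cycle since the previous request starts
        # the count anew, as described under ip_behavior_zone.
        if c.last_ts is not None and ts - c.last_ts > self.sample_cycle:
            c.total, c.insensitive = 0, 0
        c.last_ts = ts
        c.total += 1
        if not SENSITIVE_RE.search(uri.split("?", 1)[0]):
            c.insensitive += 1
        return self.insensitive_percent(ip)

    def insensitive_percent(self, ip: str) -> int:
        c = self.clients.get(ip)
        if c is None or c.total < self.sample_base:
            return -1  # sample_base not reached: the variable is -1
        # Integer percentage; truncation is an assumption of this model.
        return c.insensitive * 100 // c.total

def cond_from_percent(percent: int, threshold: int = 30) -> int:
    """ifall ($insensitive_percent >= 0) ($insensitive_percent < threshold) { set $cond 1; }"""
    return 1 if 0 <= percent < threshold else 0

if __name__ == "__main__":
    zone = IpBehaviorZone(sample_base=10, sample_cycle=2.0)
    # Constructed trace: ten PHP requests from one client within one cycle.
    for i in range(10):
        pct = zone.record("198.51.100.7", "/login.php", 0.1 * i)
    print("insensitive_percent =", pct, "cond =", cond_from_percent(pct))  # 0, 1
```

A client that only fetches static files ends up with a high percentage and $cond stays 0, so only clients concentrating on sensitive URLs are handed to limit_req.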

Configuration Example

Working with the conditional limit_req module

http {
    ...
    limit_req_zone $binary_remote_addr zone=cc:10m rate=1r/s;
    ip_behavior_zone zone=abc:10m sample_base=10 sample_cycle=2s;
    ...

    server {
        ...
        ip_behavior zone=abc type=sensitive_url;
        ...

        location ~ /.*\.php {
            limit_req zone=cc burst=1 condition=$cond;
            ip_behavior_sensitive;

            ifall ($insensitive_percent >= 0) ($insensitive_percent < 5) {
                set $cond 1;
            }

            fastcgi_pass 127.0.0.1:9000;
            ...
        }

        location / {
            root html/;
        }
    }
}

Only IP addresses that access a lot of sensitive resources are rate-limited.

Working with the robot mitigation module

http {
    ...
    ip_behavior_zone zone=abc:10m sample_base=10 sample_cycle=2s;
    ...

    server {
        ...
        ip_behavior zone=abc type=sensitive_url;
        ...

        location ~ /.*\.php {
            ip_behavior_sensitive;

            ifall ($insensitive_percent >= 0) ($insensitive_percent < 5) {
                return 599;
            }

            fastcgi_pass 127.0.0.1:9000;
            ...
        }

        location @process {
            ns_layer_force_run;

            robot_mitigation on;
            robot_mitigation_blacklist 10;

            fastcgi_pass 127.0.0.1:9000;
            ...
        }

        error_page 599 = @process;
    }
}

This challenges IP addresses that access a lot of sensitive URLs in a short time; an address is added to the IP blacklist if it fails the challenge 10 times.

Working with the conditional limit_req and robot mitigation modules

http {
    ...

    limit_req_zone $binary_remote_addr zone=cc:10m rate=5r/s;
    limit_req_zone $binary_remote_addr zone=total:10m rate=30r/s;
    ip_behavior_zone zone=abc:10m sample_base=10 sample_cycle=1s;

    server {
        ...
        ip_behavior zone=abc type=sensitive_url;

        location / {
            root html/;
        }

        ...

        location ~* .*\.php {
            limit_req zone=cc burst=1 forbid_action=@process condition=$cond;
            limit_req zone=total burst=5;

            ip_behavior_sensitive;

            ifall ($insensitive_percent >= 0) ($insensitive_percent < 30) {
                set $cond 1;
            }

            fastcgi_pass 127.0.0.1:9000;
            ...
        }

        location @process {
            ns_layer_force_run;

            robot_mitigation on;
            robot_mitigation_mode js;

            fastcgi_pass 127.0.0.1:9000;
            ...
        }
    }
}

This challenges the IP address by using limit_req's forbid_action: requests that exceed the cc zone's rate while $cond is set are sent to @process for robot mitigation, while the total zone limits all PHP requests unconditionally.