How best to thwart DDoS bots that make requests to rewritten version of domain (nginx)?

Discussion in 'Installation/Configuration' started by cbj4074, Feb 9, 2017.

  1. cbj4074

    cbj4074 Member

    I have a persistent DDoS scenario in which bots are making requests (POST requests, in particular) to the / route at a given domain.

    Up until recently, the bots were attacking the "preferred" version of the domain, with the www subdomain, e.g., www.domain.tld, but when I added nginx rules to stifle that activity, they began doing the same to the non-www version of the domain.

    This is what I had put in place to prevent excessive logging and wasteful POST requests to a URL that doesn't do anything with them:

      location = / {
         access_log off;
         error_log off;
         limit_except GET {
           deny  all;
    It seems the problem now is that no part of the above snippet is relevant when the request is made to the www version of the domain.

    For whatever reason, nginx seems to log requests to the / route prior to processing the rewrite directive that ISPConfig puts in place when the * => domain.tld option is selected in the Site's Redirect -> SEO Redirect dropdown menu.

    The resultant nginx directives look like this, in the effective vhost file that ISPConfig generates:

      server_name domain.tld *.domain.tld;
      root  /var/www/domain.tld/web/;
      if ($http_host != "www.domain.tld") {
      rewrite ^ $scheme://www.domain.tld$request_uri? permanent;
    Given the constraints that ISPConfig places upon the nginx config (specifically, the fact that the Options -> nginx Directives input content is placed after everything else), what might I do to mitigate this abusive bot behavior, given the aforementioned?

    Any suggestions would be greatly appreciated!
    Last edited: Feb 9, 2017

Share This Page