
In nginx, to drop a connection I can return 444; however, there is a problem with that IMO. It seems that 444 doesn't silently drop the connection, but actually closes it gracefully; as a result, the tools that all these spammers use will rapidly retry the request:

```
149.56.28.239 - - [22/Sep/2016:20:33:18 +0200] "PROPFIND /webdav/ HTTP/1.1" 444 0 "-" "WEBDAV Client"
149.56.28.239 - - [22/Sep/2016:20:33:18 +0200] "PROPFIND /webdav/ HTTP/1.1" 444 0 "-" "WEBDAV Client"
```

Is there a way to abort TCP (not gracefully, as if my server was suddenly unplugged from the net) so that on the requester end it would continue waiting? Are there any drawbacks/problems with that, and is that possible with nginx?

To drop requests without a Host header in nginx, you use the following config:

```nginx
server {
    listen      80;
    return      444;
}
```

Is there a way to handle some of these requests, for example if the requested URL matches some regex?

Pavel P
  • I would imagine that you might be able to do something like this with lua? Doesn't look like the default set of directives has anything that would just abort the request. – cnst Jul 27 '17 at 23:53
  • @cnst return 444 was meant to do that according to the nginx docs, but it looks like it actually closes the socket, as there is no such OS API to forget about a TCP socket without notifying the remote in any way. – Pavel P Jul 28 '17 at 00:10
  • Oh, I see — you're right — it produces an empty response (w/o even a header), but does close the TCP connection. If you really want to pursue this, I would imagine, apart from dropping the connection from within nginx, you may also want to add the offending IP addresses to the firewall to have them blocked. The easiest solution would probably be a script that tails the log, and blocks the address. However, realistically, some of these requests are simply folks doing internet research, so, I don't think it necessarily makes sense to blacklist them like that. – cnst Jul 28 '17 at 00:32
  • BTW, as per https://stackoverflow.com/q/46147009/1122270, it might not actually be possible -- it looks like even [tcpdrop(8)](http://mdoc.su/-/tcpdrop.8) sends an `RST` packet when dropping the connection (at least on OpenBSD it does). – cnst Sep 11 '17 at 03:46
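
The comments mention a script that reads the access log. As an added example (not code from the question or its comments), this Python function scans combined-format log lines and reports clients that keep retrying after a 444 within a short window. The function name, the threshold and the window are assumptions, and every sample line beyond the two quoted in the question is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: ip - user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)

# Constructed sample. The first two lines are the entries quoted in the question;
# the rest are made up (192.0.2.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = """\
149.56.28.239 - - [22/Sep/2016:20:33:18 +0200] "PROPFIND /webdav/ HTTP/1.1" 444 0 "-" "WEBDAV Client"
149.56.28.239 - - [22/Sep/2016:20:33:18 +0200] "PROPFIND /webdav/ HTTP/1.1" 444 0 "-" "WEBDAV Client"
149.56.28.239 - - [22/Sep/2016:20:33:19 +0200] "PROPFIND /webdav/ HTTP/1.1" 444 0 "-" "WEBDAV Client"
192.0.2.10 - - [22/Sep/2016:20:33:19 +0200] "GET / HTTP/1.1" 200 612 "-" "curl/7.47.0"
198.51.100.7 - - [22/Sep/2016:20:33:20 +0200] "GET /admin HTTP/1.1" 444 0 "-" "-"
198.51.100.7 - - [22/Sep/2016:20:40:00 +0200] "GET /admin HTTP/1.1" 444 0 "-" "-"
"""


def repeat_444_clients(lines, threshold=3, window=timedelta(seconds=10)):
    """Return {ip: peak number of 444 responses inside one window} for IPs
    whose peak reaches `threshold` (hypothetical defaults)."""
    recent = defaultdict(deque)  # ip -> timestamps of 444s still inside the window
    peak = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("status") != "444":
            continue  # skip malformed lines and requests that were served
        ip = m.group("ip")
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:  # expire hits older than the window
            hits.popleft()
        peak[ip] = max(peak.get(ip, 0), len(hits))
    return {ip: n for ip, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in repeat_444_clients(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} dropped requests within 10 s")
```
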

0 Answers