0

I'm under a DDOS attack right now, and the attacker has his zombies sending POST requests to one of my pages. At first, nginx replies in only a few seconds, but after a while it starts building up; nginx is taking 10 minutes to finish the responses to these requests! But why? I can't understand why. I can't even figure out why I can't stop it.

I've got these set:

    client_header_timeout 5;
    client_body_timeout 5;
    keepalive_timeout 5 30;
    send_timeout 5;

So should it not be timing out after 5 seconds? Why does it continue to 600 seconds or more? Is there a way I can figure out what type of attack this is? Slow header? Slow POST? How can I detect what this attack is and how can I stop it?

It should also be noted that the connections are passing through a load balancer and a Squid Cache reverse proxy, so the only way I can read the clients' true IP is through specific HTTP headers.

Rob

1 Answer

1

It will be hard to figure it out like this; I would suggest a full packet tcpdump of one of the DDoS sources and then analyze what he is doing in Wireshark or some other tool for inspecting captured data.

Hrvoje Špoljar
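An added example (not part of the question or the answer above) of what to look for once one connection's client-to-server segments have been exported from such a capture: nginx documents `client_body_timeout` as applying between two successive read operations rather than to the whole body, so a body trickled with pauses under 5 seconds never trips it. The `X-Forwarded-For` header name, the `SLOW_TOTAL` threshold, the `/form` path and all sample streams are assumptions constructed for illustration.

```python
# Added example: classify one client->server TCP stream taken from a capture.
HEADER_TIMEOUT = 5.0  # client_header_timeout from the question
BODY_TIMEOUT = 5.0    # client_body_timeout from the question
SLOW_TOTAL = 30.0     # assumed: a small form POST should finish well before this

def classify(segments, ip_header=b"x-forwarded-for"):
    """segments: [(seconds, payload_bytes), ...] sent by the client, in order."""
    times = [ts for ts, _ in segments]
    stream = b"".join(data for _, data in segments)
    head, sep, body = stream.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    # First hop listed in the proxy-added header (header name is an assumption).
    client = headers.get(ip_header, b"").split(b",")[0].strip().decode() or None
    duration = times[-1] - times[0]
    max_gap = max((b - a for a, b in zip(times, times[1:])), default=0.0)
    length = headers.get(b"content-length", b"0")
    expected = int(length) if length.isdigit() else 0
    if not sep:
        # Blank line never arrived: the header phase was never completed.
        kind = "slow-headers" if duration >= HEADER_TIMEOUT else "incomplete"
    elif expected and duration > SLOW_TOTAL and max_gap < BODY_TIMEOUT:
        # Every pause is shorter than the per-read timeout, yet the upload drags on.
        kind = "slow-body"
    else:
        kind = "normal"
    return {"kind": kind, "client": client, "duration": duration,
            "max_gap": max_gap, "body": (len(body), expected)}

# Constructed sample streams (documentation IP ranges, hypothetical /form path).
REQ = (b"POST /form HTTP/1.1\r\nHost: example.test\r\n"
       b"X-Forwarded-For: %s\r\nContent-Length: %d\r\n\r\n")
SLOW_POST = [(0.0, REQ % (b"203.0.113.7", 200))] + [(4.0 * i, b"a") for i in range(1, 11)]
NORMAL = [(0.0, REQ % (b"198.51.100.20", 3) + b"a=1")]
SLOW_HEADERS = [(0.0, b"POST /form HTTP/1.1\r\n")] + [
    (3.0 * i, b"X-Pad-%d: x\r\n" % i) for i in range(1, 5)]

if __name__ == "__main__":
    for name, stream in [("slow_post", SLOW_POST), ("normal", NORMAL),
                         ("slow_headers", SLOW_HEADERS)]:
        print(name, classify(stream))
```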