Rate limiting va DDoS protection

1. Rate Limiting — So‘rov tezligini cheklash

Ta’rif:

Rate limiting — bu bir IP-manzil yoki foydalanuvchi tomonidan belgilangan vaqt ichida qilingan so‘rovlar sonini cheklash mexanizmi.

1.1 Maqsadi:

Brute-force hujumlarning oldini olish (masalan, parol taxmin qilish).
API serverni haddan tashqari yuklanishini oldini olish.
DDoS yoki botlar orqali spamni to‘xtatish.

1.2 Misol:

1 IP manzil bir daqiqada faqat 60 ta so‘rov yubora oladi. Aks holda – 429 (Too Many Requests) xatosi qaytariladi.

1.3 Amalga oshirish usullari:

1.3.1 Nginx bilan:

http {
    limit_req_zone $binary_remote_addr zone=api_zone:10m rate=10r/s;

    server {
        location /api/ {
            limit_req zone=api_zone burst=20 nodelay;
            proxy_pass http://backend;
        }
    }
}

Izoh:

10r/s: har bir IP uchun 1 soniyada 10 so‘rovgacha ruxsat.
burst=20: agar so‘rovlar kutilganidan ko‘p bo‘lsa, 20 tasigacha buferda saqlanadi.
nodelay: bufer bo‘lsa ham, so‘rovni kutmasdan yuboradi.

1.3.2 Express.js + `express-rate-limit` bilan:

import rateLimit from "express-rate-limit";

const apiLimiter = rateLimit({
  windowMs: 1 * 60 * 1000, // 1 daqiqa
  max: 100, // 1 daqiqada 100 so‘rovgacha
  message: "Too many requests, please try again later.",
});

app.use("/api/", apiLimiter);

Yaxshi taraflari:

Server resurslari tejaydi
API’ni spamdan himoya qiladi
Foydalanuvchilarga adolatli foydalanish imkonini beradi

2. Nginx + Fail2Ban bilan DDoS va brute-force hujumlardan himoya

Maqsad:

Nginx loglarini kuzatish
Juda ko‘p so‘rov yuborayotgan IP'larni avtomatik bloklash (iptables orqali)

2.1. Nginx konfiguratsiyasi: `nginx.conf` yoki `default.conf` faylida

http {
    # So‘rov tezligini cheklash (Rate limiting)
    limit_req_zone $binary_remote_addr zone=api_zone:10m rate=10r/s;

    # Ulanishlar sonini cheklash
    limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;

    server {
        listen 80;
        server_name yourdomain.uz;

        # Rate limitni faollashtirish
        location /api/ {
            limit_req zone=api_zone burst=20 nodelay;
            limit_conn conn_limit_per_ip 10;

            access_log /var/log/nginx/api_access.log;
            error_log /var/log/nginx/api_error.log;

            proxy_pass http://localhost:3000;
        }
    }
}

2.2. Fail2Ban konfiguratsiyasi:

2.2.1 `jail.local` faylini tahrirlash:

sudo nano /etc/fail2ban/jail.local

[nginx-http-auth]
enabled = true
port = http,https
filter = nginx-http-auth
logpath = /var/log/nginx/error.log
maxretry = 5
findtime = 60
bantime = 600

2.3 Filter fayli yaratish:

sudo nano /etc/fail2ban/filter.d/nginx-http-auth.conf

[Definition]
failregex = no user/password was provided for basic authentication.*client: <HOST>
ignoreregex =

Ishga tushirish:

sudo systemctl restart fail2ban
sudo fail2ban-client status

Bloklangan IP’larni ko‘rish:

sudo fail2ban-client status nginx-http-auth

2 Express.js bilan Rate Limiting + IP block

Maqsad:

IP manzilga asoslangan so‘rov cheklov
Juda ko‘p so‘rov yuborgan IP’ni vaqtincha bloklash

1. Paketlarni o‘rnatish:

npm install express-rate-limit express-ipfilter

`server.ts` yoki `server.js`:

import express from "express";
import rateLimit from "express-rate-limit";
import { IpFilter } from "express-ipfilter";

const app = express();

//  1. So‘rov cheklovchi middleware
const limiter = rateLimit({
  windowMs: 1 * 60 * 1000, // 1 daqiqa
  max: 100, // 1 daqiqada 100 ta so‘rovgacha
  message: "Too many requests from this IP. Try again later.",
});
app.use("/api/", limiter);

//  2. IP block qilish (agar kerakli IP ro‘yxati bo‘lsa)
const blockedIPs = ["192.168.1.123", "203.0.113.45"];
app.use(IpFilter(blockedIPs, { mode: "deny" }));

//  3. API endpoint
app.get("/api/data", (req, res) => {
  res.send("API response");
});

//  4. Serverni ishga tushirish
app.listen(3000, () => {
  console.log("Server running on port 3000");
});

Test:

Brauzer orqali http://localhost:3000/api/data ga 100+ marta murojaat qilsangiz → 429 xato olasiz.
blockedIPs ro‘yxatidagi IP’lardan kirilsa → 403 Forbidden bo‘ladi.

Xulosa:

Narsa	Foydasi
Nginx + Fail2Ban	DDoS va bruteforce hujumlarga tarmoq darajasida javob
Express + rate-limit	API darajasida tezlikni boshqarish va IP’larni cheklash
Tavsiya	Ikkalasini birgalikda ishlatish – eng yaxshi amaliyot

3. DDoS Protection — Tarqatilgan hujumlardan himoya

Ta’rif:

DDoS (Distributed Denial of Service) — bu juda ko‘plab soxta foydalanuvchilar (botlar, viruslangan kompyuterlar) orqali serverga millionlab so‘rovlar yuborib uni ishdan chiqarish hujumi.

Maqsadi:

Hujumchi saytni yoki API’ni vaqtincha ishlamasligini xohlaydi. Hujumlar:

TCP/UDP bo‘yicha bo‘lishi mumkin (tarmoq darajasi)
HTTP so‘rovlar orqali bo‘lishi mumkin (application darajasi)

Qarshi chora-tadbirlar:

3.1. Nginx bilan basic DDoS himoya:

limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
server {
    location / {
        limit_conn conn_limit_per_ip 10;
        limit_req zone=api_zone burst=20 nodelay;
    }
}

limit_conn: bir IP manzil bir vaqtning o‘zida faqat 10 ta TCP ulanish qila oladi.

3.2. Fail2Ban bilan:

SSH, Nginx yoki Apache loglarini kuzatadi.
Noto‘g‘ri urinishlar (xatoliklar) ko‘paygan IP'ni iptables orqali bloklaydi.

3.3. Cloudflare (yoki AWS Shield, GCP Armor) orqali:

DNS darajasida himoya.
IP filtratsiya, geolokatsiya bloklash, captcha va boshqalar.

Eng yaxshi amaliyotlar (Best Practices):

Chora	Nima qiladi
Rate limiting	Foydalanuvchi API’dan haddan tashqari foydalanishini cheklaydi
WAF (Web Application Firewall)	Nojo‘ya so‘rovlar (XSS, SQLi) ni filtrlab tashlaydi
Captcha	Botlarga to‘sqinlik qiladi
Fail2Ban	Shubhali IP’larni avtomatik bloklaydi
Geo-blocking	DDoS ko‘p keladigan mamlakat IP’larini cheklaydi
Cloudflare / CDN	Tarmoq darajasida himoya va keshlash

DDoS va Rate Limit o‘rtasidagi farq:

Xususiyat	Rate Limiting	DDoS Protection
Nima qilinadi	IP-so‘rovlar tezligi cheklanadi	Serverni massoviy hujumlardan himoya
Texnik daraja	Application (HTTP)	Network + Application
Qanday vositalar	Nginx, Express, Redis	Fail2Ban, Cloudflare, WAF, IPTables

Xulosa:

Rate Limiting — foydalanuvchi serverdan haddan tashqari foydalanmasligi uchun cheklov.
DDoS Protection — katta miqdorda soxta so‘rovlar orqali serverni ishdan chiqishiga qarshi himoya.

1. Rate Limiting — So‘rov tezligini cheklash​

Ta’rif:​

1.1 Maqsadi:​

1.2 Misol:​

1.3 Amalga oshirish usullari:​

1.3.1 Nginx bilan:​

Izoh:​

1.3.2 Express.js + express-rate-limit bilan:​

Yaxshi taraflari:​

2. Nginx + Fail2Ban bilan DDoS va brute-force hujumlardan himoya​

Maqsad:​

2.1. Nginx konfiguratsiyasi: nginx.conf yoki default.conf faylida​

2.2. Fail2Ban konfiguratsiyasi:​

2.2.1 jail.local faylini tahrirlash:​

2.3 Filter fayli yaratish:​

Ishga tushirish:​

2 Express.js bilan Rate Limiting + IP block​

Maqsad:​

1. Paketlarni o‘rnatish:​

server.ts yoki server.js:​

Test:​

Xulosa:​

3. DDoS Protection — Tarqatilgan hujumlardan himoya​

Ta’rif:​

Maqsadi:​

Qarshi chora-tadbirlar:​

3.1. Nginx bilan basic DDoS himoya:​

3.2. Fail2Ban bilan:​

3.3. Cloudflare (yoki AWS Shield, GCP Armor) orqali:​

Eng yaxshi amaliyotlar (Best Practices):​

DDoS va Rate Limit o‘rtasidagi farq:​

Xulosa:​

1. Rate Limiting — So‘rov tezligini cheklash

Ta’rif:

1.1 Maqsadi:

1.2 Misol:

1.3 Amalga oshirish usullari:

1.3.1 Nginx bilan:

Izoh:

1.3.2 Express.js + `express-rate-limit` bilan:

Yaxshi taraflari:

2. Nginx + Fail2Ban bilan DDoS va brute-force hujumlardan himoya

Maqsad:

2.1. Nginx konfiguratsiyasi: `nginx.conf` yoki `default.conf` faylida

2.2. Fail2Ban konfiguratsiyasi:

2.2.1 `jail.local` faylini tahrirlash:

2.3 Filter fayli yaratish:

Ishga tushirish:

2 Express.js bilan Rate Limiting + IP block

Maqsad:

1. Paketlarni o‘rnatish:

`server.ts` yoki `server.js`:

Test:

Xulosa:

3. DDoS Protection — Tarqatilgan hujumlardan himoya

Ta’rif:

Maqsadi:

Qarshi chora-tadbirlar:

3.1. Nginx bilan basic DDoS himoya:

3.2. Fail2Ban bilan:

3.3. Cloudflare (yoki AWS Shield, GCP Armor) orqali:

Eng yaxshi amaliyotlar (Best Practices):

DDoS va Rate Limit o‘rtasidagi farq:

Xulosa: