Detections
Analytics

5.2.4 Ensure the number of connections per IP address is limited

Information

NGINX's ngx_http_limit_conn_module provides a mechanism to limit the number of simultaneous connections from a single client IP address. This is achieved in two steps:

 - limit_conn_zone : This directive, typically defined in the http block, creates a shared memory zone to store the state for each client IP address.
 - limit_conn : This directive, applied in a server or location block, enforces a specific connection limit using the previously defined zone.

When a client exceeds this limit, NGINX will reject new connections with a 503 Service Temporarily Unavailable error.

The primary purpose of connection limiting is to mitigate resource exhaustion and certain types of Denial of Service (DoS) attacks where an attacker opens many connections and holds them open for as long as possible. It is a different tool than rate limiting ( limit_req ), which is designed to stop rapid-fire requests (like brute-force attacks). By enforcing a reasonable connection limit, the server can prevent a single malicious or misconfigured client from consuming an unfair share of worker connections.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

First, define a shared memory zone in the http block. Then, apply a carefully considered limit in the server or location context.

Understanding the zone size: The memory usage for the $binary_remote_addr key is fixed ( 64 bytes on a 64-bit system ). Therefore, 1 megabyte of zone memory can store approximately 16,384 states. A 10m zone can store over 160,000 states.

Example Configuration:

http {

 # Define a 10MB zone named 'per_ip' to track connections by IP.
 # $binary_remote_addr is more memory-efficient than $remote_addr.
 limit_conn_zone $binary_remote_addr zone=per_ip:10m;

 server {

 # Apply a general limit of 20 connections per IP for this server.
 # This might be a reasonable starting point for a public site.
 limit_conn per_ip 20;

 # For a resource-intensive download area, apply a stricter limit.
 location /downloads/ {
 limit_conn per_ip 5;
 }
 }
}

Impact:

This is a critical consideration. A single public IP address can represent thousands of individual users behind a large corporate NAT, a university campus, or a Carrier-Grade NAT (CG-NAT) from a mobile provider. Setting the connection limit too low will block legitimate users in these scenarios. The appropriate limit is a delicate balance and depends entirely on the target audience. A public-facing website requires a much higher limit than a restricted admin interface.

See Also

https://workbench.cisecurity.org/benchmarks/18528

Item Details

Category: SYSTEM AND SERVICES ACQUISITION

References: 800-53|SA-3, CSCv7|18.1

Plugin: Unix

Control ID: b864896bf6ecf96ace1fe51f89439df4f2a12ad60ec042141ae9b6086a5ff786