NGINX App Protect DoS Release 2.0

Here you can find the release information for NGINX App Protect DoS v2.0. NGINX App Protect DoS provides behavioral protection against Denial of Service (DoS) for your web applications.

Release 2.0

October 20, 2021

New Features

Protection of gRPC services against application layer Denial of Service attacks:

  • Message flood DoS by gRPC cancellation mechanism - Attacker sends requests to heavy URLs and cancelling those requests by using gRPC cancellation mechanism.
  • Concurrent large requests Attacker supplies a number of concurrent large requests that exceeds the server capacity of concurrent requests.
  • Slow gRPC POST Attacker supplies a number of concurrent slow POST gRPC requests that exceeds the server capacity of concurrent requests.
  • HTTP/2 attack on gRPC service Attacker runs typical DoS HTTP/2 attacks: http flood, slow attacks on gRPC service.

Protection of HTTP/2 services against application layer Denial of Service attacks

Supported Packages

App Protect DoS

CentOS 7.4+ / UBI7
  • app-protect-dos-25+2.0.1-1.el7.ngx.el7.ngx.x86_64.rpm
Debian 10
  • app-protect-dos_25+2.0.1-1~buster_amd64.deb
Ubuntu 18.04
  • app-protect-dos_25+2.0.1-1~bionic_amd64.deb
Ubuntu 20.04
  • app-protect-dos_25+2.0.1-1~focal_amd64.deb

NGINX Plus

  • NGINX Plus R25

Resolved Issues

  • Security log keeps working on removed Protected Objects.

  • Monitoring requests show up in access log.

  • app_protect_dos_name longer than 32 characters creates garbage name in the logs.

  • Created protected objects for the not configured contexts.

  • Wrong reporting of attack status with arbitrator.

  • Wrong impact_rps value in Bad actor expired log message.

  • Rate limit in Access Log should be optional.

Important Notes

  • proxy_request_buffering off is not supported.

  • gRPC and HTTP/2 protection require active monitoring of the protected service. The directive app_protect_dos_monitor is mandatory for these use cases, otherwise, attack will not be detected.

  • gRPC and HTTP/2 protection are available only on Debian 10, Ubuntu 18.04 and Ubuntu 20.04 platforms. For the rest of the platforms, NGINX App Protect DoS does not protect gRPC and HTTP/2 services. The traffic is bypassed.

  • TLS fingerprint feature is not used in CentOS 7.4 due to the old openSSL version. The required openSSL version is 1.1.1 or higher.

  • Slow POST attack always mitigates with block action while other types of attacks can also be mitigated with redirection or JS challenges.

  • New optional configuration parameters of the directive app_protect_dos_monitor to support gRPC and HTTP/2 protocols.

  • Added new fields in Security Log:

    • baseline_dps (datagrams per second) instead of baseline_tps, incoming_datagrams
    • successful_responses instead of successful_transactions
    • unsuccessful_requests instead of unsuccessful_requests_count.
  • In the case of upgrade from previous app-protect-dos version, it’s necessary to remove old nginx-plus and install new app-protect-dos that will install correspondent version of nginx-plus as described in the NGINX App Protect DoS Deployment Guide.


This documentation applies to the following versions of NGINX App Protect DoS: 2.0.