How to block this lightweight DDoS with nginx

I run a movie-related WordPress site with a large database (about 150K posts). On certain days, at peak traffic times, we get hit by a small-scale DDoS that slows the site down massively and sometimes even takes it down for a few minutes.

The DDoS targets our site's search function, which consumes a lot of resources because of the large number of posts.

Since I am not very familiar with nginx regular expressions, I would like to know how to block requests of this pattern (I checked the IPs, but it is obviously a botnet):

 107.xxx.xxx.xxx - - [26/Jan/2015:20:48:24 +0000] "GET /?s=Dog%20Days%20Double%20Dash HTTP/1.1" 200 12921 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firef$
 79.xx.xxx.xxx - - [26/Jan/2015:20:48:29 +0000] "GET /?s=Dog%20Days%27%27 HTTP/1.1" 200 12908 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
 77.xxx.xxx.xx - - [26/Jan/2015:20:48:48 +0000] "GET /?s=DragonBall%20Z%3A%20Movie%206 HTTP/1.1" 200 12921 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
 68.xxx.xxx.xxx - - [26/Jan/2015:20:48:51 +0000] "GET /?s=DragonBall%20Z%3A%20Movie%207 HTTP/1.1" 200 12920 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
 87.1xx.xxx.xxx - - [26/Jan/2015:20:49:02 +0000] "GET /?s=DragonBall%20Z%3A%20Super%20Saiyajin%20Songoku HTTP/1.1" 200 12944 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"

This is obviously an attack, because the search string contains random words with %20 spaces between them. If a user enters a search string with spaces, WordPress replaces them with "+", so it would look like this: "/?s=word1+word2+word3…"

The example I gave is only a snippet of these requests. There are hundreds of them in the access log, sometimes as many as 30 per second. Also, these IPs come from all over the world, while about 90% of our visitors come from German-speaking countries.

I thought I could block on these "%20", because spaces in valid search requests from users are replaced with "+" by WordPress.

Here is another snippet of the access log, with full IPs:

 84.120.1.249 - - [25/Jan/2015:20:21:49 +0000] "GET /?s=Dragon%20Ball%20Z%3A%20Film%2005 HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
 93.116.219.207 - - [25/Jan/2015:20:21:49 +0000] "GET /?s=Dragon%20Ball%20Z%20Movie%207 HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
 77.198.194.177 - - [25/Jan/2015:20:21:49 +0000] "GET /?s=Dragon%20Ball%20Z%20Movie%2004 HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
 220.135.124.201 - - [25/Jan/2015:20:21:49 +0000] "GET /?s=Dragon%20Ball%20Z%20Kai HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
 93.199.176.64 - - [25/Jan/2015:20:21:49 +0000] "GET /?s=Detektiv%20Conan%20Film%202%20Das%2014.%20Ziel HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
 122.117.101.17 - - [25/Jan/2015:20:21:49 +0000] "GET /?s=Dragon%20Ball%20Z%20Movie%2003 HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
 81.48.128.58 - - [25/Jan/2015:20:21:49 +0000] "GET /?s=Dragon%20Ball%20Z%20Movie%207 HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
 94.248.215.168 - - [25/Jan/2015:20:21:49 +0000] "GET /?s=Detektiv%20Conan%20Film%2015%20Die%2015%20Minuten%20der%20Stille HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
 87.97.29.170 - - [25/Jan/2015:20:21:49 +0000] "GET /?s=Dragon%20Ball%20Z%3A%20Dead%20Zone HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
 79.5.183.62 - - [25/Jan/2015:20:21:50 +0000] "GET /?s=Dragon%20Ball%20Z%3A%20Film%2010 HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
 2.8.52.254 - - [25/Jan/2015:20:21:50 +0000] "GET /?s=Dragon%20Ball%20Z%20Movie%208 HTTP/1.1" 499 0 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
 151.32.105.251 - - [25/Jan/2015:20:21:50 +0000] "GET /?s=Detektiv%20Conan%20Film%2015%20Die%2015%20Minuten%20der%20Stille HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
 88.167.158.37 - - [25/Jan/2015:20:21:50 +0000] "GET /?s=Dragon%20Ball%20Z%20Movie%2012 HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
 175.142.209.188 - - [25/Jan/2015:20:21:50 +0000] "GET /?s=Detektiv%20Conan%20Movie%202%3A%20Das%2014.%20Ziel HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
 24.150.82.126 - - [25/Jan/2015:20:21:50 +0000] "GET /?s=Dragon%20Ball%20Z%3A%20Film%2005 HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
 80.99.0.149 - - [25/Jan/2015:20:21:50 +0000] "GET /?s=Dragon%20Ball%20Z%3A%20Dead%20Zone HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
 109.192.242.158 - - [25/Jan/2015:20:21:50 +0000] "GET /?s=Dragon%20Ball%20Z%20Kai HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
 109.61.92.185 - - [25/Jan/2015:20:21:50 +0000] "GET /?s=Dragon%20Ball%20Z%20Movie%208 HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
 109.89.45.188 - - [25/Jan/2015:20:21:50 +0000] "GET /?s=Dragon%20Ball%20Z%20Movie%2012 HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
 188.129.122.30 - - [25/Jan/2015:20:21:50 +0000] "GET /?s=Detektiv%20Conan%20Film%2015%20Die%2015%20Minuten%20der%20Stille HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
 87.218.93.189 - - [25/Jan/2015:20:21:50 +0000] "GET /?s=Dragon%20Ball%20Z%3A%20Film%2004 HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
 178.7.131.219 - - [25/Jan/2015:20:21:50 +0000] "GET /?s=Dragon%20Ball%20Z%3A%20Dead%20Zone HTTP/1.1" 502 383 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"

Okay, I was finally able to block this DDoS simply by adding this to my nginx vhost configuration:

 if ($arg_s ~ %20) { return 403; }
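Before (or instead of) blocking outright, it helps to measure how many search requests match the `%20` pattern versus the `+` form WordPress generates. The script below is an added example, not code from the question or its answer; it applies the same raw-`$arg_s` check to combined-format access-log lines, and the sample lines in it are constructed (documentation IP ranges, not the IPs above).

```python
import re
from collections import Counter

# Combined log format, as in the access-log excerpts above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Raw (still percent-encoded) value of the "s" argument, like nginx's $arg_s.
ARG_S_RE = re.compile(r'[?&]s=([^&\s]*)')

def raw_search_arg(path):
    """Return the undecoded value of ?s=..., or None if this is not a search."""
    m = ARG_S_RE.search(path)
    return m.group(1) if m else None

def classify(path):
    """'encoded' for %20-separated searches (the pattern in the question),
    'form' for the '+'-separated ones WordPress produces, 'other' otherwise."""
    s = raw_search_arg(path)
    if s is None:
        return 'other'
    return 'encoded' if '%20' in s else 'form'

def summarize(log_text):
    """Count requests per class, the peak number of encoded searches in any
    one second, and how many distinct source IPs sent them."""
    by_class, per_second, ips = Counter(), Counter(), set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        kind = classify(m['path'])
        by_class[kind] += 1
        if kind == 'encoded':
            per_second[m['ts']] += 1
            ips.add(m['ip'])
    return {'counts': dict(by_class),
            'peak_per_second': max(per_second.values(), default=0),
            'distinct_ips': len(ips)}

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [25/Jan/2015:20:21:49 +0000] "GET /?s=Dragon%20Ball%20Z%20Kai HTTP/1.1" 502 383 "-" "Mozilla/5.0"
203.0.113.11 - - [25/Jan/2015:20:21:49 +0000] "GET /?s=Dragon%20Ball%20Z%3A%20Film%2005 HTTP/1.1" 502 383 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Jan/2015:20:21:49 +0000] "GET /?s=Dragon%20Ball%20Z%20Movie%207 HTTP/1.1" 502 383 "-" "Mozilla/5.0"
198.51.100.8 - - [25/Jan/2015:20:21:50 +0000] "GET /?s=dragon+ball+z HTTP/1.1" 200 12921 "-" "Mozilla/5.0"
198.51.100.9 - - [25/Jan/2015:20:21:50 +0000] "GET /wp-content/themes/x/style.css HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

if __name__ == '__main__':
    print(summarize(SAMPLE_LOG))
```

A user who types a URL with spaces straight into the address bar also produces `%20`, so a non-zero `form`-to-`encoded` ratio in quiet periods tells you how much legitimate traffic the `return 403` rule would affect.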