Protection against DDOS attacks with random arguments using Nginx

I ran into a new type of botnet. If the old ones hammered only the main page, this one behaves differently: it sends a large number of requests of the form

    GET someurl/?t1555ss5326=5326

where someurl is a PHP script the bot has found on the site. But if the attacked site uses clean (human-readable) URLs, requests carrying query arguments should not occur on it at all. Clean URLs are now the de facto standard, so such requests can safely be cut off, logging the bots' IP addresses along the way. Nginx is very convenient for this thanks to its $is_args variable, which has the value "?" whenever the request URI contains arguments. The basic construction looks like this:

    # $is_args is "?" only when the request URI carries query arguments
    if ($is_args = "?") {
        return 444;   # nginx-specific code: close the connection without a response; 403 also works
    }

Very simple and beautiful, right? Here is what the load average (1-, 5- and 15-minute values) looks like after enabling this protection:

    load average: 1.50, 3.09, 6.96

The current botnet of ~20,000 zombies makes 5-8k simultaneous requests.
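The rule above is deliberately blunt: it drops every request with a query string, which on a real site also hits search forms and other legitimate parameterised requests. As an added example (not from the original post), the script below reads nginx access-log lines in the default "combined" format, applies the same "has arguments" test that $is_args expresses, and additionally matches the bot's characteristic t<digits>ss<digits>=<digits> argument so that repeat offenders can be listed per IP before (or instead of) a blanket block. The log lines, the threshold value and the argument regex are constructed assumptions for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in nginx "combined" log format (documentation IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [12/May/2011:10:00:01 +0400] "GET /index.php?t1555ss5326=5326 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.10 - - [12/May/2011:10:00:01 +0400] "GET /index.php?t9021ss8814=8814 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [12/May/2011:10:00:02 +0400] "GET /about/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.11 - - [12/May/2011:10:00:02 +0400] "GET /index.php?t3312ss0090=90 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.8 - - [12/May/2011:10:00:03 +0400] "GET /news/2011/05/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.10 - - [12/May/2011:10:00:03 +0400] "GET /index.php?t0001ss4444=4444 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.9 - - [12/May/2011:10:00:04 +0400] "GET /search/?q=nginx HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Client IP, request method, request URI and status from a "combined" format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed shape of the botnet's random argument, modelled on the request shown in the post.
RANDOM_ARG_RE = re.compile(r'^t\d+ss\d+=\d+$')


def parse_line(line):
    """Return (ip, uri) for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group('ip'), m.group('uri')


def has_args(uri):
    """Mirror nginx's $is_args: true when the request URI contains a query string."""
    return '?' in uri


def looks_random(uri):
    """True when the whole query string matches the bot's random-argument pattern."""
    return bool(RANDOM_ARG_RE.match(urlsplit(uri).query))


def analyse(log_text, threshold=2):
    """Count per-IP requests with any arguments and with bot-like arguments.

    Returns (args_per_ip, random_per_ip, suspects) where suspects holds the IPs
    that sent at least `threshold` bot-like requests.
    """
    args_per_ip = Counter()
    random_per_ip = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, uri = parsed
        if has_args(uri):
            args_per_ip[ip] += 1
            if looks_random(uri):
                random_per_ip[ip] += 1
    suspects = {ip: n for ip, n in random_per_ip.items() if n >= threshold}
    return args_per_ip, random_per_ip, suspects


if __name__ == '__main__':
    args, rnd, suspects = analyse(SAMPLE_LOG)
    print('requests with arguments per IP:', dict(args))
    print('bot-like requests per IP:     ', dict(rnd))
    print('suspects (>= 2 bot-like hits):', suspects)
```

On the constructed sample the blanket $is_args test flags three IPs, including 198.51.100.9 whose only request is an ordinary search query, while the pattern-plus-threshold view singles out 203.0.113.10 alone. Feeding the real access log through the same function gives a list that can be checked before the addresses are blocked, which is the "logging the bots' IPs" step the post mentions.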