
Nginx optimization and security

$30-250 USD

Completed
Posted over 7 years ago

Paid on delivery
I have CentOS with Nginx installed to work as a reverse proxy. The issue is that Nginx stops responding on the SSL port under huge traffic, even with the traffic dropped.

Example: Nginx is configured to listen on [login to view URL] on ports 80 and 443. In the example below, the Nginx rule drops the connection when the User-Agent is around IE6 (this is an example). When I start a test DDoS attack on this config using UA=IE6 on the HTTP port, the attack is mitigated well and all attack connections drop very fast; you never feel Nginx become slow or anything, no waiting connections or anything else, no issue here. But when I do the same on the SSL port, Nginx stops responding on the SSL port while it still responds on the HTTP port.

When I tried the ss command, it showed that the listen queue is full, while HTTP uses the same backlog size (511):

    LISTEN 512 511 [login to view URL]

I tried to use backlog in the Nginx listen directive and increased the backlog to 50000 (less than [login to view URL]), but after the attack starts, the queue is full in less than 30 seconds. The number of IPs used to test the attack is around 10000.

I found that Nginx stops responding on the SSL port because the listen backlog is full on the SSL port, while it can respond on HTTP because that one is not full yet. But I don't understand: I used the same config and the same rules in the server block to drop connections on a special rule. Normally Nginx should drop the connection on both the HTTP and SSL ports, but on the SSL port it keeps the connection as CLOSE_WAIT or LAST_ACK.

Example of conf:

    server {
        listen [login to view URL];
        server_name [login to view URL];
        location / {
            if ($http_user_agent ~* "IE6" ) {
                return 444;
            }
            return 200 "default page";
            add_header Content-Type text/html;
        }
    }
    server {
        listen [login to view URL] ssl;
        server_name [login to view URL];
        ssl_certificate [login to view URL];
        ssl_certificate_key [login to view URL];
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
        ssl_session_cache shared:SSL:500m;
        ssl_session_timeout 10m;
        location / {
            if ($http_user_agent ~* "IE6" ) {
                return 444;
            }
            return 200 "default page";
            add_header Content-Type text/html;
        }
    }

Example of [login to view URL]:

    net.ipv4.ip_local_port_range = 18000 65535
    net.ipv4.tcp_max_syn_backlog = 65535
    net.ipv4.tcp_syncookies = 1
    net.ipv4.tcp_window_scaling = 1
    net.ipv4.tcp_timestamps = 1
    net.ipv4.tcp_no_metrics_save = 1
    net.ipv4.tcp_moderate_rcvbuf = 1
    [login to view URL] = 65535
    net.core.netdev_max_backlog = 65535
    # net.nf_conntrack_max = 500000
    net.netfilter.nf_conntrack_max = 500000
    net.netfilter.nf_conntrack_tcp_timeout_established = 900
    net.netfilter.nf_conntrack_generic_timeout = 30
    net.netfilter.nf_conntrack_tcp_timeout_close = 30
    net.netfilter.nf_conntrack_tcp_timeout_close_wait = 30
    net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 30
    net.netfilter.nf_conntrack_tcp_timeout_last_ack = 30
    net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 30
    net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 30
    net.netfilter.nf_conntrack_tcp_timeout_time_wait = 30
    # net.ipv4.tcp_max_tw_buckets = 500000
    net.ipv4.tcp_tw_recycle = 1
    net.ipv4.tcp_tw_reuse = 1
    net.ipv4.tcp_rfc1337 = 1
    net.ipv4.tcp_syn_retries = 1
    net.ipv4.tcp_synack_retries = 1
    # net.ipv4.tcp_slow_start_after_idle = 0
    net.ipv4.tcp_fin_timeout = 30
    net.ipv4.tcp_keepalive_time = 30
    net.ipv4.tcp_keepalive_intvl = 30
    net.ipv4.tcp_keepalive_probes = 30
    # net.core.rmem_max = 33554432
    net.core.wmem_max = 33554432
    net.ipv4.tcp_rmem = 10240 87380 33554432
    net.ipv4.tcp_wmem = 10240 87380 33554432

Please don't make an offer if you are a newbie with Nginx; I need professional experts. I don't need those who search Google for Nginx config. I need professional advice. I need someone to solve this issue and help me configure Nginx to work as a reverse proxy and serve 1000 websites.
Project ID: 12725788
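The listen-queue check the post describes (Recv-Q against the backlog in `ss` output), as an added example that is not part of the original post: it parses `ss -tan` style output, flags listening sockets whose accept queue has reached its limit, and counts CLOSE-WAIT and LAST-ACK sockets per local port. The sample rows and addresses are constructed placeholders, and the function names are hypothetical.

```python
"""Flag saturated listen queues and count half-closed sockets per port."""
from collections import Counter, defaultdict

# Constructed sample in the column layout of `ss -tan`; addresses are
# documentation-range placeholders, not values from the post.
SAMPLE_SS = """\
State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN     0      511    192.0.2.10:80       *:*
LISTEN     512    511    192.0.2.10:443      *:*
CLOSE-WAIT 1      0      192.0.2.10:443      198.51.100.7:40112
CLOSE-WAIT 1      0      192.0.2.10:443      198.51.100.8:40113
LAST-ACK   0      1      192.0.2.10:443      198.51.100.9:40114
ESTAB      0      0      192.0.2.10:80       198.51.100.7:40200
"""

def parse_ss(text):
    """Yield (state, recv_q, send_q, local_port) for each socket row."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[1].isdigit():
            continue  # header or malformed row
        port = fields[3].rsplit(":", 1)[-1]  # also handles [::]:443
        yield fields[0], int(fields[1]), int(fields[2]), port

def full_listen_queues(text):
    """For LISTEN rows, Recv-Q is the current accept queue and Send-Q the
    backlog limit; a socket is saturated once Recv-Q reaches the limit."""
    return {port: (rq, sq) for state, rq, sq, port in parse_ss(text)
            if state == "LISTEN" and sq > 0 and rq >= sq}

def half_closed_by_port(text):
    """Count CLOSE-WAIT and LAST-ACK sockets per local port."""
    counts = defaultdict(Counter)
    for state, _, _, port in parse_ss(text):
        if state in ("CLOSE-WAIT", "LAST-ACK"):
            counts[port][state] += 1
    return {p: dict(c) for p, c in counts.items()}

if __name__ == "__main__":
    for port, (rq, sq) in full_listen_queues(SAMPLE_SS).items():
        print(f"port {port}: accept queue {rq}/{sq} is full")
    print(half_closed_by_port(SAMPLE_SS))
```

On a live host the same functions can be fed the captured output of `ss -tan` instead of the constructed sample.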

About the project

7 proposals
Remote project
Active 7 years ago

Awarded to:
Hello, thank you for inviting me to your project. I currently work in a datacenter as a Linux server administrator, so I believe my skills are quite enough to solve your problem. Any kind of Linux work is my daily routine. I have done the same kind of projects before; please see my reviews to understand my knowledge level. As a member of the "Preferred Freelancer" program, I can guarantee that your task will be completed in the shortest time.
$55 USD in 3 days
5.0 (95 reviews)
5.7
7 freelancers are bidding on average $142 USD for this job
Does your server have any control panel on board? I'm looking forward to your response. Thank you.
$110 USD in 1 day
5.0 (131 reviews)
6.2
Hi, I have 15 years of experience in Linux systems and have worked with various flavours like CentOS, Ubuntu, Debian and Suse. I have extensive knowledge of Apache, Nginx, HAProxy, Varnish etc. I can work with you to solve your issue and help you achieve what you want.
$250 USD in 3 days
5.0 (59 reviews)
6.0
Hi, can you provide me access to the server so I can check the logs?
$50 USD in 3 days
5.0 (108 reviews)
5.6

About the client

London, United Kingdom
5.0
5
Payment method verified
Member since Jan 8, 2017
