On Mon, 2010-07-19 at 22:43 +0530, Nilesh Govindarajan wrote:
> Hi, can someone tell me how to use IPTables to prevent DDoS attacks? I'm sure IPTables has the relevant modules (limit, recent I think) after reading some docs, but still in doubt about its implementation.
I realize I am late to the party, but I use something like the following to deal with DDoS attacks:

    #!/bin/sh
    # Every pass: show the current blocks, sample 10000 SYNs to port 80, block
    # any source that sent more than 100 of them, then remove blocks whose
    # counters stayed at zero for the last 10 seconds.
    while true; do
        clear
        echo "Current blocked hosts: "
        echo
        iptables -vnL INPUT | grep 'tcp dpt:80' | awk '{print $8}'
        # 'tcp[13] & 2 = 2' keeps only packets with the SYN flag set;
        # field 3 of tcpdump's output is src.ip.port, cut strips the port
        for i in $(tcpdump -i eth0 -nn -l -p -s0 -c 10000 dst host 192.168.100.68 and port 80 and 'tcp[13] & 2 = 2' 2>/dev/null \
                | awk '{print $3}' | cut -d. -f1-4 \
                | sort -t. -n -k1,1 -k2,2 -k3,3 -k4,4 | uniq -c | sort -n \
                | awk '$1 > 100 {print $2}'); do
            # fixed-string match on "-s a.b.c.d/32" so 1.2.3.4 does not also match 1.2.3.40
            if ! iptables-save | grep -qF -- "-s $i/32"; then
                echo "Adding block for ip $i"
                iptables -I INPUT -s "$i" -p tcp -m tcp --dport 80 -j DROP
            fi
        done
        iptables -Z INPUT   # zero the counters, then see which blocks stay idle
        sleep 10
        for ip in $(iptables -vnL INPUT | grep 'tcp dpt:80' | awk '$1 == 0 {print $8}'); do
            echo "Deleting block on ip $ip"
            iptables -D INPUT -s "$ip" -p tcp -m tcp --dport 80 -j DROP
        done
    done

Obviously you have to tweak the tcpdump parameters to fit the attack, but it's also self-healing. Once a host stops hitting the server the DROP rule is removed. It's more complex and only semi-automatic, but when configured properly you can safely drop it in a screen session and set it and forget it.

Cheers,
Greg
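Added example (my own, not Greg's script and not something posted to the list): it isolates the per-source SYN counting step of the pipeline above into a function that can be exercised offline on constructed tcpdump lines, and adds a generator for the `-m recent` rules the original question asked about, which do the same per-source SYN rate limiting inside the kernel without tcpdump. The source addresses, the 192.0.2.8 server address, the chain name SYNLIMIT and the list name synflood are all constructed or assumed for the example.

```shell
#!/bin/sh
# Added example, not code from the list thread. Requires only sh, awk, sort,
# uniq and cut to run; the iptables rules are printed, not applied.

# emit_syns SRC_IP COUNT: print COUNT constructed lines in the shape of
# `tcpdump -nn` output for SYNs from SRC_IP to 192.0.2.8:80 (not a capture).
emit_syns() {
    n=0
    while [ "$n" -lt "$2" ]; do
        printf '12:00:00.%06d IP %s.%d > 192.0.2.8.80: Flags [S], seq 0, win 64240, length 0\n' \
            "$n" "$1" $((40000 + n))
        n=$((n + 1))
    done
}

# A constructed sample: one source well over a threshold of 4, one under, one over.
sample_syns() {
    emit_syns 203.0.113.10 7
    emit_syns 198.51.100.5 3
    emit_syns 203.0.113.77 5
}

# syn_offenders THRESHOLD < tcpdump_output: print, one per line, every source
# address that sent more than THRESHOLD SYNs in the input. This is the counting
# step of the loop above: field 3 is src.ip.port, cut drops the port, the
# numeric sort groups identical addresses so uniq -c can count them.
syn_offenders() {
    awk '{print $3}' \
        | cut -d. -f1-4 \
        | sort -t. -n -k1,1 -k2,2 -k3,3 -k4,4 | uniq -c \
        | awk -v t="$1" '$1 > t {print $2}' \
        | sort
}

# syn_limit_rules PORT HITS SECONDS: print an iptables ruleset that drops a
# source's SYNs to PORT once it has sent HITS of them within SECONDS, using the
# recent match so no userspace loop is needed. Entries age out on their own,
# so a source that stops is unblocked automatically, like Greg's counter check.
# Note: --hitcount cannot exceed the xt_recent ip_pkt_list_tot module
# parameter (default 20); raise it with `modprobe xt_recent ip_pkt_list_tot=N`.
syn_limit_rules() {
    cat <<EOF
iptables -N SYNLIMIT
iptables -A INPUT -p tcp --dport $1 --syn -j SYNLIMIT
iptables -A SYNLIMIT -m recent --name synflood --update --seconds $3 --hitcount $2 -j DROP
iptables -A SYNLIMIT -m recent --name synflood --set
iptables -A SYNLIMIT -j RETURN
EOF
}

# Stand-alone run: show the offenders in the constructed sample, then the rules.
echo "Sources with more than 4 SYNs in the sample:"
sample_syns | syn_offenders 4
echo
echo "Kernel-side equivalent for port 80, 20 SYNs per 10 seconds per source:"
syn_limit_rules 80 20 10
```

Pipe `syn_limit_rules 80 20 10 | sh` as root to apply the rules; the `--update` rule must come before `--set` so a source's first SYN is recorded rather than dropped.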