[arch-general] IPTables DDoS
C Anthony Risinger
anthony at extof.me
Mon Jul 19 14:31:56 EDT 2010
On Mon, Jul 19, 2010 at 1:07 PM, Nilesh Govindarajan <lists at itech7.com> wrote:
> On Mon, Jul 19, 2010 at 11:14 PM, Heiko Baums <lists at baums-on-web.de> wrote:
>> Am Mon, 19 Jul 2010 22:43:45 +0530
>> schrieb Nilesh Govindarajan <lists at itech7.com>:
>>
>>> Hi,
>>> Can someone tell me how to use IPTables to prevent DDoS attacks?
>>> I'm sure IPTables has the relevant modules (limit, recent I think)
>>> after reading some docs, but still in doubt about its implementation.
>>
>> There's the --limit option against DoS attacks.
>>
>> A good iptables tutorial with some example scripts is here:
>> http://www.frozentux.net/documents/iptables-tutorial/
>>
>> Read at least the chapter "Limit match".
>>
>> Heiko
>>
>
>
> Thanks a lot man. But I have a doubt (may sound quite weird, but I
> really don't know about it).
> Suppose I set this-
> iptables -I INPUT -m limit --limit 1/min --limit-burst 5 -j ACCEPT
> will this affect HTTP connections?
> Basically, how many packets is probably going to constitute one connection?
> What is the recommended setting for the same to prevent DoS?
i dont know a lot about DoS or proper settings, but the connection
doesn't really depend on "packet count" or anything like that. [IIRC]
a connection is established at the TCP level, and is kept alive at
that level. HTTP 1.1 layer 7 "keep-alives" just keep the layer 4/5
TCP connection open. HTTP 1.0 clients may have trouble with
connection limits if you have high request rates, as they must
establish a new connection on each request (again IIRC, could be
flawed).
C Anthony
More information about the arch-general
mailing list