[arch-general] IPTables DDoS

Nilesh Govindarajan lists at itech7.com
Mon Jul 19 14:33:49 EDT 2010


On Tue, Jul 20, 2010 at 12:01 AM, C Anthony Risinger <anthony at extof.me> wrote:
> On Mon, Jul 19, 2010 at 1:07 PM, Nilesh Govindarajan <lists at itech7.com> wrote:
>> On Mon, Jul 19, 2010 at 11:14 PM, Heiko Baums <lists at baums-on-web.de> wrote:
>>> Am Mon, 19 Jul 2010 22:43:45 +0530
>>> schrieb Nilesh Govindarajan <lists at itech7.com>:
>>>
>>>> Hi,
>>>> Can someone tell me how to use IPTables to prevent DDoS attacks?
>>>> I'm sure IPTables has the relevant modules (limit, recent I think)
>>>> after reading some docs, but still in doubt about its implementation.
>>>
>>> There's the --limit option against DoS attacks.
>>>
>>> A good iptables tutorial with some example scripts is here:
>>> http://www.frozentux.net/documents/iptables-tutorial/
>>>
>>> Read at least the chapter "Limit match".
>>>
>>> Heiko
>>>
>>
>>
>> Thanks a lot man. But I have a doubt (may sound quite weird, but I
>> really don't know about it).
>> Suppose I set this-
>> iptables -I INPUT -m limit --limit 1/min --limit-burst 5 -j ACCEPT
>> will this affect HTTP connections?
>> Basically, how many packets is probably going to constitute one connection?
>> What is the recommended setting for the same to prevent DoS?
>
> I don't know a lot about DoS or proper settings, but the connection
> doesn't really depend on "packet count" or anything like that.  [IIRC]
> a connection is established at the TCP level, and is kept alive at
> that level.  HTTP 1.1 layer 7 "keep-alives" just keep the layer 4/5
> TCP connection open.  HTTP 1.0 clients may have trouble with
> connection limits if you have high request rates, as they must
> establish a new connection on each request (again IIRC, could be
> flawed).
>
> C Anthony
>

So instead of using packet limiter, should I use connlimit module?
But using connlimit module will block all connections after the max
no. of conns are reached which isn't the desired behavior. I think
using connlimit with the recent module will help.
Any suggestions?

-- 
Regards,
Nilesh Govindarajan
Facebook: http://www.facebook.com/nilesh.gr
Twitter: http://twitter.com/nileshgr
Website: http://www.itech7.com
VPS Hosting: http://j.mp/arHk5e
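Added illustration for the two questions above (does a `--limit 1/min --limit-burst 5 -j ACCEPT` rule affect HTTP connections, and why a plain `limit` match on its own is a weak DoS defence). This is a small Python model written for this thread, not code from anyone on the list and not the kernel's xt_limit: it reproduces only the observable behaviour of `-m limit` (one token bucket per rule, shared by every source, with `--limit` as the refill rate and `--limit-burst` as the bucket size) and of a per-source bucket in the style of `-m hashlimit --hashlimit-mode srcip`. The packet trace, timings and addresses are constructed; the six packets are the inbound half of one HTTP/1.0 request as the server's INPUT chain would see it.

```python
"""Model of the iptables `limit` match and a per-source variant.

Added example, not kernel code: xt_limit keeps credits in jiffies, but
what you observe is a bucket of `burst` tokens refilled at `rate`.
Packet traces below are constructed for illustration."""

from collections import defaultdict

RATE_1_PER_MIN = 1.0 / 60.0   # --limit 1/min, in tokens per second


class LimitMatch:
    """Rule-wide token bucket: every source shares the same `burst` tokens."""

    def __init__(self, rate_per_sec, burst):
        self.rate = rate_per_sec
        self.burst = burst
        self.tokens = float(burst)
        self.last = 0.0

    def matches(self, now, src=None):
        # Refill for the elapsed time, never above the burst ceiling.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class PerSourceLimitMatch:
    """One independent bucket per source address (hashlimit-style)."""

    def __init__(self, rate_per_sec, burst):
        self.buckets = defaultdict(lambda: LimitMatch(rate_per_sec, burst))

    def matches(self, now, src):
        return self.buckets[src].matches(now)


def apply_rule(packets, match):
    """Run (time, src, description) packets through `-m <match> -j ACCEPT`.

    A packet the match does not accept is not dropped by this rule; it
    falls through to later rules or the chain policy ("policy" below)."""
    return [(desc, "ACCEPT" if match.matches(t, src) else "policy")
            for t, src, desc in packets]


# Constructed trace: inbound packets of one HTTP/1.0 request from one client.
ONE_HTTP_REQUEST = [
    (0.000, "198.51.100.7", "SYN"),
    (0.050, "198.51.100.7", "ACK (handshake)"),
    (0.051, "198.51.100.7", "PSH+ACK GET /"),
    (0.120, "198.51.100.7", "ACK (response)"),
    (0.121, "198.51.100.7", "FIN+ACK"),
    (0.170, "198.51.100.7", "ACK (server FIN)"),
]


def accepted_count(packets, match):
    """Number of packets the rule accepted."""
    return sum(1 for _, v in apply_rule(packets, match) if v == "ACCEPT")


def one_request_under_limit():
    """How many of the six packets match `--limit 1/min --limit-burst 5`."""
    return accepted_count(ONE_HTTP_REQUEST, LimitMatch(RATE_1_PER_MIN, 5))


def syn_flood_trace():
    """Constructed: 50 SYNs from one attacker in 50 ms, then one normal client's SYN."""
    flood = [(i * 0.001, "203.0.113.9", "SYN") for i in range(50)]
    return flood + [(0.100, "198.51.100.7", "SYN")]


def legit_syn_verdict(match):
    """Verdict for the legitimate client's SYN that arrives after the flood."""
    return apply_rule(syn_flood_trace(), match)[-1][1]


if __name__ == "__main__":
    for desc, verdict in apply_rule(ONE_HTTP_REQUEST, LimitMatch(RATE_1_PER_MIN, 5)):
        print(f"{desc:18s} -> {verdict}")
    print("global limit, legit SYN:    ", legit_syn_verdict(LimitMatch(RATE_1_PER_MIN, 5)))
    print("per-source limit, legit SYN:", legit_syn_verdict(PerSourceLimitMatch(RATE_1_PER_MIN, 5)))
```

Two things fall out of the run. First, a single HTTP request uses the whole burst: five of its six inbound packets match the ACCEPT rule and the sixth already falls through to whatever comes next in the chain, so the rule as written depends entirely on the rules or policy after it. Second, because `limit` keeps one bucket per rule, an attacker's SYN flood empties it for everyone and the normal client's SYN gets "policy" too, whereas a per-source bucket still accepts it. That is why the usual pattern is to apply the rate limit only to `--syn` packets (or to a LOG rule) and to use per-source matches such as `hashlimit` or `connlimit --connlimit-above` for the actual protection.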

