[arch-general] IPTables DDoS

Greg Bur pizon at linux-advocacy.org
Wed Jul 21 02:04:05 EDT 2010


On Mon, 2010-07-19 at 22:43 +0530, Nilesh Govindarajan wrote:
> Hi,
> Can someone tell me how to use IPTables to prevent DDoS attacks?
> I'm sure IPTables has the relevant modules (limit, recent I think)
> after reading some docs, but still in doubt about its implementation.
> 

I realize I am late to the party but I use something like the following
to deal with DDoS attacks:

while true; do
    clear
    # Show the hosts currently blocked on port 80.
    echo "Current blocked hosts: "; echo
    iptables -vnL INPUT | grep 'tcp dpt:80' | awk '{print $8}'
    # Capture 10000 SYNs to the web server, count them per source address
    # and keep the sources that sent more than 100 of them.
    for i in $(tcpdump -i eth0 -nn -l -p -s0 -c 10000 dst host 192.168.100.68 and port 80 and 'tcp[13] & 2 = 2' 2>/dev/null \
               | awk '{print $3}' | cut -d. -f1-4 | sort -t. -n -k1,1 -k2,2 -k3,3 -k4,4 | uniq -c | sort -n \
               | awk '{if ($1 > 100) print $2}'); do
        # Add a DROP rule unless one for this exact address already exists.
        (iptables-save | grep -w "$i" >/dev/null) || (echo "Adding block for ip $i"; iptables -I INPUT -s "$i" -m tcp -p tcp --dport 80 -j DROP)
    done
    # Zero the counters, wait, then remove every block that matched nothing in the meantime.
    iptables -Z INPUT
    sleep 10
    for ip in $(iptables -vnL INPUT | grep 'tcp dpt:80' | awk '{if ($1 == 0) print $8}'); do
        echo "Deleting block on ip $ip"; iptables -D INPUT -s "$ip" -m tcp -p tcp --dport 80 -j DROP
    done
done

Obviously you have to tweak the tcpdump parameters to fit the attack but
it's also self-healing.  Once a host stops hitting the server the DROP
rule is removed.  It's more complex and only semi-automatic but when
configured properly you can safely drop it in a screen session and set
it and forget it.

Cheers,

Greg
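As an added example, not part of Greg's message, here is the same per-source SYN policing done inside the kernel with the recent and limit modules that Nilesh mentioned, so the blocks expire by themselves without a polling loop. It assumes interface eth0, port 80 and a budget of 20 SYNs per source per 60 s; the chain name SYN_GUARD and the list name synguard are chosen here.

```shell
#!/bin/sh
# Added example (not Greg's script): per-source SYN policing with the
# xt_recent and xt_limit modules. Assumed values: interface eth0, port 80,
# at most 20 connection attempts per source within 60 s; chain SYN_GUARD
# and list name synguard are names chosen for this example.
# IPTABLES=echo previews the commands instead of applying them.
IPTABLES="${IPTABLES:-iptables}"

# Install the rules. Arguments: interface, TCP port, max SYNs per source, window (s).
syn_guard_install() {
    ifc="$1"; port="$2"; hits="$3"; secs="$4"
    # xt_recent keeps ip_pkt_list_tot (default 20) timestamps per address; a larger
    # --hitcount can never match unless the module is loaded with a bigger value.
    if [ "$hits" -gt 20 ]; then
        echo "hitcount $hits needs modprobe xt_recent ip_pkt_list_tot=$hits" >&2
        return 1
    fi
    # Create the chain on the first run, empty it on later runs.
    "$IPTABLES" -N SYN_GUARD 2>/dev/null || "$IPTABLES" -F SYN_GUARD
    # Only connection attempts (SYN without ACK) are inspected; established
    # traffic never touches the recent list. Re-running adds a second jump
    # here, so delete the old one with -D before re-applying.
    "$IPTABLES" -A INPUT -i "$ifc" -p tcp --dport "$port" --syn -j SYN_GUARD
    # Rate-limited log line for sources that are over the threshold.
    "$IPTABLES" -A SYN_GUARD -m recent --name synguard --rcheck \
        --seconds "$secs" --hitcount "$hits" \
        -m limit --limit 5/min -j LOG --log-prefix "SYN_GUARD drop: "
    # Drop the SYN when the source already sent $hits SYNs in the last $secs
    # seconds. --update refreshes the timestamp, so a flooding source stays
    # blocked until it has been quiet for $secs seconds, then the entry ages out.
    "$IPTABLES" -A SYN_GUARD -m recent --name synguard --update \
        --seconds "$secs" --hitcount "$hits" -j DROP
    # Otherwise record this SYN against the source and let it through.
    "$IPTABLES" -A SYN_GUARD -m recent --name synguard --set -j RETURN
}

# Tracked sources and their timestamps can be read from
# /proc/net/xt_recent/synguard; SYN_GUARD_APPLY=1 installs the rules.
if [ "${SYN_GUARD_APPLY:-0}" = 1 ]; then
    syn_guard_install eth0 80 20 60
fi
```

Established connections are never counted, so a busy but well-behaved client is not affected; only the rate of new SYNs per source is.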

