* max-src-conn-rate (Connection rate throttling per IP)
@ 2005-08-30 12:40 Benoit Panizzon
From: Benoit Panizzon @ 2005-08-30 12:40 UTC (permalink / raw)
  To: netfilter


Hi all

I'm looking for a way to prevent connection DOSing of specific services.

The goal is to count the connection rate per connecting IP and then reject 
those connections if they pass a certain limit.

It looks like OpenBSD's pf is the only packet filter (except some commercial 
firewalls) which has this ability.

The best I managed with iptables is to throttle the connection rate for a 
specific port, but this of course affects normal users trying to use that 
service and does not change the fact of the service being DOSed.

The other possibility I found is to write my own userspace QUEUE target 
connection rate tracker via the iptables api. But as I'm not a programmer and 
I think this is a quite common request I just wonder:

Hasn't somebody already written such a per-source connection rate limiter?

Is there a repository of different userspace QUEUE tools where I could find 
something similar?

Regards
-- 
Benoît Panizzon, <bp@imp.ch>
------------------------------------------------------------------------
ImproWare AG, UNIXSP & ISP                   Phone:   +41 61 826 93 00
			     Kabelinternet-Hotline:   +41 61 826 93 07
Zurlindenstrasse 29                            Fax:   +41 61 826 93 01
CH-4133 Pratteln                               Net:   http://www.imp.ch/
------------------------------------------------------------------------



* Re: max-src-conn-rate (Connection rate throttling per IP)
From: Jakub Wartak @ 2005-08-30 12:59 UTC (permalink / raw)
  To: netfilter

On Tuesday, 30 August 2005 14:40, Benoit Panizzon wrote:
> Hi all
>
> I'm looking for a way to prevent connection DOSing of specific services.
>
> The goal is to count the connection rate per connecting IP and then reject
> those connections if they pass a certain limit.
>
> It looks like OpenBSD's pf is the only packet filter (except some
> commercial firewalls) which has this ability.
>
> The best I managed with iptables is to throttle the connection rate for a
> specific port, but this of course affects normal users trying to use that
> service and does not change the fact of the service being DOSed.
>
> The other possibility I found is to write my own userspace QUEUE target
> connection rate tracker via the iptables api. But as I'm not a programmer
> and I think this is a quite common request I just wonder:
>
> Hasn't somebody already written such a per-source connection rate
> limiter?
>

Have you tried hashlimit?

ex1. (not tested):

# seems that hashlimit doesn't support negation ( "!" )
# example way to achieve the same result:
iptables -t raw -N ANTIDOS
iptables -t raw -A ANTIDOS -m hashlimit --hashlimit 5/s \
	--hashlimit-name limitDoS --hashlimit-mode srcip,dstport -j ACCEPT
iptables -t raw -A ANTIDOS -j DROP

iptables -t raw -A PREROUTING -i eth0 -p tcp --syn -j ANTIDOS

Another idea is to add "bad" IPs to the recent list and then drop all traffic from 
them, for example for 12 hours.

You could also use connlimit.

-- 
Jakub Wartak
-vnull
FreeBSD/OpenBSD/Linux/Solaris/Network Administrator



* Re: max-src-conn-rate (Connection rate throttling per IP)
From: Sascha Reissner @ 2005-08-30 13:03 UTC (permalink / raw)
  To: Benoit Panizzon; +Cc: netfilter

Benoit Panizzon wrote:
> Hi all
> 
> I'm looking for a way to prevent connection DOSing of specific services.
> 
> The goal is to count the connection rate per connecting IP and then reject 
> those connections if they pass a certain limit.
> 
> It looks like OpenBSD's pf is the only packet filter (except some commercial 
> firewalls) which has this ability.
> 
> The best I managed with iptables is to throttle the connection rate for a 
> specific port, but this of course affects normal users trying to use that 
> service and does not change the fact of the service being DOSed.
> 
> The other possibility I found is to write my own userspace QUEUE target 
> connection rate tracker via the iptables api. But as I'm not a programmer and 
> I think this is a quite common request I just wonder:
> 
> Hasn't somebody already written such a per-source connection rate limiter?
> 
> Is there a repository of different userspace QUEUE tools where I could find 
> something similar?
> 
> Regards

Uhm, why don't you just use features that are already built into 
iptables? Like the following:

iptables -I INPUT -i <interface> -p <protocol> --dport <port> -m state \
    --state NEW -m recent --set
iptables -I INPUT -i <interface> -p <protocol> --dport <port> -m state \
    --state NEW -m recent --update --seconds 60 --hitcount 3 -j DROP

Just exchange <interface>, <protocol> and <port> and maybe the timespan 
and hitcount. This will DROP incoming _new_ connections if they exceed 
the counter in a given timeframe. It will resume accepting _new_ 
connection requests from the given source IP address once the counter to 
timespan threshold does not get exceeded.

I use this to prevent simple scripts from bruteforcing my sshd.

Okay, you might run into problems if people use forged source IP addresses, 
since this would also block _new_ connection requests from this IP.

If someone has a smarter idea - let me know.

Regards,
Sascha



* Re: max-src-conn-rate (Connection rate throttling per IP)
From: Jakub Wartak @ 2005-08-30 13:07 UTC (permalink / raw)
  To: netfilter

On Tuesday, 30 August 2005 14:40, Benoit Panizzon wrote:
> Hi all
>
> I'm looking for a way to prevent connection DOSing of specific services.
>
> The goal is to count the connection rate per connecting IP and then reject
> those connections if they pass a certain limit.
>
> It looks like OpenBSD's pf is the only packet filter (except some
> commercial firewalls) which has this ability.
>
> The best I managed with iptables is to throttle the connection rate for a
> specific port, but this of course affects normal users trying to use that
> service and does not change the fact of the service being DOSed.
>
> The other possibility I found is to write my own userspace QUEUE target
> connection rate tracker via the iptables api. But as I'm not a programmer
> and I think this is a quite common request I just wonder:
>
> Hasn't somebody already written such a per-source connection rate
> limiter?
>

Have you tried hashlimit?

ex1. (not tested):

# seems that hashlimit doesn't support negation ( "!" )
# example way to achieve the same result:
iptables -t raw -N ANTIDOS
iptables -t raw -A ANTIDOS -m hashlimit --hashlimit 5/s \
        --hashlimit-name limitDoS --hashlimit-mode srcip,dstport -j ACCEPT
iptables -t raw -A ANTIDOS -j DROP

iptables -t raw -A PREROUTING -i eth0 -p tcp --syn -j ANTIDOS

Another idea is to add "bad" IPs to the recent list and then drop all traffic from 
them, for example for 12 hours.

You could also use connlimit.

-- 
Jakub Wartak
-vnull
FreeBSD/OpenBSD/Linux/Solaris/Network Administrator



* Re: max-src-conn-rate (Connection rate throttling per IP)
From: Taylor, Grant @ 2005-08-30 23:03 UTC (permalink / raw)
  To: netfilter

Sascha Reissner wrote:
> iptables -I INPUT -i <interface> -p <protocol> --dport <port> -m state \
>     --state NEW -m recent --set
> iptables -I INPUT -i <interface> -p <protocol> --dport <port> -m state \
>     --state NEW -m recent --update --seconds 60 --hitcount 3 -j DROP
> Okay you might run into problems if people use forged source ip adresses
> since this would also block _new_ connection requests from this ip.
> 
> If someone has a smarter idea - let me know.

Why don't you add the "--rttl" parameter to the recent match extension?  Here is a quote from the "iptables -m recent -h" output explaining it: "For check and update commands above.  Specifies that the match will only occur if the source address and the TTL match between this packet and the one which was set.  Useful if you have problems with people spoofing their source address in order to DoS you via this module."



Grant. . . .
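A constructed Python model (added here, not code from the thread or from netfilter) of how Sascha's two `recent` rules decide on each new connection, with and without Grant's `--rttl`, run over a forged-source scenario and a plain brute-force scenario. The window, hitcount, addresses and TTL values are assumed, and the table is a simplification of the kernel module (every timestamp is kept, one remembered TTL per source).

```python
from collections import defaultdict

# Model of the `recent` match as used in the two rules quoted above:
#   -I ... -m recent --update --seconds 60 --hitcount 3 [--rttl] -j DROP
#   -I ... -m recent --set
# Both were inserted with -I, so the DROP rule is consulted first. Assumed
# simplification: every hit timestamp is kept, and one TTL is remembered per
# source (that of the packet which last set or refreshed the entry).

class RecentTable:
    def __init__(self, seconds=60, hitcount=3, rttl=False):
        self.seconds, self.hitcount, self.rttl = seconds, hitcount, rttl
        self.stamps = defaultdict(list)  # src -> times of recorded hits
        self.ttl = {}                    # src -> TTL remembered with the entry

    def _hits_in_window(self, src, now):
        return sum(1 for t in self.stamps[src] if now - t <= self.seconds)

    def new_connection(self, src, ttl, now):
        """Verdict for a --state NEW packet from src (with TTL ttl) at time now."""
        # Rule 1: --update --seconds N --hitcount H [--rttl] -j DROP
        if src in self.ttl:
            ttl_ok = (not self.rttl) or self.ttl[src] == ttl
            if ttl_ok and self._hits_in_window(src, now) >= self.hitcount:
                # --update refreshes the entry on a match, so a retry while
                # blocked is itself counted and keeps the source blocked
                self.stamps[src].append(now)
                self.ttl[src] = ttl
                return "DROP"
        # Rule 2: --set records this hit and the TTL it arrived with
        self.stamps[src].append(now)
        self.ttl[src] = ttl
        return "ACCEPT"

def run(events, rttl=False):
    """events: (src, ttl, time_in_seconds) tuples; returns one verdict per event."""
    table = RecentTable(rttl=rttl)
    return [table.new_connection(src, ttl, now) for src, ttl, now in events]

# Constructed scenarios. Forged: three SYNs carrying 203.0.113.10 as source
# arrive with TTL 64, then the genuine 203.0.113.10 connects with TTL 52.
FORGED_THEN_GENUINE = [("203.0.113.10", 64, 0), ("203.0.113.10", 64, 1),
                       ("203.0.113.10", 64, 2), ("203.0.113.10", 52, 3)]
# Brute force: five attempts in 10 s, then one more after the 60 s window.
BRUTE_FORCE = [("198.51.100.7", 64, t) for t in (0, 2, 4, 6, 8, 80)]

if __name__ == "__main__":
    print("no --rttl:", run(FORGED_THEN_GENUINE))             # genuine client dropped
    print("--rttl:   ", run(FORGED_THEN_GENUINE, rttl=True))  # genuine client passes
    print("brute:    ", run(BRUTE_FORCE))
```

Without `--rttl` the forged hits count against the genuine client; with it, the TTL mismatch stops the DROP rule from matching, while the brute-force source is still cut off at its fourth attempt and readmitted once its hits fall outside the window.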


