From: alvin.ml@Mail.DDoS-Mitigator.net
To: Josh Day <conna666@gmail.com>
Cc: netfilter@vger.kernel.org, alvin.ml@Mail.DDoS-Mitigator.net
Subject: Re: iptables TCP DDoS filtering
Date: Tue, 5 Jul 2016 12:08:49 -0700
Message-ID: <20160705190849.GA26405@Mail.DDoS-Mitigator.net>
In-Reply-To: <loom.20160705T084958-392@post.gmane.org>

On 07/05/16 at 06:53am, Josh Day wrote:
> I'm curious if anyone of you has read this article
> https://javapipe.com/iptables-ddos-protection and tried any of the
> rules/settings. I read it today but I'm not sure what to make of it, so
> thought you guys could maybe share your opinion.
i've seen/read most of the various articles/howto/snippets of using
iptables for ddos mitigation .. the list of various iptables howto
for ddos mitigation at the bottom of http://iptables-blacklist.net/Howto

some of the rules in javapipe.com seem way too complicated ...
( i think pre-routing and post-routing is un-necessary )
#
# more importantly, the iptables rules in javapipe are incomplete and
# "dropping" packets is NOT ddos mitigation because you already received
# the packets.
#

the sysctl variables should be tuned per your server, cpu/mem, bandwidth,
and amt and type of DDoS attacks

i keep wondering which of the big brand-name ddos mitigation appliances
are using iptables under the hood ( under their "proprietary os" )

i claim iptables + tarpit is ideal to defend against tcp-based ddos
attacks ... the attacking zombie-host has to sit and wait the
tcp-timeout .. there are roughly 65,535 tcp-ports that should
be protected with tarpits :-) .. how one builds the LAMP servers
and how the network infrastructure is configured greatly affects
your ability to mitigate tcp-based ddos attacks
---
i think that dropping or limiting icmp-based or udp-based attacks is
pointless since you've already received the ddos packets

udp-based and icmp-based attacks must be mitigated at the uplink ISP
and not at the server under attack

also, limiting incoming is sorta misleading, since you cannot
limit/stop/block/drop incoming packets. you can only limit which
of the incoming packets you are replying to

there are some icmp-packets you should reply to while ignoring
un-necessary and un-used udp services

there are some udp-packets you should reply to while ignoring
un-necessary and un-used udp services

magic pixie dust
alvin
#
# DDoS-Mitigator.net ... automated tcp-based iptables + tarpits
# DDoS-Simulator.net
#
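As an added illustration of the "iptables + tarpit" idea in the reply above (this is not code from the original message, from the javapipe article, or from DDoS-Mitigator.net), the script below renders a small TCP ruleset: SYNs to the ports this host actually serves are accepted, and all other TCP traffic is handed to the TARPIT target from xtables-addons, which completes the handshake with a zero window and holds the client until it times out instead of just dropping the packet. Tarpitted ports are excluded from connection tracking in the raw table so a flood does not fill the conntrack table. SERVED_TCP_PORTS, the log prefix and the sysctl values are assumptions for the example; the sysctl values in particular are starting points to be tuned per host, as the reply says, not recommendations.

```shell
#!/bin/sh
# Added example, not from the original message or from DDoS-Mitigator.net.
# Assumes iptables plus the xtables-addons TARPIT target are installed.
set -eu

# Assumption: the TCP services this host really runs (a LAMP box plus ssh).
SERVED_TCP_PORTS="${SERVED_TCP_PORTS:-22,80,443}"

# Render the rules as text, one command per line, so they can be reviewed
# (and checked) before anything is applied to the live kernel.
render_rules() {
    cat <<EOF
iptables -t raw -A PREROUTING -p tcp -m multiport ! --dports ${SERVED_TCP_PORTS} -j CT --notrack
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --syn -m multiport --dports ${SERVED_TCP_PORTS} -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports ${SERVED_TCP_PORTS} -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p tcp --syn -m limit --limit 10/min -j LOG --log-prefix "tarpit-syn: "
iptables -A INPUT -p tcp -j TARPIT
EOF
}
# Notes on the ordering above:
#  - the raw-table CT --notrack rule keeps tarpitted connections out of conntrack;
#  - served ports: new SYNs accepted, established flows accepted, stray
#    out-of-state segments dropped so they never reach the tarpit;
#  - everything else TCP (SYN, and the ACKs that follow the tarpit's SYN/ACK)
#    matches the final TARPIT rule, which is why that rule is not limited to --syn.
# UDP and ICMP are deliberately left to the default INPUT policy here.

# Kernel knobs the reply says to tune per server; values are assumed
# starting points only.
render_sysctl() {
    cat <<EOF
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_max_syn_backlog=4096
net.ipv4.tcp_synack_retries=2
EOF
}

# Only touch the live system when explicitly asked: sh tarpit.sh apply
if [ "${1:-}" = apply ]; then
    render_rules | sh -e
    render_sysctl | while IFS= read -r kv; do sysctl -w "$kv"; done
fi
```

Run it without arguments to print nothing and just define the functions (`render_rules` shows the rule set), and with `apply` as root to load the rules and sysctls. Before applying, check `iptables -j TARPIT --help` works on the host; on a kernel without the xtables-addons module the last rule fails and the chain is left with no catch-all, so review the rendered output first.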