* iptables limit-burst trouble
@ 2003-06-09  2:22 Tsuyoshi Takada
  2003-06-10  3:04 ` Tsuyoshi Takada
  2003-06-10  4:35 ` Philip Craig
  0 siblings, 2 replies; 4+ messages in thread
From: Tsuyoshi Takada @ 2003-06-09  2:22 UTC (permalink / raw)
  To: netfilter


Hi,

I want to limit Web DoS attacks.

I have set the following but it does not work well.

iptables -N flood-chk
iptables -A INPUT     -p tcp --dport 80 --syn -j flood-chk
iptables -A flood-chk -m limit --limit 1/sec --limit-burst 2 -j RETURN
iptables -A flood-chk -j LOG --log-prefix "IPTABLES HTTP FLOOD-PACKET"
iptables -A flood-chk -j DROP

After I accessed my web site,
I pushed the reload button of my web browser repeatedly, but
I was not denied by iptables.
Why?

regards,

-- 
Tsuyoshi Takada <acroyear@gmx.ch>


* Re: iptables limit-burst trouble
  2003-06-09  2:22 iptables limit-burst trouble Tsuyoshi Takada
@ 2003-06-10  3:04 ` Tsuyoshi Takada
  2003-06-10  4:35 ` Philip Craig
  1 sibling, 0 replies; 4+ messages in thread
From: Tsuyoshi Takada @ 2003-06-10  3:04 UTC (permalink / raw)
  To: Tsuyoshi Takada; +Cc: netfilter


Is there anyone who can teach me ...? (;__;)

-- 
Tsuyoshi Takada <acroyear@gmx.ch>


* RE: iptables limit-burst trouble
@ 2003-06-10  3:25 George Vieira
  0 siblings, 0 replies; 4+ messages in thread
From: George Vieira @ 2003-06-10  3:25 UTC (permalink / raw)
  To: Tsuyoshi Takada; +Cc: netfilter

my example:

  $IPTABLES -A PREROUTING -i $EXTDEV -t nat -d $DESTIP -m limit --limit 3/minute --limit-burst 3 -j ACCEPT
  $IPTABLES -A PREROUTING -i $EXTDEV -t nat -d $DESTIP -j DROP


Work with that (add ports for both, etc.)... it should accept anything to its destination IP for 3 packets per minute and drop the rest...

I don't have your original mail so you'll need to tweak to your needs.

Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@citadelcomputer.com.au

Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au

Phone   : +61 2 9955 2644
HelpDesk: +61 2 9955 2698

* Re: iptables limit-burst trouble
  2003-06-09  2:22 iptables limit-burst trouble Tsuyoshi Takada
  2003-06-10  3:04 ` Tsuyoshi Takada
@ 2003-06-10  4:35 ` Philip Craig
  1 sibling, 0 replies; 4+ messages in thread
From: Philip Craig @ 2003-06-10  4:35 UTC (permalink / raw)
  To: Tsuyoshi Takada; +Cc: netfilter

Tsuyoshi Takada wrote:
> I want to limit Web DoS attacks.
> 
> I have set the following but it does not work well.
> 
> iptables -N flood-chk
> iptables -A INPUT     -p tcp --dport 80 --syn -j flood-chk
> iptables -A flood-chk -m limit --limit 1/sec --limit-burst 2 -j RETURN
> iptables -A flood-chk -j LOG --log-prefix "IPTABLES HTTP FLOOD-PACKET"
> iptables -A flood-chk -j DROP
> 
> After I accessed my web site,
> I pushed the reload button of my web browser repeatedly, but
> I was not denied by iptables.
> Why?

These rules work for me.  Note however that if you hit the limit,
your browser will automatically retransmit and succeed if it is at
least 1 second later.  You should notice a delay in loading the
page when the browser has to retransmit.  You should also get the
syslog message.

If you change the DROP to a REJECT, then your browser will display
'connection refused' when it reaches the limit, rather than
retransmitting.  (Using REJECT isn't good for protection against
a DoS attack though, just do this for testing that the rules
are working.)

I would also recommend putting a limit on the rule for the LOG
message, otherwise it is possible to flood your logs.

-- 
Philip Craig - philipc@snapgear.com - http://www.SnapGear.com
SnapGear - Custom Embedded Solutions and Security Appliances
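
As an added example (not code from the thread), this Python model replays SYN arrival times through a credit bucket that follows the xt_limit semantics behind "-m limit", to show why two quick reloads pass, the third SYN is logged and dropped, and the browser's retransmit about a second later gets through, as Philip Craig describes. The second bucket on the LOG rule is his suggested log limit; its values (1/minute, burst 3) are assumed, not from the thread.

```python
"""Model of the netfilter 'limit' match (xt_limit) as a credit bucket."""
from dataclasses import dataclass, field


@dataclass
class LimitMatch:
    """One '-m limit --limit <rate>/sec --limit-burst <burst>' instance."""
    rate_per_sec: float
    burst: int
    credit: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.cost = 1.0 / self.rate_per_sec   # credit one matched packet consumes
        self.cap = self.cost * self.burst     # bucket holds at most 'burst' packets
        self.credit = self.cap                # starts full, so the first 'burst' packets match

    def matches(self, now: float) -> bool:
        # Refill in proportion to elapsed time, clamp, then try to spend one cost.
        # A packet that fails the match spends nothing, so it does not delay the refill.
        self.credit = min(self.cap, self.credit + (now - self.last))
        self.last = now
        if self.credit >= self.cost:
            self.credit -= self.cost
            return True
        return False


def flood_chk(syn_times, rate=1.0, burst=2, log_rate=1 / 60, log_burst=3):
    """Replay SYN arrival times (seconds) through the thread's flood-chk chain.

    The first match is the RETURN rule from the post; the second is the extra
    limit on the LOG rule that Philip Craig recommends (values assumed), so a
    flood is logged only 'log_burst' times before it is silently dropped.
    Returns one verdict per SYN: 'RETURN', 'LOG+DROP' or 'DROP'.
    """
    accept_lim, log_lim = LimitMatch(rate, burst), LimitMatch(log_rate, log_burst)
    verdicts = []
    for t in syn_times:
        if accept_lim.matches(t):
            verdicts.append("RETURN")
        else:
            verdicts.append("LOG+DROP" if log_lim.matches(t) else "DROP")
    return verdicts


# Constructed timestamps: three quick reloads, then the browser's SYN retransmit
# a second after the dropped one, then reloads at the sustained 1/sec rate.
RELOADS = [0.0, 0.2, 0.4, 1.4, 3.0, 4.0]
# Constructed SYN flood: 20 SYNs 50 ms apart.
FLOOD = [round(i * 0.05, 2) for i in range(20)]

if __name__ == "__main__":
    for name, times in (("reloads", RELOADS), ("flood", FLOOD)):
        print(name, dict(zip(times, flood_chk(times))))
```

With the reload timestamps the third SYN is the only drop, while the flood gets two accepts, three log lines and then silent drops, which is the log-flooding Philip warns about contained.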

