From: Feizhou <feizhou@linuxmail.org>
To: Alex Sirbu <alex@as.ro>
Cc: netfilter@lists.netfilter.org
Subject: Re: over a 1,000,000,000 individual ips to block
Date: Mon, 28 Jun 2004 22:14:00 +0800
Message-ID: <40E027A8.9080402@linuxmail.org>
In-Reply-To: <45879.194.102.197.244.1088430724.squirrel@www.as.ro>

Alex Sirbu wrote:
>>Alex Sirbu wrote:
>>
>>>For blocking purposes why don't you use blackholes?
>>>I have a webserver that is permanently under DoS attacks, so I use blackholes.
>>>
>>>A routing table can have millions of rules or static routes, so that is not a problem.
>>>
>>>Let's say you want to block IP 11.22.33.44. Just type:
>>>
>>>#ip route add blackhole 11.22.33.44/32
>>>
>>>and all packets to 11.22.33.44 will be discarded.
>>
>>All packets to 11.22.33.44 are discarded...but will 11.22.33.44 be able
>>to generate a connection socket?
> 
> 
> If you put a blackhole to a destination, all packets to that IP address will get "Network is
> unreachable", so a TCP connection will never be established.

So if my problem was that 11.22.33.44 was taking up all my SMTP 
connections, doing ip route add blackhole 11.22.33.44/32 means that all 
my ACKs get discarded silently, and if the blackhole was done locally 
the processes just get an EINVAL error. So basically MY processes have to 
wait for a timeout. What I'd rather achieve is that the SYN from 
11.22.33.44 does not even get through.

Looks like it's still something for iptables.
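The two mechanisms argued over in this thread, side by side, as an added example (not code posted by any participant). It aggregates a large blocklist into the fewest CIDR prefixes with the stdlib ipaddress module, then emits either the `ip route add blackhole` lines from Alex's suggestion or iptables INPUT rules that match the *source* address of an inbound SYN, which is what Feizhou is after. A blackhole route is keyed on the packet's destination, so the route form can only discard what the local host sends back. The command text is generated rather than applied (applying it needs root), the sample entries are constructed from the thread's 11.22.33.44 plus documentation ranges, and port 25 is assumed because the worry above is SMTP.

```python
"""Aggregate a blocklist and render it as blackhole routes or iptables rules.

Added example for the netfilter thread above; not code from the thread.
Sample entries are constructed (the thread's 11.22.33.44 plus RFC 5737 /
RFC 3849 documentation ranges). Nothing here touches the kernel.
"""
import ipaddress

# Constructed blocklist in the one-entry-per-line format handled by parse_blocklist().
SAMPLE_BLOCKLIST_TEXT = """\
# constructed sample, not a real feed
11.22.33.44      # the address used in the thread
11.22.33.45
11.22.33.46
11.22.33.47
198.51.100.0/25  # two halves of a /24 that should merge
198.51.100.128/25

203.0.113.9
2001:db8::1      # one IPv6 entry to show per-family handling
"""


def parse_blocklist(text):
    """One address or prefix per line; '#' comments and blank lines are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(line)
    return entries


def aggregate(entries):
    """Collapse single addresses and prefixes into a minimal, sorted CIDR list.

    This is what turns a huge list of individual IPs into a manageable rule
    count: adjacent /32s become one prefix, and prefixes already covered by a
    larger one disappear. IPv4 and IPv6 are collapsed separately because
    ipaddress.collapse_addresses() refuses to mix address families.
    """
    v4, v6 = [], []
    for entry in entries:
        net = ipaddress.ip_network(entry.strip(), strict=False)
        (v4 if net.version == 4 else v6).append(net)
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def blackhole_routes(nets):
    """Routing-table approach from the thread: one blackhole route per prefix.

    The route is matched on a packet's DESTINATION, so it only discards what
    this host sends towards the prefix (replies, SYN-ACKs, our own connects).
    """
    return [f"ip route add blackhole {n.with_prefixlen}" for n in nets]


def syn_drop_rules(nets, port=25):
    """Netfilter approach: drop the inbound SYN by SOURCE before the listener
    ever sees it. The port is assumed (25, since the thread is about SMTP)."""
    rules = []
    for n in nets:
        tool = "iptables" if n.version == 4 else "ip6tables"
        rules.append(
            f"{tool} -A INPUT -p tcp --dport {port} --syn -s {n.with_prefixlen} -j DROP"
        )
    return rules


def source_matches(src, nets):
    """The comparison the INPUT rules above perform: is the peer's source
    address inside any blocked prefix of the same family?"""
    addr = ipaddress.ip_address(src)
    return any(addr.version == n.version and addr in n for n in nets)


if __name__ == "__main__":
    nets = aggregate(parse_blocklist(SAMPLE_BLOCKLIST_TEXT))
    print(f"{len(nets)} prefixes after aggregation:")
    for line in blackhole_routes(nets) + syn_drop_rules(nets):
        print(line)
```

With the constructed input the eight entries collapse to four prefixes (11.22.33.44/30, 198.51.100.0/24, 203.0.113.9/32, 2001:db8::1/128). On a real feed the reduction is what decides whether a linear iptables chain is even viable; on a current kernel the same prefix list would go into an ipset or nftables set and be matched by one rule, but the source-versus-destination distinction between the two approaches is unchanged.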


Thread overview: 10+ messages
2004-06-24 14:57 over a 1,000,000,000 individual ips to block Timothy Webster
2004-06-28 12:45 ` Michael Gale
2004-06-28 13:04   ` Alex Sirbu
2004-06-28 13:36     ` Feizhou
2004-06-28 13:52       ` Alex Sirbu
2004-06-28 14:14         ` Feizhou [this message]
2004-06-28 13:20   ` Feizhou
2004-06-28 16:31     ` Michael Gale
  -- strict thread matches above, loose matches on Subject: below --
2004-06-29 11:04 Timothy Webster
2004-06-29 11:43 ` Feizhou
