From: Sascha Reissner <sascha.reissner@toxicnet.de>
To: Benoit Panizzon <benoit.panizzon@imp.ch>
Cc: netfilter@lists.netfilter.org
Subject: Re: max-src-conn-rate (Connection rate throttling per IP)
Date: Tue, 30 Aug 2005 15:03:11 +0200 [thread overview]
Message-ID: <4314590F.7050804@toxicnet.de> (raw)
In-Reply-To: <200508301440.59667.benoit.panizzon@imp.ch>
Benoit Panizzon wrote:
> Hi all
>
> I'm looking for a way to prevent connection DOSing of specific services.
>
> The goal is to count the connection rate per conneting ip and then reject
> those connections if they pass a certain limit.
>
> It looks like OpenBSD's pf is the only packet filter (except some commerctial
> Firewalls) which has this ability.
>
> The best I managed with iptables is to throttle the connection rate for a
> specific port, but this of course affecs normal users trying to use that
> service and does not change the fact of the service being DOSed.
>
> The other possibility I found is to write my own userspace QUEUE target
> connection rate tracker via the iptables api. But as I'm not a programmer and
> I think this is a quite common request I just wonder:
>
> Hasn't allready somebody written such a per source connection rate limmiter?
>
> Is there a repository of different userspace QUEUE tools where I could find
> something similar?
>
> Regards
Uhm, why don't you just use features that are already built into
iptables? Like the following:
iptables -I INPUT -i <interface> -p <protocol> --dport <port> -m state
--state NEW -m recent --set
iptables -I INPUT -i <interface> -p <protocol> --dport <port> -m state
--state NEW -m recent --update --seconds 60 --hitcount 3 -j DROP
Just exchange <interface>, <protocol> and <port> and maybe the timspan
and hitcount. This will DROP incoming _new_ connections if they exceed
the counter in a given timeframe. It will resume accepting _new_
connection requests from the given source ip address once the counter to
timespan treshold does not get exceeded.
I use this to prevent simple scripts from bruteforcing my sshd.
Okay you might run into problems if people use forged source ip adresses
since this would also block _new_ connection requests from this ip.
If someone has a smarter idea - let me know.
Regards,
Sascha
next prev parent reply other threads:[~2005-08-30 13:03 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-08-30 12:40 max-src-conn-rate (Connection rate throttling per IP) Benoit Panizzon
2005-08-30 12:59 ` Jakub Wartak
2005-08-30 13:03 ` Sascha Reissner [this message]
2005-08-30 23:03 ` Taylor, Grant
2005-08-30 13:07 ` Jakub Wartak
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4314590F.7050804@toxicnet.de \
--to=sascha.reissner@toxicnet.de \
--cc=benoit.panizzon@imp.ch \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.