* max-src-conn-rate (Connection rate throttling per IP)
From: Benoit Panizzon @ 2005-08-30 12:40 UTC (permalink / raw)
To: netfilter
Hi all
I'm looking for a way to prevent connection DOSing of specific services.
The goal is to count the connection rate per connecting IP and then reject
those connections if they pass a certain limit.
It looks like OpenBSD's pf is the only packet filter (except some commercial
firewalls) which has this ability.
The best I managed with iptables is to throttle the connection rate for a
specific port, but this of course affects normal users trying to use that
service and does not change the fact of the service being DOSed.
The other possibility I found is to write my own userspace QUEUE target
connection rate tracker via the iptables API. But as I'm not a programmer and
I think this is a quite common request I just wonder:
Hasn't somebody already written such a per-source connection rate limiter?
Is there a repository of different userspace QUEUE tools where I could find
something similar?
Regards
--
Benoît Panizzon, <bp@imp.ch>
------------------------------------------------------------------------
ImproWare AG, UNIXSP & ISP Phone: +41 61 826 93 00
Kabelinternet-Hotline: +41 61 826 93 07
Zurlindenstrasse 29 Fax: +41 61 826 93 01
CH-4133 Pratteln Net: http://www.imp.ch/
------------------------------------------------------------------------
* Re: max-src-conn-rate (Connection rate throttling per IP)
From: Jakub Wartak @ 2005-08-30 12:59 UTC (permalink / raw)
To: netfilter
On Tuesday, 30 August 2005 14:40, Benoit Panizzon wrote:
> Hi all
>
> I'm looking for a way to prevent connection DOSing of specific services.
>
> The goal is to count the connection rate per connecting IP and then reject
> those connections if they pass a certain limit.
>
> It looks like OpenBSD's pf is the only packet filter (except some
> commercial firewalls) which has this ability.
>
> The best I managed with iptables is to throttle the connection rate for a
> specific port, but this of course affects normal users trying to use that
> service and does not change the fact of the service being DOSed.
>
> The other possibility I found is to write my own userspace QUEUE target
> connection rate tracker via the iptables API. But as I'm not a programmer
> and I think this is a quite common request I just wonder:
>
> Hasn't somebody already written such a per-source connection rate
> limiter?
>
Have you tried hashlimit?
ex1. (not tested):
# seems that hashlimit doesn't support negation ("!")
# example way to achieve the same result:
# one bucket per (source IP, destination port): up to 5 new connections/s
# (plus the default burst of 5) are accepted, anything faster falls through to DROP
iptables -t raw -N ANTIDOS
iptables -t raw -A ANTIDOS -m hashlimit --hashlimit 5/s \
    --hashlimit-name limitDoS --hashlimit-mode srcip,dstport -j ACCEPT
iptables -t raw -A ANTIDOS -j DROP
iptables -t raw -A PREROUTING -i eth0 -p tcp --syn -j ANTIDOS
Another idea is to add "bad" IPs to recent list and then drop all traffic from
them for example for 12 hours.
You could also use connlimit.
--
Jakub Wartak
-vnull
FreeBSD/OpenBSD/Linux/Solaris/Network Administrator
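To show what the srcip,dstport hashlimit bucket in the rule above does to a stream of SYNs (and why each source gets its own allowance, unlike a plain per-port limit), here is an added simulation; it is not code from the thread or from netfilter, the refill arithmetic is an assumed simplification of xt_hashlimit's credit accounting, and the addresses and timings are constructed:

```python
"""Token-bucket model of '-m hashlimit --hashlimit 5/s --hashlimit-mode
srcip,dstport' with the default --hashlimit-burst 5. Assumed simplification
of the kernel's credit accounting; integer milli-tokens keep results exact."""

RATE_PER_SEC = 5     # --hashlimit 5/s
BURST = 5            # --hashlimit-burst default
SCALE = 1000         # 1 token == 1000 milli-tokens; times are in ms


def hashlimit_verdicts(syns, rate=RATE_PER_SEC, burst=BURST):
    """syns: (time_ms, src_ip, dst_port) SYNs in arrival order.
    Returns one 'ACCEPT'/'DROP' per packet, as the ANTIDOS chain would:
    a token left in the (src_ip, dst_port) bucket -> ACCEPT, else DROP."""
    buckets = {}  # (src_ip, dst_port) -> [milli_tokens, last_seen_ms]
    verdicts = []
    for t, src, dport in syns:
        key = (src, dport)
        if key not in buckets:
            buckets[key] = [burst * SCALE, t]       # a new bucket starts full
        bucket = buckets[key]
        # refill: rate tokens/s == rate milli-tokens/ms, capped at the burst
        bucket[0] = min(burst * SCALE, bucket[0] + (t - bucket[1]) * rate)
        bucket[1] = t
        if bucket[0] >= SCALE:
            bucket[0] -= SCALE
            verdicts.append("ACCEPT")
        else:
            verdicts.append("DROP")
    return verdicts


# Constructed sample: one source hammers port 80 every 100 ms, while an
# unrelated client and the same source's traffic to port 443 arrive in between.
FLOOD = [(100 * i, "203.0.113.5", 80) for i in range(12)]
SAMPLE = sorted(FLOOD + [(500, "198.51.100.9", 80), (900, "203.0.113.5", 443)])


def summarize(syns=SAMPLE):
    """Return {(src, dport): (accepted, dropped)} for a SYN stream."""
    counts = {}
    for (t, src, dport), v in zip(syns, hashlimit_verdicts(syns)):
        a, d = counts.get((src, dport), (0, 0))
        counts[(src, dport)] = (a + (v == "ACCEPT"), d + (v == "DROP"))
    return counts


if __name__ == "__main__":
    for (src, dport), (a, d) in summarize().items():
        print(f"{src}:{dport}  accepted={a} dropped={d}")
```

The flooding source burns its burst of 5 and then only gets one SYN through per 200 ms, while the other client and the other port are untouched.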
* Re: max-src-conn-rate (Connection rate throttling per IP)
From: Sascha Reissner @ 2005-08-30 13:03 UTC (permalink / raw)
To: Benoit Panizzon; +Cc: netfilter
Benoit Panizzon wrote:
> Hi all
>
> I'm looking for a way to prevent connection DOSing of specific services.
>
> The goal is to count the connection rate per connecting IP and then reject
> those connections if they pass a certain limit.
>
> It looks like OpenBSD's pf is the only packet filter (except some commercial
> firewalls) which has this ability.
>
> The best I managed with iptables is to throttle the connection rate for a
> specific port, but this of course affects normal users trying to use that
> service and does not change the fact of the service being DOSed.
>
> The other possibility I found is to write my own userspace QUEUE target
> connection rate tracker via the iptables API. But as I'm not a programmer and
> I think this is a quite common request I just wonder:
>
> Hasn't somebody already written such a per-source connection rate limiter?
>
> Is there a repository of different userspace QUEUE tools where I could find
> something similar?
>
> Regards
Uhm, why don't you just use features that are already built into
iptables? Like the following:
iptables -I INPUT -i <interface> -p <protocol> --dport <port> -m state \
    --state NEW -m recent --set
iptables -I INPUT -i <interface> -p <protocol> --dport <port> -m state \
    --state NEW -m recent --update --seconds 60 --hitcount 3 -j DROP
Just exchange <interface>, <protocol> and <port> and maybe the timespan
and hitcount. This will DROP incoming _new_ connections if they exceed
the counter in a given timeframe. It will resume accepting _new_
connection requests from the given source IP address once the counter to
timespan threshold does not get exceeded.
I use this to prevent simple scripts from bruteforcing my sshd.
Okay, you might run into problems if people use forged source IP addresses
since this would also block _new_ connection requests from this IP.
If someone has a smarter idea - let me know.
Regards,
Sascha
* Re: max-src-conn-rate (Connection rate throttling per IP)
From: Taylor, Grant @ 2005-08-30 23:03 UTC (permalink / raw)
To: netfilter
Sascha Reissner wrote:
> iptables -I INPUT -i <interface> -p <protocol> --dport <port> -m state
> --state NEW -m recent --set
> iptables -I INPUT -i <interface> -p <protocol> --dport <port> -m state
> --state NEW -m recent --update --seconds 60 --hitcount 3 -j DROP
> Okay you might run into problems if people use forged source ip adresses
> since this would also block _new_ connection requests from this ip.
>
> If someone has a smarter idea - let me know.
Why don't you add the "--rttl" parameter to the recent match extension? Here is a
quote from "iptables -m recent -h" output explaining it:
"For check and update commands above. Specifies that the match will only occur if
the source address and the TTL match between this packet and the one which was
set. Useful if you have problems with people spoofing their source address in
order to DoS you via this module."
Grant. . . .
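The two-rule recent pattern from Sascha's message (with "iptables -I" the --update/DROP rule ends up above the --set rule) and the --rttl check quoted above, run over a constructed SYN stream as an added model; this is not the thread's or the kernel module's code, and it assumes, as a simplification, that the stored timestamps are counted before the current packet is recorded:

```python
"""Model of: -m recent --update --seconds 60 --hitcount 3 [--rttl] -j DROP
placed above -m recent --set. Assumed simplification of xt_recent: stored
stamps are counted first, then --set or a matching --update records the
packet (a matching --update therefore extends the lockout)."""

SECONDS, HITCOUNT = 60, 3


def recent_verdicts(syns, seconds=SECONDS, hitcount=HITCOUNT, rttl=False):
    """syns: (time_s, src_ip, ttl) new-connection SYNs in arrival order."""
    table = {}      # src_ip -> {"ttl": int, "stamps": [time_s, ...]}
    verdicts = []
    for t, src, ttl in syns:
        e = table.get(src)
        verdict = "ACCEPT"
        # rule 1: --update --seconds/--hitcount [--rttl] -j DROP
        if e is not None and (not rttl or e["ttl"] == ttl):
            hits = sum(1 for s in e["stamps"] if t - s <= seconds)
            if hits >= hitcount:
                e["stamps"].append(t)     # --update records the blocked try too
                verdict = "DROP"
        if verdict == "ACCEPT":
            # rule 2: --set (no target: records the address, packet continues)
            if e is None:
                e = table[src] = {"ttl": ttl, "stamps": []}
            e["stamps"].append(t)
            e["ttl"] = ttl
        verdicts.append(verdict)
    return verdicts


# Constructed sample: a real client (TTL 57 on arrival) connects twice, an
# attacker forges its source address from a different path (TTL 240), then
# the real client retries inside the window and again after it has expired.
CLIENT = "198.51.100.7"
SAMPLE = [(0, CLIENT, 57), (10, CLIENT, 57),
          (20, CLIENT, 240), (21, CLIENT, 240), (22, CLIENT, 240),
          (30, CLIENT, 57), (100, CLIENT, 57)]

if __name__ == "__main__":
    for flag in (False, True):
        print("--rttl" if flag else "plain ", recent_verdicts(SAMPLE, rttl=flag))
```

Without --rttl the forged SYNs lock the real client out at t=30; with --rttl the TTL mismatch keeps its retry off the DROP rule while the forged packets are still dropped.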
* Re: max-src-conn-rate (Connection rate throttling per IP)
From: Jakub Wartak @ 2005-08-30 13:07 UTC (permalink / raw)
To: netfilter
On Tuesday, 30 August 2005 14:40, Benoit Panizzon wrote:
> Hi all
>
> I'm looking for a way to prevent connection DOSing of specific services.
>
> The goal is to count the connection rate per connecting IP and then reject
> those connections if they pass a certain limit.
>
> It looks like OpenBSD's pf is the only packet filter (except some
> commercial firewalls) which has this ability.
>
> The best I managed with iptables is to throttle the connection rate for a
> specific port, but this of course affects normal users trying to use that
> service and does not change the fact of the service being DOSed.
>
> The other possibility I found is to write my own userspace QUEUE target
> connection rate tracker via the iptables API. But as I'm not a programmer
> and I think this is a quite common request I just wonder:
>
> Hasn't somebody already written such a per-source connection rate
> limiter?
>
Have you tried hashlimit?
ex1. (not tested):
# seems that hashlimit doesn't support negation ("!")
# example way to achieve the same result:
# one bucket per (source IP, destination port): up to 5 new connections/s
# (plus the default burst of 5) are accepted, anything faster falls through to DROP
iptables -t raw -N ANTIDOS
iptables -t raw -A ANTIDOS -m hashlimit --hashlimit 5/s \
    --hashlimit-name limitDoS --hashlimit-mode srcip,dstport -j ACCEPT
iptables -t raw -A ANTIDOS -j DROP
iptables -t raw -A PREROUTING -i eth0 -p tcp --syn -j ANTIDOS
Another idea is to add "bad" IPs to recent list and then drop all traffic from
them for example for 12 hours.
You could also use connlimit.
--
Jakub Wartak
-vnull
FreeBSD/OpenBSD/Linux/Solaris/Network Administrator