From: "Tony.Ho" <support@idccenter.cn>
To: Ric Messier <kilroy@WasHere.COM>, netfilter@lists.netfilter.org
Subject: Re: syn DDoS attack solution
Date: Fri, 01 Jun 2007 09:20:26 +0800 [thread overview]
Message-ID: <465F745A.7040603@idccenter.cn> (raw)
In-Reply-To: <015e01c7a3bf$64fbe7e0$2ef3b7a0$@COM>
I have a thought about this.
I can use ipset and iptables on a bridge firewall.
ipt_recent module compares the SYN package and ACK package's TTL. If not
match then drop.
ipt_hashlimit module stores the concurrent connections. When the
connections exceed the threshold iptables would store the IP in ipset.
ipset's iptree modules can store the IP in a fixed time. When a IP which
is in the iptree's list comes the firewall iptables would TARPIT its tcp
connection.
Is this setting effective?
Ric Messier wrote:
> Bgs writes:
>
>> We recently got under a low traffic botnet DDoS attack. All attacker
>> nodes opened a single tcp session (just SYN part) and then did nothing.
>> This rules out rate limiting solutions and syncookie doesn't help
>> either. (Thousands of attacking nodes).
>>
>>
>
> This is simply a SYN flood attack. It may or may not be a botnet (though
> saying botnet makes it sound sexier :-) ). A decent SYN flood attack tool
> would randomize the source address anyway.
>
> You should try reading the following as a starting point:
>
> http://www.securityfocus.com/infocus/1729
>
> Your second suggestion has been implemented in the TCP/IP stack forever. The
> article above gives guidance on how to tune it in a Linux implementation.
>
> Ric
>
>
>
>
next prev parent reply other threads:[~2007-06-01 1:20 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-05-31 16:19 syn DDoS attack solution Bgs
2007-05-31 19:57 ` R. DuFresne
2007-06-01 9:45 ` Bgs
2007-05-31 20:08 ` Ric Messier
2007-06-01 1:20 ` Tony.Ho [this message]
2007-06-01 9:44 ` Bgs
2007-06-01 15:01 ` Ric Messier
2007-06-01 15:37 ` Bgs
2007-06-02 19:07 ` R. DuFresne
2007-06-04 14:22 ` Ric Messier
2007-06-04 17:24 ` Martin McKeay
2007-06-04 23:16 ` R. DuFresne
2007-06-05 8:29 ` Bgs
2007-06-05 14:16 ` Steven M Campbell
2007-06-05 15:22 ` ..prevention, was: " Arnt Karlsen
2007-06-05 15:40 ` Steven M Campbell
2007-06-05 15:40 ` Steven M Campbell
2007-06-05 18:34 ` Arnt Karlsen
2007-06-07 18:41 ` Martin McKeay
2007-06-08 1:40 ` Arnt Karlsen
2007-06-12 18:10 ` Martin McKeay
2007-06-12 22:44 ` R. DuFresne
2007-06-13 14:24 ` Martin McKeay
2007-06-13 17:26 ` Arnt Karlsen
2007-06-13 17:44 ` Martin McKeay
2007-06-14 19:43 ` R. DuFresne
2007-06-14 20:13 ` supportnew
2007-06-01 21:34 ` Martijn Lievaart
2007-06-01 21:37 ` Martijn Lievaart
2007-06-01 21:38 ` Ric Messier
2007-06-01 23:09 ` Ethy H. Brito
2007-06-19 18:22 ` R. DuFresne
2007-06-19 22:19 ` Robert Nichols
2007-06-19 23:02 ` Pascal Hambourg
2007-06-21 18:26 ` R. DuFresne
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=465F745A.7040603@idccenter.cn \
--to=support@idccenter.cn \
--cc=kilroy@WasHere.COM \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.