* DoS attack mitigation in netfilter
@ 2016-07-06 4:36 Vikas
2016-07-06 8:18 ` Eric Dumazet
0 siblings, 1 reply; 4+ messages in thread
From: Vikas @ 2016-07-06 4:36 UTC (permalink / raw)
To: coreteam, Pablo Neira Ayuso; +Cc: netfilter-devel, eric
Hi,
I wanted to explore the options netfilter provides to mitigate DoS/SYN attacks.
Even if there is a mechanism to incorporate a rate-limiter solution for
high-volume incoming traffic, that would help.
Any input in this regard will be appreciated.
Regards
Vikas
* Re: DoS attack mitigation in netfilter
2016-07-06 4:36 DoS attack mitigation in netfilter Vikas
@ 2016-07-06 8:18 ` Eric Dumazet
2017-03-31 5:16 ` Writing metadata to a packet Vikas
0 siblings, 1 reply; 4+ messages in thread
From: Eric Dumazet @ 2016-07-06 8:18 UTC (permalink / raw)
To: Vikas; +Cc: coreteam, Pablo Neira Ayuso, netfilter-devel, eric
On Wed, 2016-07-06 at 10:06 +0530, Vikas wrote:
> Hi,
>
> I wanted to explore the options netfilter provides to mitigate DoS/SYN attacks.
> Even if there is a mechanism to incorporate a rate-limiter solution for
> high-volume incoming traffic, that would help.
>
> Any input in this regard will be appreciated.
SYN attacks are no longer a problem with current Linux kernels.
(linux-4.7 can really absorb about 6Mpps of SYN on a single listener, and
more for SO_REUSEPORT-enabled listeners.)
There is absolutely nothing you can do for a SYN attack, especially not
trying to rate limit it, as you might drop valid SYN packets and thus
hurt real users.
It is simply best to deal with it, as for other kinds of attacks.
* Writing metadata to a packet
2016-07-06 8:18 ` Eric Dumazet
@ 2017-03-31 5:16 ` Vikas
2017-03-31 6:29 ` Patrick Schaaf
0 siblings, 1 reply; 4+ messages in thread
From: Vikas @ 2017-03-31 5:16 UTC (permalink / raw)
To: coreteam; +Cc: Pablo Neira Ayuso, netfilter-devel, eric
Hi,
I was wondering how we can set some user-specified values when we
punt a packet from source to destination in an infrastructure which uses
netfilter? More precisely, at the source side, so that when the packet reaches
the destination host, it can decode the metadata values.
Is there a way out? Any pointer/link would be appreciated.
Regards
Vikas
* Re: Writing metadata to a packet
2017-03-31 5:16 ` Writing metadata to a packet Vikas
@ 2017-03-31 6:29 ` Patrick Schaaf
0 siblings, 0 replies; 4+ messages in thread
From: Patrick Schaaf @ 2017-03-31 6:29 UTC (permalink / raw)
To: Vikas; +Cc: netfilter-devel
Hi Vikas,
In a very controlled environment (loadbalancer to real servers), I'm
doing that using the IP TOS / DSCP header bits: manipulating them
using the TOS target on the loadbalancer, in mangle/PREROUTING rules,
and matching them using the tos match on the realservers (nat
PREROUTING) to effect a REDIRECT to different local ports (various
Apache listening ports).
Not for the faint of heart...
There is no nice, wide standard "I've got these bits to freely set and
get them to arbitrary destinations" mechanism on the IP or TCP layer.
netfilter can't invent such a thing...
best regards
Patrick
On Fri, Mar 31, 2017 at 7:16 AM, Vikas <vikas.c.kumar@oracle.com> wrote:
> Hi,
>
> I was wondering how we can set some user-specified values when we punt a
> packet from source to destination in an infrastructure which uses netfilter?
> More precisely, at the source side, so that when the packet reaches the
> destination host, it can decode the metadata values.
> Is there a way out? Any pointer/link would be appreciated.
>
> Regards
> Vikas
>
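The TOS-tagging arrangement Patrick describes, written out as an added example that is not code from the thread or from the netfilter project: one function prints the loadbalancer rule (TOS target in mangle/PREROUTING), another prints the realserver rule (tos match in nat/PREROUTING with REDIRECT), and a small check shows why the match needs a mask. The client network 10.0.0.0/8, the tag value 0x10 and the backend port 8081 are assumed values chosen for the example; the rules are printed rather than executed unless APPLY=1 is set.

```shell
# Added example, not code from the thread. Generates the iptables rules for
# the TOS-tagging scheme. All concrete values are assumptions for illustration:
# client network 10.0.0.0/8, TOS tag 0x10, Apache listening on port 8081.
CLIENT_NET="${CLIENT_NET:-10.0.0.0/8}"
TOS_VALUE="${TOS_VALUE:-0x10}"
TOS_MASK="0xfc"                      # touch only the DSCP bits, leave the ECN bits alone
BACKEND_PORT="${BACKEND_PORT:-8081}"

# Loadbalancer side (mangle/PREROUTING): tag port-80 traffic from CLIENT_NET.
lb_rules() {
    printf 'iptables -t mangle -A PREROUTING -s %s -p tcp --dport 80 -j TOS --set-tos %s/%s\n' \
        "$CLIENT_NET" "$TOS_VALUE" "$TOS_MASK"
}

# Realserver side (nat/PREROUTING): match the tag and REDIRECT to a local port.
# The match uses the same value/mask pair as the target; without the mask a
# client that negotiated ECN (low two bits set) would fail the comparison.
rs_rules() {
    printf 'iptables -t nat -A PREROUTING -p tcp --dport 80 -m tos --tos %s/%s -j REDIRECT --to-ports %s\n' \
        "$TOS_VALUE" "$TOS_MASK" "$BACKEND_PORT"
}

# Does a received TOS byte carry our tag under the mask?  0x12 is the tag
# plus ECN ECT(0) and must still match; 0x00 (untagged) must not.
tos_has_tag() {
    [ $(( $1 & TOS_MASK )) -eq $(( TOS_VALUE )) ]
}

# Print the rules for one role; execute them only when APPLY=1 (needs root).
emit() {
    case "$1" in
        lb) rules=$(lb_rules) ;;
        rs) rules=$(rs_rules) ;;
        *)  echo "usage: emit lb|rs" >&2; return 2 ;;
    esac
    if [ "${APPLY:-0}" = 1 ]; then
        printf '%s\n' "$rules" | sh
    else
        printf '%s\n' "$rules"
    fi
}
```

Run `emit lb` on the loadbalancer and `emit rs` on each realserver to see the rules; the mask 0xfc is what keeps the scheme from clobbering or mis-matching the ECN bits. Because any hop that remarks DSCP will silently erase the tag, this only works on a path you control end to end, which is the "very controlled environment" caveat above.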