From: Askar Ali Khan <askarali@gmail.com>
To: netfilter <netfilter@lists.netfilter.org>
Subject: service attacks (DoS)
Date: Thu, 19 Aug 2004 17:47:49 +0500
Message-ID: <a0f69e5040819054736ace4f6@mail.gmail.com>

Hi,

I'm trying to protect my server from various types of DoS, for example
SYN-flood protection, furtive port scanner, ping of death. It's our
server B, protected by firewall machine A.

client traffic follows  A --------------> B
                       (fw)           (server)

What I did first was to log packets on server B to check with (thanks to Anthony):

# To log avoid various denial of service attacks (DoS) with a faster rate to increase responsiveness
iptables -N LogPackets
# Call the chain right at the top of the INPUT table so we see all the packets
iptables -I INPUT -j LogPackets
# Create a unique log entry for each type of packet we want to know about
## Syn-flood protection
iptables -A LogPackets -p tcp --syn -m limit --limit 1/s -j LOG --log-prefix "Syn-flood "
## Furtive port scanner
iptables -A LogPackets -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j LOG --log-prefix "Furtive port scanner "
## Ping of death
iptables -A LogPackets -p icmp --icmp-type echo-request -m limit --limit 1/s -j LOG --log-prefix "Ping of death "

When I do "iptables -L LogPackets -nvx" I'm getting a lot of new packets/s:

iptables -L LogPackets -nvx
Chain LogPackets (1 references)
    pkts    bytes target  prot opt in  out  source      destination
      25     1248 LOG     tcp  --  *   *    0.0.0.0/0   0.0.0.0/0   tcp flags:0x16/0x02 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix `Syn-flood '
      24      960 LOG     tcp  --  *   *    0.0.0.0/0   0.0.0.0/0   tcp flags:0x17/0x04 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix `Furtive port scanner '
       3      192 LOG     icmp --  *   *    0.0.0.0/0   0.0.0.0/0   icmp type 8 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix `Ping of death '

My questions:

1) What exactly I'm not getting is "-m limit --limit 1/s": what values
   to set for my environment, with 100 users connected at any time?
2) ACCEPTed or DROPped?

Regards,
Askar
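
Added example, not part of the original message: a simplified model of the token bucket behind "-m limit --limit 1/s" with the burst of 5 shown in the listing above. The class and function names are hypothetical, time is counted in whole milliseconds, and the arrival patterns are constructed.

```python
from dataclasses import dataclass


@dataclass
class LimitMatch:
    """Simplified model of '-m limit': one credit per interval, capped at burst."""
    interval_ms: int = 1000   # --limit 1/s  -> one new credit every 1000 ms
    burst: int = 5            # "burst 5" in the iptables -L listing

    def __post_init__(self):
        self.credit = self.burst * self.interval_ms   # bucket starts full
        self.last_ms = 0

    def matches(self, now_ms: int) -> bool:
        # Refill for the elapsed time, never beyond the burst cap.
        cap = self.burst * self.interval_ms
        self.credit = min(cap, self.credit + (now_ms - self.last_ms))
        self.last_ms = now_ms
        if self.credit >= self.interval_ms:
            self.credit -= self.interval_ms   # the rule matches; LOG fires
            return True
        return False   # limit exceeded: rule does not match, no log line


def count_logged(arrivals_ms, interval_ms=1000, burst=5):
    """Number of packets for which the LOG rule matches (its 'pkts' counter)."""
    match = LimitMatch(interval_ms, burst)
    return sum(1 for t in arrivals_ms if match.matches(t))


def steady(pps, seconds):
    """Constructed input: evenly spaced arrival times (ms) at pps packets/s."""
    return [i * 1000 // pps for i in range(pps * seconds)]


if __name__ == "__main__":
    for pps in (100, 1000):
        n = count_logged(steady(pps, 10))
        print(f"{pps:5d} pkt/s for 10 s -> {n} log entries")
    slow = [i * 2000 for i in range(10)]   # one packet every 2 s
    print(f"1 pkt per 2 s, 10 packets -> {count_logged(slow)} log entries")
```

Both flood rates produce the same count, so the pkts column of a limited LOG rule shows how many log lines the limit allowed, not how many packets arrived. LOG is a non-terminating target, so a packet is neither accepted nor dropped by these rules and continues through the INPUT chain.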