* iptables based appliances
@ 2015-06-07 15:04 alvin
From: alvin @ 2015-06-07 15:04 UTC (permalink / raw)
To: netfilter; +Cc: alvin
hi netfilter ml
i was curious,
does anybody know which ddos appliances use IPtables to
mitigate incoming ddos attacks ?
----
in the past few years, i've tarpit'd about 10,000 IP# of DDoS attackers
on a little ole box ( EPIA-800 w/ 1GB of memory ) and it barely
can handle the load ... but then again, 10,000 iptables entries
is fairly steep and semi-ridiculous :-)
http://networknightmare.net/Tarpits/#Install
even if the src IP# might be spoof'd, i still do NOT want those
incoming DDoS attacks coming in at 1,000 or 10,000 packets per second
iptables + tarpit is a good way to defend against incoming TCP-based attacks
which includes SSH attacks, SMTP attacks, http attacks, etc
--
thanx
alvin.sm-at-Linux-Consulting.com
alvin-at-DDoS-Mitigator.net === mitigate incoming TCP-based attacks
* Re: iptables based appliances
From: Neal P. Murphy @ 2015-06-07 19:51 UTC (permalink / raw)
To: netfilter
On Sun, 7 Jun 2015 08:04:40 -0700 (PDT)
alvin <alvin.sm@Mail.Linux-Consulting.com> wrote:
>
> hi netfilter ml
>
> i was curious,
>
> does anybody know which ddos appliances use IPtables to
> mitigate incoming ddos attacks ?
>
> ----
>
> in the past few years, i've tarpit'd about 10,000 IP# of DDoS
> attackers on a little ole box ( EPIA-800 w/ 1GB of memory ) and it
> barely can handle the load ... but then again, 10,000 iptables
> entries is fairly steep and semi-ridiculous :-)
>
> http://networknightmare.net/Tarpits/#Install
>
> even if the src IP# might be spoof'd, i still do NOT want those
> incoming DDoS attacks coming in at 1,000 or 10,000 packets per second
Yes, 1000 rules is a little overboard.
Have you tried ipset? Last I knew, it becomes more efficient than
individual rules when there are more than 16 IPs to check.
N
* Re: iptables based appliances - ipset
From: alvin @ 2015-06-08 14:02 UTC (permalink / raw)
To: Neal P. Murphy; +Cc: netfilter, alvin
hi neal
> On Sun, 7 Jun 2015 08:04:40 -0700 (PDT)
....
> > even if the src IP# might be spoof'd, i still do NOT want those
> > incoming DDoS attacks coming in at 1,000 or 10,000 packets per second
>
> Yes, 1000 rules is a little overboard.
and if there's 10,000 iptables rules, it's galactically overboard ?
- it was also a test to see if iptables would fail
and it didn't seem to break iptables
> Have you tried ipset? Last I knew, it becomes more efficient than
> individual rules when there are more than 16 IPs to check.
ipset is on the todo list ... but since most of the heavy DDoS attackers,
5,000 or ddos packets per hour, that i see are using just 1 ip# out of
their class-C, i thought ipset might not work as good since there's
no "classC" to tarpit ...
i'd assume the script kiddies are the ones using the zombie hosts at
*.11 *.12 *.13 *.14 doing silly things like portscans
my other iptables todo would be to AutoExpire the DDoS attackers
to minimize the list of active ddos attackers ... manually deleting
the attackers that went away is for the birds :-)
iptables -N AutoExpire
# send each known attacker's TCP traffic through the AutoExpire chain
iptables -A INPUT -p tcp -s attacker0001 -j AutoExpire
iptables -A INPUT -p tcp -s attacker0002 -j AutoExpire
iptables -A INPUT -p tcp -s attacker0003 -j AutoExpire
iptables -A INPUT -p tcp -s attacker2000 -j AutoExpire # 2,000 ddos attackers
...
# tarpit if still attacking within 24hrs (source seen in the last 86400s)
iptables -A AutoExpire -p tcp ... -m recent --name AutoExpire --rcheck --seconds 86400 -j TARPIT
# entry older than 24hrs: drop it, then record the source afresh and tarpit
iptables -A AutoExpire -p tcp ... -m recent --name AutoExpire --remove
iptables -A AutoExpire -p tcp ... -m recent --name AutoExpire --set -j TARPIT
one day, i will need to sit down and figure out the --remove syntax
for 5,000 DDoS attackers
thanx
alvin
IPtables-BlackList.net
* Re: iptables based appliances - ipset
From: Neal P. Murphy @ 2015-06-08 16:02 UTC (permalink / raw)
To: alvin; +Cc: netfilter
On Mon, 8 Jun 2015 07:02:12 -0700 (PDT)
alvin <alvin.sm@Mail.Linux-Consulting.com> wrote:
>
> hi neal
>
> > On Sun, 7 Jun 2015 08:04:40 -0700 (PDT)
> ....
> > > even if the src IP# might be spoof'd, i still do NOT want
> > > those incoming DDoS attacks coming in at 1,000 or 10,000 packets
> > > per second
> >
> > Yes, 1000 rules is a little overboard.
>
> and if there's 10,000 iptables rules, it's galactically overboard ?
>
> - it was also a test to see if iptables would fail
> and it didn't seem to break iptables
A few years ago, I tested iptables and a similar program. I used each
to add 250 000 rules (don't remember if I tried 1M). I found they had
to be added in batches of 15 000 to 20 000. (And it turned out that the
other program took about 5% less time than iptables to complete.)
> ...
> my other iptables todo would be to AutoExpire the DDoS attackers
> to minimize the list of active ddos attackers ... manually deleting
> the attackers that went away is for the birds :-)
IIRC, ipset has a way to auto-expire entries; I think it is a set
setting.
N
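Putting alvin's AutoExpire idea and Neal's ipset pointer together, here is an added example (not code from either poster or the netfilter project): one hash:ip set with a per-entry timeout and a single TARPIT rule replace thousands of per-IP rules, entries age out on their own, and a list of attackers is loaded in one `ipset restore` call rather than one iptables invocation each. The set name `ddos_tarpit`, the 24h timeout and the sample addresses are assumptions; it expects ipset and the xtables-addons TARPIT target to be present.

```shell
#!/bin/sh
# Added example (not from either poster): one ipset with per-entry timeouts
# plus a single iptables rule stands in for thousands of per-IP tarpit rules,
# and the entries expire by themselves once an address goes quiet.
# Assumes ipset and the xtables-addons TARPIT target are installed (run as root).
# DRY_RUN=1 prints the privileged commands instead of executing them.
SET_NAME="ddos_tarpit"   # hypothetical set name
EXPIRE_SECS=86400        # an entry is dropped 24h after its last refresh

run() { if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi; }

# Create the set (idempotent thanks to -exist) and hook it into INPUT once:
# every TCP packet from a listed source is tarpitted by this one rule.
setup_tarpit_set() {
    run ipset create "$SET_NAME" hash:ip timeout "$EXPIRE_SECS" -exist
    run iptables -I INPUT -p tcp -m set --match-set "$SET_NAME" src -j TARPIT
}

# Record or refresh one attacker. Because the add uses -exist, a repeat
# offender's timeout is reset; an address that stops attacking simply ages out.
note_attacker() {
    run ipset add "$SET_NAME" "$1" timeout "$EXPIRE_SECS" -exist
}

# Read attacker IPs on stdin (one per line, '#' comments and blanks skipped)
# and emit `ipset restore` input, so thousands of entries load in one call.
build_restore_input() {
    grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' \
      | awk -v set="$SET_NAME" -v t="$EXPIRE_SECS" \
            '{ printf "add %s %s timeout %s -exist\n", set, $1, t }'
}

load_attackers() {   # usage: load_attackers < attackers.txt
    if [ "${DRY_RUN:-0}" = "1" ]; then build_restore_input
    else build_restore_input | ipset restore; fi
}

# Constructed sample list (documentation addresses, not real attackers).
SAMPLE_LIST='# noisy hosts from the tarpit log
192.0.2.10

198.51.100.7'

# Usage: DRY_RUN=1 sh tarpit-set.sh demo   (show what would be done)
if [ "$1" = "demo" ]; then
    setup_tarpit_set
    printf '%s\n' "$SAMPLE_LIST" | load_attackers
    note_attacker 203.0.113.5
fi
```

Re-running the loader on a refreshed list is safe: addresses still attacking get their timeout reset, and anything not seen for EXPIRE_SECS disappears from the set without any --remove bookkeeping.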