From: alvin.ml@Mail.DDoS-Mitigator.net
To: Josh Day <conna666@gmail.com>
Cc: netfilter@vger.kernel.org, alvin.ml@Mail.DDoS-Mitigator.net
Subject: Re: iptables TCP DDoS filtering
Date: Tue, 5 Jul 2016 12:08:49 -0700 [thread overview]
Message-ID: <20160705190849.GA26405@Mail.DDoS-Mitigator.net> (raw)
In-Reply-To: <loom.20160705T084958-392@post.gmane.org>
On 07/05/16 at 06:53am, Josh Day wrote:
> I'm curious if anyone of you has read this article
> https://javapipe.com/iptables-ddos-protection and tried any of the
> rules/settings. I read it today but I'm not sure what to make of it, so
> thought you guys could maybe share your opinion.
i've seen/read most of the various articles/howto/snipplets of using
iptables for ddos mitigation .. the list of various iptables howto
for ddos mitigation at the bottom of http://iptables-blacklist.net/Howto
some of the rules in javapipe.com seems way tooo complicated ...
( i think pre-routing and post-routing is un-necessary )
#
# more importantly, the iptables rules in javapipe is incomplete and
# "droping" packets is NOT ddos mitigation because you already received
# the packets.
#
the sysctl variables should be tuned per your server, cpu/mem, bandwidth,
and amt and type of DDoS attacks
i keep wondering which of the big brand-name ddos mitigation appliances
are using iptables under the hood ( under their "propritory os" )
i claim iptables + tarpit is ideal to defend against tcp-based ddos
attacks ... the attacking zombie-host has to sit and wait the
tcp-timeout .. there are roughly 65,535 tcp-ports that should
be protected with tarpits :-) .. how one builds the LAMP servers
and how the network infrastrucure is configugred greatly affects
your ability to mitigate tcp-based ddos attacks
---
i think that dropping or limiting icmp-based or udp-based attacks are
pointless since you've already received the ddos packets
udp-based and icmp-based attacks must be mitigated at the uplink ISP
and not at the server under attack
also, limiting incoming is sorta misleading, since you cannot
limit/stop/block/drop incoming packets. you can only limit which
of the incoming packets you are replying to
there are some icmp-packets you should reply to while ignoring
un-necessary and un-used udp services
there are some udp-packets you should reply to while ignoring
un-necessary and un-used udp services
magic pixie dust
alvin
#
# DDoS-Mitigator.net ... automated tcp-based iptables + tarpits
# DDoS-Simulator.net
#
next prev parent reply other threads:[~2016-07-05 19:08 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-07-05 6:53 iptables TCP DDoS filtering Josh Day
2016-07-05 19:08 ` alvin.ml [this message]
2016-07-06 7:07 ` John Wayne
2016-07-06 15:16 ` alvin.ml
2016-07-05 20:51 ` Neal P. Murphy
2016-07-06 8:29 ` Antonio Prado
2016-07-06 14:21 ` alvin.ml
2016-07-06 15:36 ` Antonio Prado
2016-07-06 17:45 ` alvin.ml
2016-07-06 19:13 ` Neal P. Murphy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160705190849.GA26405@Mail.DDoS-Mitigator.net \
--to=alvin.ml@mail.ddos-mitigator.net \
--cc=conna666@gmail.com \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox