Re: ddos / no connection tracking / tarpitting

[Fabien Germain <fabien.germain@gmail.com>]

As Ron explained, the problem with DoS is not the firewall (iptables
or not), but the pipe size. I also had a few DDoS, and the OpenBSD
firewall never had any trouble... but I had a pipe saturation :-(

Fabien
-- 
fabien (at) klipz (dot) fr
http://www.klipz.fr


On 4/23/05, Seferovic Edvin <edvin.seferovic@kolp.at> wrote:
> Hi,
> 
> my partner company has implemented a really good DdoS protection that is
> able to process more than 3mil packets/sec. Beside of that fact, the
> appliance has web interface where you can track the load on your connection
> as well as block some ips or ip ranges that are attacking your server. If
> you are interested, I could send you a information folder.
> 
> Regards,
> 
> Edvin Seferovic
> 
> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org
> [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of R. DuFresne
> Sent: Freitag, 22. April 2005 23:13
> To: Taylor Grant
> Cc: Vic N; netfilter@lists.netfilter.org
> Subject: Re: ddos / no connection tracking / tarpitting
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> the only way to really survive a ddos without affecting connectivity in
> any shapoe or form is to have a bigger pipe then the other end<s> does.
> idiots trying to ddos from a cable connection or dialup are not a problem
> and sufferable.  Those a tad higher in technical advancement with a bot
> net and tousands of zomies to attack from are likely to bring even the
> biggest pipes to a dead halt, at least getting in and our of the firewall
> gateway is impossible.  Traffic on the inside should be unaffected.
> 
> I've suffered attacks with a firewall not doing connection tracking and
> had no problems with either the firewall failing or suffereing a reboot.
> I have yet to suffer such an attack on a staeful firewall, but tend to
> think I should suffer no less with such a firewall in place as apposed to
> an the older mere packet filters I've been replacing over time.  Course,
> it helps to have enough RAM in the firewall in the firstplace...
> 
> pipes size and RAM, them be the keys to surviival.
> 
> Thanks,
> 
> Ron DuFresne
> 
> On Fri, 22 Apr 2005, Taylor Grant wrote:
> 
> >> A while ago I saw an iptables solution that was able to serve as an
> >> effective anti-ddos solution.   I didn't get to see under the hood, but
> >> the creator told me that the solution was essentially an iptables
> >> implementation with no connection tracking built in.  Allegedly, the fact
> 
> >> that no connection tracking was used enabled the the iptables to deal
> with
> >> a much higher volume of traffic w/o crashing.  He had also mentioned
> using
> >> packet counting (to count packets as they passed through since there was
> >> no way to keep track of them otherwise) and using tarpitting.
> >>
> >> While I can't attest to what the person told me, I do know the firewall
> >> was soaking up ddos traffic that was otherwise bringing servers to their
> >> knees with the use of regular connection-based firewalling.
> >>
> >> So my question is, is this the basic element of building a good anti-ddos
> 
> >> solution wtih iptables to address a *large* volume of ddos traffic to
> >> build iptables w/o connection tracking?
> >>
> >> Thanks,
> >
> > Yes this is possible and (I think) fairly easy to do.  As I have never
> done
> > this I can not tell you for sure, but this is what I would do if I were to
> do
> > such a thing.
> >
> > I will presume that you are wanting to drop all traffic to a specif port
> on
> > an IP address for the sake of this discussion.
> >
> > iptables -t raw -A PREROUTING -d 1.2.3.4 -p tcp --dport 5678 -j NOTRACK
> > iptables -t filter -A FORWARD -d 1.2.3.4 -p tcp --dport 5678 -j TARPIT
> >
> > This will cause any traffic that comes in that is distend to 1.2.3.4 on
> port
> > 5678 to  NOT be tracked with the connecting tracking sub system and to
> > subsequently be redirected to the TARPIT target.
> >
> >
> >
> > Grant. . . .
> >
> 
> - --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>          admin & senior security consultant:  sysinfo.com
>                          http://sysinfo.com
> Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629
> 
> ...We waste time looking for the perfect lover
> instead of creating the perfect love.
> 
>                  -Tom Robbins <Still Life With Woodpecker>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (GNU/Linux)
> 
> iD8DBQFCaWjtst+vzJSwZikRAu6hAJ496gLuwc31uc2uiCNXzbk3AMA1SQCdEXNI
> VfK1Yh+17fGQV6Qb6gRF8Zc=
> =sgu8
> -----END PGP SIGNATURE-----
> 
>