ddos / no connection tracking / tarpitting

ddos / no connection tracking / tarpitting

[Vic N]

A while ago I saw an iptables solution that was able to serve as an 
effective anti-ddos solution.   I didn't get to see under the hood, but the 
creator told me that the solution was essentially an iptables implementation 
with no connection tracking built in.  Allegedly, the fact that no 
connection tracking was used enabled the the iptables to deal with a much 
higher volume of traffic w/o crashing.  He had also mentioned using packet 
counting (to count packets as they passed through since there was no way to 
keep track of them otherwise) and using tarpitting.

While I can't attest to what the person told me, I do know the firewall was 
soaking up ddos traffic that was otherwise bringing servers to their knees 
with the use of regular connection-based firewalling.

So my question is, is this the basic element of building a good anti-ddos 
solution wtih iptables to address a *large* volume of ddos traffic to build 
iptables w/o connection tracking?

Thanks,

Re: ddos / no connection tracking / tarpitting

[Jason Opperisano]

On Thu, Apr 21, 2005 at 09:19:43PM -0700, Vic N wrote:
> A while ago I saw an iptables solution that was able to serve as an 
> effective anti-ddos solution.   I didn't get to see under the hood, but the 
> creator told me that the solution was essentially an iptables 
> implementation with no connection tracking built in.  Allegedly, the fact 
> that no connection tracking was used enabled the the iptables to deal with 
> a much higher volume of traffic w/o crashing.  He had also mentioned using 
> packet counting (to count packets as they passed through since there was no 
> way to keep track of them otherwise) and using tarpitting.
> 
> While I can't attest to what the person told me, I do know the firewall was 
> soaking up ddos traffic that was otherwise bringing servers to their knees 
> with the use of regular connection-based firewalling.
> 
> So my question is, is this the basic element of building a good anti-ddos 
> solution wtih iptables to address a *large* volume of ddos traffic to build 
> iptables w/o connection tracking?

that...or installing openbsd.

-j

--
"Psychiatrist: Does Stewie have a history of violence?
 Lois: Oh no, this is Stewie's first violent act.
 Stewie: Actually, my first violent act involved that ticking time bomb
 that I left in your uterus when I left. Happy 50th Birthday, Lois."
        --Family Guy

Re: ddos / no connection tracking / tarpitting

[Taylor Grant]

> that...or installing openbsd.

I have never messed with OpenBSD in ANY way shape or form.  Can you offer any comparisons on OpenBSD's firewall capabilities to Linux's IPTables?



Grant. . . .

Re: ddos / no connection tracking / tarpitting

[Jason Opperisano]

On Thu, Apr 21, 2005 at 11:45:46PM -0500, Taylor Grant wrote:
> >that...or installing openbsd.
> 
> I have never messed with OpenBSD in ANY way shape or form.  Can you offer 
> any comparisons on OpenBSD's firewall capabilities to Linux's IPTables?

(note to self--this is why we don't post to public mailing lists while
drinking)

somehow--i knew this would illicit a response from you.  as i am not
sure that this is the proper forum for such a discussion, i will only
say this:

openbsd is where old BOFH's turn when all hope has been lost...and
their faith is renewed eternal, thus completing the circle of life...err
network administration.

-j

--
"Peter: You know, I oughta just give you some beer. Goes straight
 through you.
 Stewie: Wonderful. And while we're at it, we can light up a doobie and
 watch porn.
 Peter: Eh... yeah?"
        --Family Guy

Re: ddos / no connection tracking / tarpitting

[Taylor Grant]

> A while ago I saw an iptables solution that was able to serve as an 
> effective anti-ddos solution.   I didn't get to see under the hood, but 
> the creator told me that the solution was essentially an iptables 
> implementation with no connection tracking built in.  Allegedly, the 
> fact that no connection tracking was used enabled the the iptables to 
> deal with a much higher volume of traffic w/o crashing.  He had also 
> mentioned using packet counting (to count packets as they passed through 
> since there was no way to keep track of them otherwise) and using 
> tarpitting.
> 
> While I can't attest to what the person told me, I do know the firewall 
> was soaking up ddos traffic that was otherwise bringing servers to their 
> knees with the use of regular connection-based firewalling.
> 
> So my question is, is this the basic element of building a good 
> anti-ddos solution wtih iptables to address a *large* volume of ddos 
> traffic to build iptables w/o connection tracking?
> 
> Thanks,

Yes this is possible and (I think) fairly easy to do.  As I have never done this I can not tell you for sure, but this is what I would do if I were to do such a thing.

I will presume that you are wanting to drop all traffic to a specif port on an IP address for the sake of this discussion.

iptables -t raw -A PREROUTING -d 1.2.3.4 -p tcp --dport 5678 -j NOTRACK
iptables -t filter -A FORWARD -d 1.2.3.4 -p tcp --dport 5678 -j TARPIT

This will cause any traffic that comes in that is distend to 1.2.3.4 on port 5678 to  NOT be tracked with the connecting tracking sub system and to subsequently be redirected to the TARPIT target.



Grant. . . .

Re: ddos / no connection tracking / tarpitting

[Jozsef Kadlecsik]

On Fri, 22 Apr 2005, Taylor Grant wrote:

> > So my question is, is this the basic element of building a good
> > anti-ddos solution wtih iptables to address a *large* volume of ddos
> > traffic to build iptables w/o connection tracking?
>
> Yes this is possible and (I think) fairly easy to do.  As I have never done this I can not tell you for sure, but this is what I would do if I were to do such a thing.
>
> I will presume that you are wanting to drop all traffic to a specif port on an IP address for the sake of this discussion.
>
> iptables -t raw -A PREROUTING -d 1.2.3.4 -p tcp --dport 5678 -j NOTRACK
> iptables -t filter -A FORWARD -d 1.2.3.4 -p tcp --dport 5678 -j TARPIT
>
> This will cause any traffic that comes in that is distend to 1.2.3.4 on port 5678 to  NOT be tracked with the connecting tracking sub system and to subsequently be redirected to the TARPIT target.

You *must* use the rule

iptables -t raw -A PREROUTING -s 1.2.3.4 -p tcp --sport 5678 -j NOTRACK

as well, otherwise conntrack will pick up the reply packets from the
TARPIT target.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

Re: ddos / no connection tracking / tarpitting

[Taylor Grant]

> You *must* use the rule
> 
> iptables -t raw -A PREROUTING -s 1.2.3.4 -p tcp --sport 5678 -j NOTRACK
> 
> as well, otherwise conntrack will pick up the reply packets from the
> TARPIT target.

Very good point.

RE: ddos / no connection tracking / tarpitting

[Gary W. Smith]

I've got an old p3, 800mhz 1u server with 128mb ram running tarpit with
two external IP's (one low and one high).  This way up/down, down/up
scans all get hung.  It answers on most external ports.  One thing
though, you need to tell it to ignore the broadcast.  When I take the
firewall and bring it back up we have seen some problems (when it starts
it's arp advertisements).

I've also played with mirring SMTP and HTTP but tarpit'ing seems to work
the best.

Has been working fine for some time...


-----Original Message-----
From: netfilter-bounces@lists.netfilter.org
[mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Jozsef
Kadlecsik
Sent: Thursday, April 21, 2005 11:50 PM
To: Taylor Grant
Cc: Vic N; netfilter@lists.netfilter.org
Subject: Re: ddos / no connection tracking / tarpitting

On Fri, 22 Apr 2005, Taylor Grant wrote:

> > So my question is, is this the basic element of building a good
> > anti-ddos solution wtih iptables to address a *large* volume of ddos
> > traffic to build iptables w/o connection tracking?
>
> Yes this is possible and (I think) fairly easy to do.  As I have never
done this I can not tell you for sure, but this is what I would do if I
were to do such a thing.
>
> I will presume that you are wanting to drop all traffic to a specif
port on an IP address for the sake of this discussion.
>
> iptables -t raw -A PREROUTING -d 1.2.3.4 -p tcp --dport 5678 -j
NOTRACK
> iptables -t filter -A FORWARD -d 1.2.3.4 -p tcp --dport 5678 -j TARPIT
>
> This will cause any traffic that comes in that is distend to 1.2.3.4
on port 5678 to  NOT be tracked with the connecting tracking sub system
and to subsequently be redirected to the TARPIT target.

You *must* use the rule

iptables -t raw -A PREROUTING -s 1.2.3.4 -p tcp --sport 5678 -j NOTRACK

as well, otherwise conntrack will pick up the reply packets from the
TARPIT target.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

RE: ddos / no connection tracking / tarpitting

[Gary W. Smith]

Anyone else getting errors when sending to Jozsef on this list.  It's
the only site that has rejected my mail.

The following recipient(s) could not be reached:

      Jozsef Kadlecsik on 4/22/2005 12:02 AM
            There was a SMTP communication problem with the recipient's
email server.  Please contact your system administrator.
            <pxtvjoexd01.pxt.primeexalia.com #5.5.0 smtp;550
<user-119bnnu.biz.mindspring.com[66.149.222.254]>: Client host rejected:
Access denied. Your site is banned because of the unsolicited mail
messages received from it.>


-----Original Message-----
From: netfilter-bounces@lists.netfilter.org
[mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Gary W.
Smith
Sent: Friday, April 22, 2005 12:02 AM
To: Jozsef Kadlecsik; Taylor Grant
Cc: Vic N; netfilter@lists.netfilter.org
Subject: RE: ddos / no connection tracking / tarpitting

I've got an old p3, 800mhz 1u server with 128mb ram running tarpit with
two external IP's (one low and one high).  This way up/down, down/up
scans all get hung.  It answers on most external ports.  One thing
though, you need to tell it to ignore the broadcast.  When I take the
firewall and bring it back up we have seen some problems (when it starts
it's arp advertisements).

I've also played with mirring SMTP and HTTP but tarpit'ing seems to work
the best.

Has been working fine for some time...


-----Original Message-----
From: netfilter-bounces@lists.netfilter.org
[mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Jozsef
Kadlecsik
Sent: Thursday, April 21, 2005 11:50 PM
To: Taylor Grant
Cc: Vic N; netfilter@lists.netfilter.org
Subject: Re: ddos / no connection tracking / tarpitting

On Fri, 22 Apr 2005, Taylor Grant wrote:

> > So my question is, is this the basic element of building a good
> > anti-ddos solution wtih iptables to address a *large* volume of ddos
> > traffic to build iptables w/o connection tracking?
>
> Yes this is possible and (I think) fairly easy to do.  As I have never
done this I can not tell you for sure, but this is what I would do if I
were to do such a thing.
>
> I will presume that you are wanting to drop all traffic to a specif
port on an IP address for the sake of this discussion.
>
> iptables -t raw -A PREROUTING -d 1.2.3.4 -p tcp --dport 5678 -j
NOTRACK
> iptables -t filter -A FORWARD -d 1.2.3.4 -p tcp --dport 5678 -j TARPIT
>
> This will cause any traffic that comes in that is distend to 1.2.3.4
on port 5678 to  NOT be tracked with the connecting tracking sub system
and to subsequently be redirected to the TARPIT target.

You *must* use the rule

iptables -t raw -A PREROUTING -s 1.2.3.4 -p tcp --sport 5678 -j NOTRACK

as well, otherwise conntrack will pick up the reply packets from the
TARPIT target.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

Re: ddos / no connection tracking / tarpitting

[Taylor Grant]

Gary W. Smith wrote:
> Anyone else getting errors when sending to Jozsef on this list.  It's
> the only site that has rejected my mail.
> 
> The following recipient(s) could not be reached:
> 
>       Jozsef Kadlecsik on 4/22/2005 12:02 AM
>             There was a SMTP communication problem with the recipient's
> email server.  Please contact your system administrator.
>             <pxtvjoexd01.pxt.primeexalia.com #5.5.0 smtp;550
> <user-119bnnu.biz.mindspring.com[66.149.222.254]>: Client host rejected:
> Access denied. Your site is banned because of the unsolicited mail
> messages received from it.>

No, can't say as I have.  However it looks like your IP address (66.149.222.254) has been banned by the receiving server.  I just pulled that from the header of the email that I am replying to.  You might want to check to see if you are black listed any where.



Grant. . . .

RE: ddos / no connection tracking / tarpitting

[Jozsef Kadlecsik]

On Fri, 22 Apr 2005, Gary W. Smith wrote:

> Anyone else getting errors when sending to Jozsef on this list.  It's
> the only site that has rejected my mail.
>
> The following recipient(s) could not be reached:
>
>       Jozsef Kadlecsik on 4/22/2005 12:02 AM
>             There was a SMTP communication problem with the recipient's
> email server.  Please contact your system administrator.
>             <pxtvjoexd01.pxt.primeexalia.com #5.5.0 smtp;550
> <user-119bnnu.biz.mindspring.com[66.149.222.254]>: Client host rejected:
> Access denied. Your site is banned because of the unsolicited mail
> messages received from it.>

That's due to the heavy spam filtering at our site.

I have whitelisted your E-mail address.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

Re: ddos / no connection tracking / tarpitting

[R. DuFresne]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


the only way to really survive a ddos without affecting connectivity in 
any shapoe or form is to have a bigger pipe then the other end<s> does. 
idiots trying to ddos from a cable connection or dialup are not a problem 
and sufferable.  Those a tad higher in technical advancement with a bot 
net and tousands of zomies to attack from are likely to bring even the 
biggest pipes to a dead halt, at least getting in and our of the firewall 
gateway is impossible.  Traffic on the inside should be unaffected.

I've suffered attacks with a firewall not doing connection tracking and 
had no problems with either the firewall failing or suffereing a reboot. 
I have yet to suffer such an attack on a staeful firewall, but tend to 
think I should suffer no less with such a firewall in place as apposed to 
an the older mere packet filters I've been replacing over time.  Course, 
it helps to have enough RAM in the firewall in the firstplace...

pipes size and RAM, them be the keys to surviival.

Thanks,

Ron DuFresne

On Fri, 22 Apr 2005, Taylor Grant wrote:

>> A while ago I saw an iptables solution that was able to serve as an 
>> effective anti-ddos solution.   I didn't get to see under the hood, but 
>> the creator told me that the solution was essentially an iptables 
>> implementation with no connection tracking built in.  Allegedly, the fact 
>> that no connection tracking was used enabled the the iptables to deal with 
>> a much higher volume of traffic w/o crashing.  He had also mentioned using 
>> packet counting (to count packets as they passed through since there was 
>> no way to keep track of them otherwise) and using tarpitting.
>> 
>> While I can't attest to what the person told me, I do know the firewall 
>> was soaking up ddos traffic that was otherwise bringing servers to their 
>> knees with the use of regular connection-based firewalling.
>> 
>> So my question is, is this the basic element of building a good anti-ddos 
>> solution wtih iptables to address a *large* volume of ddos traffic to 
>> build iptables w/o connection tracking?
>> 
>> Thanks,
>
> Yes this is possible and (I think) fairly easy to do.  As I have never done 
> this I can not tell you for sure, but this is what I would do if I were to do 
> such a thing.
>
> I will presume that you are wanting to drop all traffic to a specif port on 
> an IP address for the sake of this discussion.
>
> iptables -t raw -A PREROUTING -d 1.2.3.4 -p tcp --dport 5678 -j NOTRACK
> iptables -t filter -A FORWARD -d 1.2.3.4 -p tcp --dport 5678 -j TARPIT
>
> This will cause any traffic that comes in that is distend to 1.2.3.4 on port 
> 5678 to  NOT be tracked with the connecting tracking sub system and to 
> subsequently be redirected to the TARPIT target.
>
>
>
> Grant. . . .
>

- -- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         admin & senior security consultant:  sysinfo.com
                         http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                 -Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCaWjtst+vzJSwZikRAu6hAJ496gLuwc31uc2uiCNXzbk3AMA1SQCdEXNI
VfK1Yh+17fGQV6Qb6gRF8Zc=
=sgu8
-----END PGP SIGNATURE-----

RE: ddos / no connection tracking / tarpitting

[Seferovic Edvin]

Hi,

my partner company has implemented a really good DdoS protection that is
able to process more than 3mil packets/sec. Beside of that fact, the
appliance has web interface where you can track the load on your connection
as well as block some ips or ip ranges that are attacking your server. If
you are interested, I could send you a information folder.

Regards,

Edvin Seferovic

-----Original Message-----
From: netfilter-bounces@lists.netfilter.org
[mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of R. DuFresne
Sent: Freitag, 22. April 2005 23:13
To: Taylor Grant
Cc: Vic N; netfilter@lists.netfilter.org
Subject: Re: ddos / no connection tracking / tarpitting

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


the only way to really survive a ddos without affecting connectivity in 
any shapoe or form is to have a bigger pipe then the other end<s> does. 
idiots trying to ddos from a cable connection or dialup are not a problem 
and sufferable.  Those a tad higher in technical advancement with a bot 
net and tousands of zomies to attack from are likely to bring even the 
biggest pipes to a dead halt, at least getting in and our of the firewall 
gateway is impossible.  Traffic on the inside should be unaffected.

I've suffered attacks with a firewall not doing connection tracking and 
had no problems with either the firewall failing or suffereing a reboot. 
I have yet to suffer such an attack on a staeful firewall, but tend to 
think I should suffer no less with such a firewall in place as apposed to 
an the older mere packet filters I've been replacing over time.  Course, 
it helps to have enough RAM in the firewall in the firstplace...

pipes size and RAM, them be the keys to surviival.

Thanks,

Ron DuFresne

On Fri, 22 Apr 2005, Taylor Grant wrote:

>> A while ago I saw an iptables solution that was able to serve as an 
>> effective anti-ddos solution.   I didn't get to see under the hood, but 
>> the creator told me that the solution was essentially an iptables 
>> implementation with no connection tracking built in.  Allegedly, the fact

>> that no connection tracking was used enabled the the iptables to deal
with 
>> a much higher volume of traffic w/o crashing.  He had also mentioned
using 
>> packet counting (to count packets as they passed through since there was 
>> no way to keep track of them otherwise) and using tarpitting.
>> 
>> While I can't attest to what the person told me, I do know the firewall 
>> was soaking up ddos traffic that was otherwise bringing servers to their 
>> knees with the use of regular connection-based firewalling.
>> 
>> So my question is, is this the basic element of building a good anti-ddos

>> solution wtih iptables to address a *large* volume of ddos traffic to 
>> build iptables w/o connection tracking?
>> 
>> Thanks,
>
> Yes this is possible and (I think) fairly easy to do.  As I have never
done 
> this I can not tell you for sure, but this is what I would do if I were to
do 
> such a thing.
>
> I will presume that you are wanting to drop all traffic to a specif port
on 
> an IP address for the sake of this discussion.
>
> iptables -t raw -A PREROUTING -d 1.2.3.4 -p tcp --dport 5678 -j NOTRACK
> iptables -t filter -A FORWARD -d 1.2.3.4 -p tcp --dport 5678 -j TARPIT
>
> This will cause any traffic that comes in that is distend to 1.2.3.4 on
port 
> 5678 to  NOT be tracked with the connecting tracking sub system and to 
> subsequently be redirected to the TARPIT target.
>
>
>
> Grant. . . .
>

- -- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         admin & senior security consultant:  sysinfo.com
                         http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                 -Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCaWjtst+vzJSwZikRAu6hAJ496gLuwc31uc2uiCNXzbk3AMA1SQCdEXNI
VfK1Yh+17fGQV6Qb6gRF8Zc=
=sgu8
-----END PGP SIGNATURE-----

Re: ddos / no connection tracking / tarpitting

[Fabien Germain]

As Ron explained, the problem with DoS is not the firewall (iptables
or not), but the pipe size. I also had a few DDoS, and the OpenBSD
firewall never had any trouble... but I had a pipe saturation :-(

Fabien
-- 
fabien (at) klipz (dot) fr
http://www.klipz.fr


On 4/23/05, Seferovic Edvin <edvin.seferovic@kolp.at> wrote:
> Hi,
> 
> my partner company has implemented a really good DdoS protection that is
> able to process more than 3mil packets/sec. Beside of that fact, the
> appliance has web interface where you can track the load on your connection
> as well as block some ips or ip ranges that are attacking your server. If
> you are interested, I could send you a information folder.
> 
> Regards,
> 
> Edvin Seferovic
> 
> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org
> [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of R. DuFresne
> Sent: Freitag, 22. April 2005 23:13
> To: Taylor Grant
> Cc: Vic N; netfilter@lists.netfilter.org
> Subject: Re: ddos / no connection tracking / tarpitting
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> the only way to really survive a ddos without affecting connectivity in
> any shapoe or form is to have a bigger pipe then the other end<s> does.
> idiots trying to ddos from a cable connection or dialup are not a problem
> and sufferable.  Those a tad higher in technical advancement with a bot
> net and tousands of zomies to attack from are likely to bring even the
> biggest pipes to a dead halt, at least getting in and our of the firewall
> gateway is impossible.  Traffic on the inside should be unaffected.
> 
> I've suffered attacks with a firewall not doing connection tracking and
> had no problems with either the firewall failing or suffereing a reboot.
> I have yet to suffer such an attack on a staeful firewall, but tend to
> think I should suffer no less with such a firewall in place as apposed to
> an the older mere packet filters I've been replacing over time.  Course,
> it helps to have enough RAM in the firewall in the firstplace...
> 
> pipes size and RAM, them be the keys to surviival.
> 
> Thanks,
> 
> Ron DuFresne
> 
> On Fri, 22 Apr 2005, Taylor Grant wrote:
> 
> >> A while ago I saw an iptables solution that was able to serve as an
> >> effective anti-ddos solution.   I didn't get to see under the hood, but
> >> the creator told me that the solution was essentially an iptables
> >> implementation with no connection tracking built in.  Allegedly, the fact
> 
> >> that no connection tracking was used enabled the the iptables to deal
> with
> >> a much higher volume of traffic w/o crashing.  He had also mentioned
> using
> >> packet counting (to count packets as they passed through since there was
> >> no way to keep track of them otherwise) and using tarpitting.
> >>
> >> While I can't attest to what the person told me, I do know the firewall
> >> was soaking up ddos traffic that was otherwise bringing servers to their
> >> knees with the use of regular connection-based firewalling.
> >>
> >> So my question is, is this the basic element of building a good anti-ddos
> 
> >> solution wtih iptables to address a *large* volume of ddos traffic to
> >> build iptables w/o connection tracking?
> >>
> >> Thanks,
> >
> > Yes this is possible and (I think) fairly easy to do.  As I have never
> done
> > this I can not tell you for sure, but this is what I would do if I were to
> do
> > such a thing.
> >
> > I will presume that you are wanting to drop all traffic to a specif port
> on
> > an IP address for the sake of this discussion.
> >
> > iptables -t raw -A PREROUTING -d 1.2.3.4 -p tcp --dport 5678 -j NOTRACK
> > iptables -t filter -A FORWARD -d 1.2.3.4 -p tcp --dport 5678 -j TARPIT
> >
> > This will cause any traffic that comes in that is distend to 1.2.3.4 on
> port
> > 5678 to  NOT be tracked with the connecting tracking sub system and to
> > subsequently be redirected to the TARPIT target.
> >
> >
> >
> > Grant. . . .
> >
> 
> - --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>          admin & senior security consultant:  sysinfo.com
>                          http://sysinfo.com
> Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629
> 
> ...We waste time looking for the perfect lover
> instead of creating the perfect love.
> 
>                  -Tom Robbins <Still Life With Woodpecker>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (GNU/Linux)
> 
> iD8DBQFCaWjtst+vzJSwZikRAu6hAJ496gLuwc31uc2uiCNXzbk3AMA1SQCdEXNI
> VfK1Yh+17fGQV6Qb6gRF8Zc=
> =sgu8
> -----END PGP SIGNATURE-----
> 
>

Re: ddos / no connection tracking / tarpitting

[Taylor, Grant]

> the only way to really survive a ddos without affecting connectivity in 
> any shapoe or form is to have a bigger pipe then the other end<s> does. 
> idiots trying to ddos from a cable connection or dialup are not a 
> problem and sufferable.  Those a tad higher in technical advancement 
> with a bot net and tousands of zomies to attack from are likely to bring 
> even the biggest pipes to a dead halt, at least getting in and our of 
> the firewall gateway is impossible.  Traffic on the inside should be 
> unaffected.

One thing that I (personally) am trying to do (sort of) along these lines is to host a co-lo box at my ISP's facility and establish a GRE tunnel between my home system and this box and ultimately use an endpoint on this CO-LOed box as my default gateway.  This way I can set up QoS and specify what traffic is important to me and what has priority on what comes down my DSL pipe in a round about way.  Fortunetly I have an EXCELLENT working relationship, both professionally and personally, with my ISP and they would be willing to do such as well as drop any traffic that is destined to my DSL connection that did not come from the CO-LOed box.  This round about way would give me sufficient control over what traffic did flow down the DSL pipe to my house and thus mitigate DDoSing my DSL.  However seeing as my ISP only has 16 Mbps connection to the net it would not take much to DDoS them if it r
 eally came down to it.  But my DSL would not be DDoSed, just my ISP's upstream connection
.  I know that this is not a real elegant solution, but I never did say that it was, just something that might work.  ;)



Grant. . . .

Re: ddos / no connection tracking / tarpitting

[Daniel Lopes]

R. DuFresne schrieb:
> 
> the only way to really survive a ddos without affecting connectivity in 
> any shapoe or form is to have a bigger pipe then the other end<s> does. 
> idiots trying to ddos from a cable connection or dialup are not a 
> problem and sufferable.  Those a tad higher in technical advancement 
> with a bot net and tousands of zomies to attack from are likely to bring 
> even the biggest pipes to a dead halt, at least getting in and our of 
> the firewall gateway is impossible.  Traffic on the inside should be 
> unaffected.
> 
> I've suffered attacks with a firewall not doing connection tracking and 
> had no problems with either the firewall failing or suffereing a reboot. 
> I have yet to suffer such an attack on a staeful firewall, but tend to 
> think I should suffer no less with such a firewall in place as apposed 
> to an the older mere packet filters I've been replacing over time.  
> Course, it helps to have enough RAM in the firewall in the firstplace...
> 
> pipes size and RAM, them be the keys to surviival.
> 
> Thanks,
> 

That´s the point. With professional DDoS attacks we are talking about 
people using their botnets and zombies and in total they can reach a 
bandwidth beyond the Gbit border. Not really easy to handle such packet 
storm ;).