From: Sascha Reissner <sascha.reissner@toxicnet.de>
To: Benoit Panizzon <benoit.panizzon@imp.ch>
Cc: netfilter@lists.netfilter.org
Subject: Re: max-src-conn-rate (Connection rate throttling per IP)
Date: Tue, 30 Aug 2005 15:03:11 +0200 [thread overview]
Message-ID: <4314590F.7050804@toxicnet.de> (raw)
In-Reply-To: <200508301440.59667.benoit.panizzon@imp.ch>
Benoit Panizzon wrote:
> Hi all
>
> I'm looking for a way to prevent connection DOSing of specific services.
>
> The goal is to count the connection rate per conneting ip and then reject
> those connections if they pass a certain limit.
>
> It looks like OpenBSD's pf is the only packet filter (except some commerctial
> Firewalls) which has this ability.
>
> The best I managed with iptables is to throttle the connection rate for a
> specific port, but this of course affecs normal users trying to use that
> service and does not change the fact of the service being DOSed.
>
> The other possibility I found is to write my own userspace QUEUE target
> connection rate tracker via the iptables api. But as I'm not a programmer and
> I think this is a quite common request I just wonder:
>
> Hasn't allready somebody written such a per source connection rate limmiter?
>
> Is there a repository of different userspace QUEUE tools where I could find
> something similar?
>
> Regards
Uhm, why don't you just use features that are already built into
iptables? Like the following:
iptables -I INPUT -i <interface> -p <protocol> --dport <port> -m state
--state NEW -m recent --set
iptables -I INPUT -i <interface> -p <protocol> --dport <port> -m state
--state NEW -m recent --update --seconds 60 --hitcount 3 -j DROP
Just exchange <interface>, <protocol> and <port> and maybe the timspan
and hitcount. This will DROP incoming _new_ connections if they exceed
the counter in a given timeframe. It will resume accepting _new_
connection requests from the given source ip address once the counter to
timespan treshold does not get exceeded.
I use this to prevent simple scripts from bruteforcing my sshd.
Okay you might run into problems if people use forged source ip adresses
since this would also block _new_ connection requests from this ip.
If someone has a smarter idea - let me know.
Regards,
Sascha
next prev parent reply other threads:[~2005-08-30 13:03 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-08-30 12:40 max-src-conn-rate (Connection rate throttling per IP) Benoit Panizzon
2005-08-30 12:59 ` Jakub Wartak
2005-08-30 13:03 ` Sascha Reissner [this message]
2005-08-30 23:03 ` Taylor, Grant
2005-08-30 13:07 ` Jakub Wartak
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4314590F.7050804@toxicnet.de \
--to=sascha.reissner@toxicnet.de \
--cc=benoit.panizzon@imp.ch \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox