From: "Tony.Ho" <support@idccenter.cn>
To: Ric Messier <kilroy@WasHere.COM>, netfilter@lists.netfilter.org
Subject: Re: syn DDoS attack solution
Date: Fri, 01 Jun 2007 09:20:26 +0800 [thread overview]
Message-ID: <465F745A.7040603@idccenter.cn> (raw)
In-Reply-To: <015e01c7a3bf$64fbe7e0$2ef3b7a0$@COM>
I have a thought about this.
I can use ipset and iptables on a bridge firewall.
ipt_recent module compares the SYN package and ACK package's TTL. If not
match then drop.
ipt_hashlimit module stores the concurrent connections. When the
connections exceed the threshold iptables would store the IP in ipset.
ipset's iptree modules can store the IP in a fixed time. When a IP which
is in the iptree's list comes the firewall iptables would TARPIT its tcp
connection.
Is this setting effective?
Ric Messier wrote:
> Bgs writes:
>
>> We recently got under a low traffic botnet DDoS attack. All attacker
>> nodes opened a single tcp session (just SYN part) and then did nothing.
>> This rules out rate limiting solutions and syncookie doesn't help
>> either. (Thousands of attacking nodes).
>>
>>
>
> This is simply a SYN flood attack. It may or may not be a botnet (though
> saying botnet makes it sound sexier :-) ). A decent SYN flood attack tool
> would randomize the source address anyway.
>
> You should try reading the following as a starting point:
>
> http://www.securityfocus.com/infocus/1729
>
> Your second suggestion has been implemented in the TCP/IP stack forever. The
> article above gives guidance on how to tune it in a Linux implementation.
>
> Ric
>
>
>
>
next prev parent reply other threads:[~2007-06-01 1:20 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-05-31 16:19 syn DDoS attack solution Bgs
2007-05-31 19:57 ` R. DuFresne
2007-06-01 9:45 ` Bgs
2007-05-31 20:08 ` Ric Messier
2007-06-01 1:20 ` Tony.Ho [this message]
2007-06-01 9:44 ` Bgs
2007-06-01 15:01 ` Ric Messier
2007-06-01 15:37 ` Bgs
2007-06-02 19:07 ` R. DuFresne
2007-06-04 14:22 ` Ric Messier
2007-06-04 17:24 ` Martin McKeay
2007-06-04 23:16 ` R. DuFresne
2007-06-05 8:29 ` Bgs
2007-06-05 14:16 ` Steven M Campbell
2007-06-05 15:22 ` ..prevention, was: " Arnt Karlsen
[not found] ` <466583F4.8080107@SCampbell.net>
2007-06-05 15:40 ` Steven M Campbell
2007-06-05 18:34 ` Arnt Karlsen
2007-06-07 18:41 ` Martin McKeay
2007-06-08 1:40 ` Arnt Karlsen
2007-06-12 18:10 ` Martin McKeay
2007-06-12 22:44 ` R. DuFresne
2007-06-13 14:24 ` Martin McKeay
2007-06-13 17:26 ` Arnt Karlsen
2007-06-13 17:44 ` Martin McKeay
2007-06-14 19:43 ` R. DuFresne
2007-06-14 20:13 ` supportnew
2007-06-01 21:34 ` Martijn Lievaart
2007-06-01 21:37 ` Martijn Lievaart
2007-06-01 21:38 ` Ric Messier
2007-06-01 23:09 ` Ethy H. Brito
2007-06-19 18:22 ` R. DuFresne
2007-06-19 22:19 ` Robert Nichols
2007-06-19 23:02 ` Pascal Hambourg
2007-06-21 18:26 ` R. DuFresne
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=465F745A.7040603@idccenter.cn \
--to=support@idccenter.cn \
--cc=kilroy@WasHere.COM \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox