Handling large list of rules - Efficient or not?

Handling large list of rules - Efficient or not?

[howard chen]

My server sometimes is under attack by DDOS, so I want to make a
simple script which read the log (Apache access log), do the analysis,
and set the rule to drop the packets from a specific IP.

Since it is DDOS, so I assume there will be large ammount of unique IP
needed to be input into the iptables.

I want to know, are there any hidden efficiency problem in this setup?
Or any better method?


Howard.

Re: Handling large list of rules - Efficient or not?

[lists+netfilter]

howard chen wrote:
> My server sometimes is under attack by DDOS, so I want to make a
> simple script which read the log (Apache access log), do the analysis,
> and set the rule to drop the packets from a specific IP.
>
> Since it is DDOS, so I assume there will be large ammount of unique IP
> needed to be input into the iptables.
>
> I want to know, are there any hidden efficiency problem in this setup?
> Or any better method?
>
>
> Howard.
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>   
Haven't we had this discussion several times in the very recent past? 
See the archives.
Hint: if the list is really large use ipsets.