From: <imnozi@gmail.com>
To: netfilter@vger.kernel.org
Subject: Re: Iptables and DDoS attacks
Date: Sun, 13 Aug 2023 17:41:48 -0400 [thread overview]
Message-ID: <20230813174148.506d3e92@playground> (raw)
In-Reply-To: <c614ef650022a572493960711294723a.squirrel@_>
The first thing to do is:
iptables -t mangle -I 1 PREROUTING -m state --state INVALID -j DROP
This will drop all TCP packets that have an INVALID state (to wit, netfilter is unable to correlate these packets to an existing connection). Since they are INVALID, do not spend even a nanosecond more time processing them; just dump them in the bit bucket.
After that, add rules that drop all packets to and from internet hosts and networks that you already know you want no contact with (pron, sleaze, warez, et alia); ipset is good for this.
In order to reduce said traffic on your downlink, you would have to ask your upstream (ISP?) to implement some sort of rate limiting on your link to let more legitimate traffic through.
The only way to possibly thwart DDoS is to require all ISPs and other leaf providers to implement reverse path filtering. Packets that claim to arrive on their downstream links that have IP addresses that do not reside on their DS links are to be dropped. E.g., if a Comcrash customer started sending packets purporting to be from 8.8.8.8, Comcrash should silently drop those packets (well, unless Google is a customer), and warn the security team when a customer persists in spoofing SRC IP addresses. (Of course, this likely doesn't address all forms of DDoS; your mileage will vary.)
N
On Sun, 13 Aug 2023 15:34:32 -0400
Hack3rcon@mail2tor.com wrote:
> >
> >
> > Am 10.08.23 um 09:16 schrieb Hack3rcon@mail2tor.com:
> >> Hello iptables Team,
> >> Is it possible to protect a server against DDoS attacks using iptables?
> >
> > depends on the attack - if it's bandwith *nothing* on your side can do
> > anything against it
> >
> > for request-based attacks xt_recent for ratelimits works well
> >
>
> Hello,
> Thank you so much for your reply.
> How do hardware firewalls that use Linux prevent these attacks?
>
> Can you show me some iptables rules about limitation?
>
next prev parent reply other threads:[~2023-08-13 21:41 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-10 7:16 Iptables and DDoS attacks Hack3rcon
2023-08-10 9:22 ` Reindl Harald
2023-08-13 19:34 ` Hack3rcon
2023-08-13 21:41 ` imnozi [this message]
-- strict thread matches above, loose matches on Subject: below --
2023-08-13 21:07 Joshua Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230813174148.506d3e92@playground \
--to=imnozi@gmail.com \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).