Re: Iptables and DDoS attacks

netfilter.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Joshua Moore <j@jcm.me>
To: Hack3rcon@mail2tor.com
Cc: Reindl Harald <h.reindl@thelounge.net>, netfilter@vger.kernel.org
Subject: Re: Iptables and DDoS attacks
Date: Sun, 13 Aug 2023 17:07:33 -0400	[thread overview]
Message-ID: <30DBBFA4-8D58-4400-8531-50EB288D1CAB@jcm.me> (raw)

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset="utf-8-sig", Size: 1562 bytes --]

For volumetric attacks (bandwidth), hardware routers/firewalls export flow analytics to a flow analyzer which then in turn has detection logic which triggers scripts. One example is triggering a script for a remotely triggered black hole (RTBH) which signals to upstream ISPs to drop traffic to the destination /32 host that is attacked. Other mitigation mechanisms include triggering traffic to be redirected to a scrubbing server to consume the attack and “scrub” the traffic clean and to redirect traffic to a low bandwidth “garbage” ISP connection intended to drop the attack at the edge.

In all cases, you cannot stop the attacks with simple iptables/nftable rules because they by nature need to drop packets AFTER they hit the wire which is too late.

The *right* solution for you would all depend on your network and goals. Happy to discuss more if you want to ping my company email directly as we implement this kind of thing regularly: jmoore@archous.tech

> On Aug 13, 2023, at 4:23 PM, Hack3rcon@mail2tor.com wrote:
> 
> 
>>> Am 10.08.23 um 09:16 schrieb Hack3rcon@mail2tor.com:
>>> Hello iptables Team,
>>> Is it possible to protect a server against DDoS attacks using iptables?
>> depends on the attack - if it's bandwith *nothing* on your side can do
>> anything against it
>> for request-based attacks xt_recent for ratelimits works well
> 
> Hello,
> Thank you so much for your reply.
> How do hardware firewalls that use Linux prevent these attacks?
> 
> Can you show me some iptables rules about limitation?

next             reply	other threads:[~2023-08-13 21:07 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-08-13 21:07 Joshua Moore [this message]
  -- strict thread matches above, loose matches on Subject: below --
2023-08-10  7:16 Iptables and DDoS attacks Hack3rcon
2023-08-10  9:22 ` Reindl Harald
2023-08-13 19:34   ` Hack3rcon
2023-08-13 21:41     ` imnozi

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=30DBBFA4-8D58-4400-8531-50EB288D1CAB@jcm.me \
    --to=j@jcm.me \
    --cc=Hack3rcon@mail2tor.com \
    --cc=h.reindl@thelounge.net \
    --cc=netfilter@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).