[colug-432] Diagnosing and blocking DDOS attacks

R P Herrold herrold at owlriver.com
Sun Jul 17 19:52:36 EDT 2011

On Sun, 17 Jul 2011, DEEDSD at nationwide.com wrote:

> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent
> --update --seconds 60 --hitcount 20 -j DROP
> I am curious as to if I leave off the --dport if the rule would apply to
> all ports.  I also wonder if I can block all traffic from a class B set of
> addresses - say if it is coming from a cloud.

out of order, yes, you can null route or drop any netmask you 

 	-s IP/CIDRmask
will permit you do specify such a range of IPs

 	--hitcount, as I recall, needs two lines -- one to 
count, and a second to actually do the dropping, but I may 
well be wrong here

The problem is, one assumes if it is being run across 
residential link, you are at the narrower end of the pipe, and 
traffic has to transit the pipe before being dropped .. and 
that still means the pipe is getting filled

TCPdump will tell you the source IP's for TCP based traffic 
that completes the three-way handshake (before that, so 
-called 'half-open' connections from forged initial source 
IP's are possible).  UDP traffic is trivially forgeable and 
not susceptible to detection of forged source addresses

But again, the problem is that if one is at the narrow end of 
the pipe, last hop measures cannot work well enough; to be 
effective your upstream has to null-route the offender

-- Russ herrold

More information about the colug-432 mailing list