[colug-432] Diagnosing and blocking DDOS attacks
R P Herrold
herrold at owlriver.com
Sun Jul 17 19:52:36 EDT 2011
On Sun, 17 Jul 2011, DEEDSD at nationwide.com wrote:
> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent
> --update --seconds 60 --hitcount 20 -j DROP
>
> I am curious as to if I leave off the --dport if the rule would apply to
> all ports. I also wonder if I can block all traffic from a class B set of
> addresses - say if it is coming from a cloud.
out of order, yes, you can null route or drop any netmask you
want
-s IP/CIDRmask
will permit you to specify such a range of IPs
--hitcount, as I recall, needs two lines -- one to
count, and a second to actually do the dropping, but I may
well be wrong here
The problem is, one assumes if it is being run across
residential link, you are at the narrower end of the pipe, and
traffic has to transit the pipe before being dropped .. and
that still means the pipe is getting filled
TCPdump will tell you the source IPs for TCP based traffic
that completes the three-way handshake (before that,
so-called 'half-open' connections from forged initial source
IPs are possible). UDP traffic is trivially forgeable and
not susceptible to detection of forged source addresses
But again, the problem is that if one is at the narrow end of
the pipe, last hop measures cannot work well enough; to be
effective your upstream has to null-route the offender
-- Russ herrold
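As an added illustration (not part of the original thread), the following Python replays constructed NEW-connection events through a per-source sliding window that mirrors the quoted `-m recent --update --seconds 60 --hitcount 20` logic, groups the offenders by /16 as the "class B" question asks, and renders the two-rule count/drop form Russ recalls with an `-s` netmask. The event list, IP addresses and the `--name SMTP` list name are all constructed here; the module semantics (a hit is recorded even for a packet that matches the drop rule) follow xt_recent's documented `--update` behaviour.

```python
import ipaddress
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # --seconds 60 from the quoted rule
HITCOUNT = 20         # --hitcount 20 from the quoted rule

def sliding_window_drops(events, window=WINDOW_SECONDS, hitcount=HITCOUNT):
    """Replay (timestamp, src_ip) NEW-connection events through a per-source
    sliding window modelled on the iptables 'recent' module. An event is
    dropped once its source already has >= hitcount hits inside the last
    `window` seconds. Like --update, the hit is recorded either way."""
    seen = defaultdict(deque)
    dropped = []
    for ts, src in sorted(events):
        q = seen[src]
        while q and ts - q[0] > window:   # expire hits older than the window
            q.popleft()
        if len(q) >= hitcount:
            dropped.append((ts, src))
        q.append(ts)
    return dropped

def offending_class_b(dropped, min_sources=2):
    """Group dropped sources by /16 so a whole range (e.g. a cloud provider
    block) can be handled with one -s a.b.0.0/16 rule once several of its
    hosts are offending."""
    per_net = defaultdict(set)
    for _, src in dropped:
        net = ipaddress.ip_network(f"{src}/16", strict=False)
        per_net[str(net)].add(src)
    return {n: sorted(s) for n, s in per_net.items() if len(s) >= min_sources}

def render_rules(cidr):
    """Two-rule form: one line to count hits, one to drop. With -I the drop
    rule is inserted after the set rule, so it is evaluated first."""
    base = f"iptables -I INPUT -p tcp --dport 25 -i eth0 -s {cidr} -m state --state NEW -m recent"
    return [f"{base} --set --name SMTP",
            f"{base} --update --seconds {WINDOW_SECONDS} --hitcount {HITCOUNT} --name SMTP -j DROP"]

def constructed_events():
    """Constructed sample: two busy hosts in one /16, one benign host, and
    one host whose burst is followed by a pause longer than the window."""
    events = [(t, "203.0.113.5") for t in range(25)]        # 25 connects in 25 s
    events += [(t, "203.0.113.77") for t in range(22)]      # same /16, 22 connects
    events += [(t * 10, "198.51.100.9") for t in range(5)]  # benign: 5 in 50 s
    events += [(t, "192.0.2.40") for t in range(20)] + [(100, "192.0.2.40")]
    return events

if __name__ == "__main__":
    for net in offending_class_b(sliding_window_drops(constructed_events())):
        print("\n".join(render_rules(net)))
```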