LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Old 03-06-2011, 04:17 AM   #1
AsadMoeen
Member
 
Registered: Jun 2010
Posts: 160

Rep: Reputation: 3
Iptables rate limiting for Ddos


Hello.


I have about 5 machines that are under DDoS daily and I use rate-limit for iptables to protect that and it works well.

My UDP ports 20100 to 20400 are actually under DDoS so these are the commands I use:

Code:
-A INPUT -p udp -m udp --dport 20100:20500 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A INPUT -p udp -m udp --dport 20100:20500 -m state --state NEW -m recent --update --seconds 10 --hitcount 10 --name DEFAULT --rsource -j DROP
It worked great on all my machines when I was under heavy DDoS attacks but today, it only works on a single machine and not the rest.

The machine which it works on has 2 IP addresses and about 10 ports under attack while the rest of the machines have a single port and a single IP under attack.

So could this be a reason that the rate of the attack on other servers is not enough to block it?


However, on other machines it worked great before that, and I've tried a rate even like 5 connections in 10 seconds but it still won't work.

The attack is however not very fast because it just makes a 200kb/s outgoing while under heavy attacks, it would make a 2mb/s or even more outgoing.


So what do you think could be a reason not allowing it to work?

However, I can easily see the incoming IP making more than 15-20 connections in 5 seconds using tshark.

Last edited by AsadMoeen; 03-06-2011 at 04:31 AM.
 
Old 03-06-2011, 06:25 AM   #2
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776
If it is working on the other machine and not this one and you are definitely seeing the traffic in your packet sniffer, then there is probably something different in the setup. The command, as shown, should work on any interface. My initial guess is that there is a rule above these entries that is causing these packets to be accepted. Iptables works like a set of toll booths, comparing the packet against the rules one by one. If it matches a rule, it will perform the action, either accept or drop, and will not consider any rules further down the list.

If you don't see anything wrong with the iptables sets, post the complete output of iptables -L, along with the information regarding the traffic you are trying to block.
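Added example, not part of the thread: a simplified Python model of the two rules from post #1 and of the top-to-bottom traversal described above, run against a fast source, the same source with an ACCEPT rule above the pair, and a slow source. The `recent` behaviour is modelled from the rule options (the kernel's per-source entry limit is ignored); `EARLY_ACCEPT`, the ACCEPT chain policy and the traffic are constructed for illustration.

```python
from collections import defaultdict

class RecentList:
    """Simplified model of one xt_recent list (--name DEFAULT), keyed by source IP."""
    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, src, now):
        # --set: record the arrival time; the match itself always succeeds.
        self.stamps[src].append(now)
        return True

    def update(self, src, now, seconds, hitcount):
        # --update: succeed when >= hitcount entries fall within the last
        # `seconds`; a successful match also records a new timestamp.
        hits = sum(1 for t in self.stamps[src] if now - t <= seconds)
        if hits >= hitcount:
            self.stamps[src].append(now)
        return hits >= hitcount

def wanted(dport, state):
    # -p udp --dport 20100:20500 -m state --state NEW
    return 20100 <= dport <= 20500 and state == "NEW"

# Each rule: (match function, target). A target of None means "no -j", keep going.
SET_RULE = (lambda r, now, src, dport, st: wanted(dport, st) and r.set(src, now), None)
DROP_RULE = (lambda r, now, src, dport, st: wanted(dport, st) and r.update(src, now, 10, 10), "DROP")
EARLY_ACCEPT = (lambda r, now, src, dport, st: True, "ACCEPT")  # hypothetical rule above the pair

def run_chain(rules, packets, policy="ACCEPT"):
    """Walk every packet down the rule list; the first rule with a target decides."""
    recent, verdicts = RecentList(), []
    for now, src, dport, state in packets:
        verdict = policy
        for match, target in rules:
            if match(recent, now, src, dport, state) and target:
                verdict = target
                break
        verdicts.append(verdict)
    return verdicts

def flood(interval, count=15):
    # Constructed traffic: one source (documentation address), one port, all state NEW.
    return [(i * interval, "203.0.113.7", 20150, "NEW") for i in range(count)]

if __name__ == "__main__":
    print(run_chain([SET_RULE, DROP_RULE], flood(0.5)))                # fast source
    print(run_chain([EARLY_ACCEPT, SET_RULE, DROP_RULE], flood(0.5)))  # shadowed pair
    print(run_chain([SET_RULE, DROP_RULE], flood(2.0)))                # slow source
```

In the model the fast source is dropped from its tenth packet on, the shadowed pair never drops anything, and a source sending one packet every 2 seconds never has 10 entries inside the 10-second window.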
 
Old 03-06-2011, 06:45 AM   #3
120
Member
 
Registered: Oct 2010
Posts: 46

Rep: Reputation: 9
In passing, they all have the 'recent' module available?

As in is it missing on any machine?
Code:
cat /proc/net/ip_tables_matches
....
recent
....
Not sure if that's any help.
 
Old 03-06-2011, 08:40 AM   #4
AsadMoeen
Member
 
Registered: Jun 2010
Posts: 160

Original Poster
Rep: Reputation: 3
I've flushed all the rules and added only the ones I mentioned but it still won't work.

And yes they do have the recent module available.
 
Old 03-07-2011, 05:00 AM   #5
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776
Are they perchance rotating ports on each hit? It is a bit of a guess, but if that is what they are doing, could they be avoiding any one port long enough to reset the triggers? Try removing the port and parameters and see if that makes a difference.
 
Old 03-08-2011, 12:57 AM   #6
AsadMoeen
Member
 
Registered: Jun 2010
Posts: 160

Original Poster
Rep: Reputation: 3
It's an attack on a single port and yeah, I tried removing the port and parameters already.
 
  


All times are GMT -5.