I have about 5 machines that are under DDoS daily, and I use rate limiting in iptables to protect them, which works well.
My UDP ports 20100 to 20400 are currently under DDoS, so these are the commands I use:
-A INPUT -p udp -m udp --dport 20100:20500 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A INPUT -p udp -m udp --dport 20100:20500 -m state --state NEW -m recent --update --seconds 10 --hitcount 10 --name DEFAULT --rsource -j DROP
It worked great on all my machines when I was under heavy DDoS attacks, but today it only works on a single machine and not on the rest.
The machine which it works on has 2 IP addresses and about 10 ports under attack while the rest of the machines have a single port and a single IP under attack.
So could the reason be that the rate of the attack on the other servers is not high enough to trigger the block?
However, on the other machines it worked great before, and I've tried even a rate like 5 connections in 10 seconds, but it still won't work.
The attack is not very fast, though: it only produces about 200kb/s outgoing, whereas under heavy attacks it would produce 2mb/s or even more outgoing.
So what do you think could be the reason it is not working?
However, I can easily see the incoming IP making more than 15-20 connections in 5 seconds using tshark.
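As an added example (not part of the original post), this script shows how to check what the `recent` module has actually recorded for a source, which tells you whether the attacker's packets are reaching the counting rule at all. The `recent_hits` helper and the sample dump are constructed here; the dump follows the `/proc/net/xt_recent/<name>` line format, where timestamps are in jiffies.

```sh
#!/bin/sh
# recent_hits: read a /proc/net/xt_recent/<name> dump on stdin and print
# "src count" for every source with at least HITCOUNT timestamps inside the
# last WINDOW seconds. This mirrors what "--update --seconds --hitcount"
# evaluates, so it shows which sources the DROP rule would currently match.
# Args: now_jiffies hz window_seconds hitcount   (hypothetical helper)
recent_hits() {
    awk -v now="$1" -v hz="$2" -v win="$3" -v hit="$4" '
    {
        src = substr($1, 5)              # field 1 is "src=A.B.C.D"
        n = 0
        for (i = 8; i <= NF; i++) {      # stamps follow "oldest_pkt: N"
            s = $i; sub(/,$/, "", s)     # strip the trailing comma
            if (now - s <= win * hz) n++
        }
        if (n >= hit) print src, n
    }'
}

# Constructed sample dump (HZ=250, "now" = 1000000 jiffies):
#  - 192.0.2.10   sent 12 packets in the last 10 s  -> would be dropped
#  - 198.51.100.7 sent 3 packets, only 1 recent     -> below hitcount
#  - 203.0.113.5  sent 10 packets, only 5 recent    -> below hitcount
SAMPLE_DUMP='src=192.0.2.10 ttl: 64 last_seen: 999800 oldest_pkt: 12 997600, 997800, 998000, 998200, 998400, 998600, 998800, 999000, 999200, 999400, 999600, 999800
src=198.51.100.7 ttl: 57 last_seen: 999000 oldest_pkt: 3 990000, 995000, 999000
src=203.0.113.5 ttl: 61 last_seen: 998800 oldest_pkt: 10 990000, 990500, 991000, 991500, 992000, 998000, 998200, 998400, 998600, 998800'

# On a live box (as root) the real inputs are:
#   iptables -vnL INPUT            # per-rule packet counters: is the --set
#                                  # rule counting anything for that port?
#   cat /proc/net/xt_recent/DEFAULT
#   grep . /sys/module/xt_recent/parameters/ip_pkt_list_tot
#                                  # stamps kept per source (default 20);
#                                  # --hitcount above this never matches
check_sample() {
    printf '%s\n' "$SAMPLE_DUMP" | recent_hits 1000000 250 10 10
}

check_sample
```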