LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   limit udp traffic per ip using iptables only (https://www.linuxquestions.org/questions/linux-security-4/limit-udp-traffic-per-ip-using-iptables-only-4175603455/)

Obada 04-08-2017 10:38 AM

limit udp traffic per ip using iptables only
 
I am currently making a test UDP flood on my Ubuntu server, as we see in the screenshot below.

screenshot

In this screenshot we see the attacker IP is 162.222.73.109 and this IP has consumed all the traffic (100mbps).

My question: how can I limit traffic per IP/second?

I mean, if he makes a UDP flood he just gets 1 mb/second, not the full 100mb/second.

whynotkeithberg 04-08-2017 11:20 AM

You'd most likely want to use tc. However, if you're trying to defend against it you'd most likely just want to block the IP. However... that being said, the traffic is still going to reach your server and clog the network. To truly solve it you'd need to block it somewhere upstream where there is a bigger pipe. Or you could use a service such as Cloudflare that you use as a proxy to your site. All traffic initially goes to their network, where they filter DDoS for you and then send the proper traffic to your server, thus protecting you from the DDoS.

However... If you're just trying to test something just use tc.

http://lartc.org/howto/lartc.ratelimit.single.html

end 04-08-2017 11:26 AM

Hi

iptables -I INPUT -p tcp -m udp -s "putip" --dport 80 -m connlimit --connlimit-above 1 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j DROP

iptables -I INPUT -p tcp -m udp -s "putip" --dport 443 -m connlimit --connlimit-above 1 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j DROP

or

#iptables -I INPUT -p udp --dport 80 -m state --state NEW -m recent --set

#iptables -I INPUT -p udp --dport 80 -m state --state NEW -m recent --update --seconds 1 --hitcount 2 -j DROP

#iptables -I INPUT -p udp --dport 443 -m state --state NEW -m recent --set

#iptables -I INPUT -p udp --dport 443 -m state --state NEW -m recent --update --seconds 1 --hitcount 2 -j DROP

Put -s <source ip>, or leave it out to apply to all connected IPs. Play with seconds and hitcount to find the right values for your server.

whynotkeithberg 04-08-2017 11:27 AM

That's not limiting by speed though which is what he wants. Plus he was talking UDP not TCP.

end 04-08-2017 11:34 AM

Hi

Just change tcp to udp. Yes, sorry, I didn't see about bandwidth.

end 04-08-2017 12:04 PM

Hi

You can check the hashlimit option if you want to use only iptables.

http://www.iptables.info/en/iptables...HASHLIMITMATCH

whynotkeithberg 04-08-2017 12:05 PM

tc is the traffic controller. What he is asking to do is literally what it's designed for. I'm 99.9% sure that iptables CANNOT do traffic shaping (limiting by a specific amount of bandwidth).

whynotkeithberg 04-08-2017 12:07 PM

I use tc at work all the time to implement packet loss, low-bandwidth simulations and more to do systems tests and see how well our applications handle network issues.

end 04-08-2017 12:12 PM

You are right about tc and that iptables cannot do bandwidth control. But with connection limit or hashlimit he can accomplish bandwidth consumption per IP. He asked about iptables; maybe it is not strict bandwidth control, but he can accomplish consumption with these options.

whynotkeithberg 04-08-2017 12:14 PM

He specifically asks about limiting it to 1Mbps, so being able to limit IPs to a specific amount of bandwidth per second, something iptables cannot do. What you're talking about can slow down connections by limiting how many they have. However, it can't limit the speed in any way through that connection.

Obada 04-08-2017 12:21 PM

Thank you all for the replies.

Actually this is not a website, this is a gaming host VPS, so I use only UDP ports.

@whynotkeithberg yes, you are right, I can prevent them by blocking his IP, but this test is from me and I need to block this DoS automatically, or not block but just limit him to like 1 mb/s as max.

@end thank you for making the rules, I will test them and share the result here, but please can you give the final rules after editing them to UDP ports?

My edit will be like this:

iptables -I INPUT -p udp --dport 27043 -m state --state NEW -m recent --set

iptables -I INPUT -p udp --dport 27043 -m state --state NEW -m recent --update --seconds 1 --hitcount 2 -j DROP

and this

iptables -I INPUT -p udp -m udp -s "162.222.73.98" --dport 27043 -m connlimit --connlimit-above 1 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j DROP

Is this right?

After testing those rules, the result is the same :(

end 04-08-2017 12:36 PM

You are right. But for a UDP flood I think hashlimit or connection limit is better, because if you reduce to 1 mb/s, packets are still coming, you just reduce their speed.

Yes, you wrote it right. Just play with hitcount and seconds. Remove the quotes from the IP.
Try changing --dport to --sport 27043

Code:

iptables -I INPUT -p udp -m udp -s 162.222.73.98 --sport 27043 -m connlimit --connlimit-above 1 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j DROP

Obada 04-08-2017 01:13 PM

same problem :\ .....

This screenshot is from the attacker; as you can see I reduced the bytes from 1024 to 90 so as not to turn off my players.

attacker screenshot

So not all UDP traffic goes down; it consumed 70 mb/s rather than 100mb/s, but if I set the bytes to 1024 all traffic goes to the attacker IP.

victim screenshot

This is the iptables -L command:

screenshot

end 04-08-2017 02:26 PM

Put the same commands in OUTPUT:

iptables -I OUTPUT -p udp -d 162.222.73.98 --sport 27043 -m state --state NEW -m recent --set

iptables -I OUTPUT -p udp -d 162.222.73.98 --sport 27043 -m state --state NEW -m recent --update --seconds 1 --hitcount 2 -j DROP

iptables -I OUTPUT -p udp -m udp -d 162.222.73.98 --sport 27043 -m connlimit --connlimit-above 1 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j DROP

Obada 04-08-2017 03:15 PM

No effect :(

My try was to flush iptables, then add these rules:

Code:

iptables -I OUTPUT -p udp -d 162.222.73.243 --sport 27043 -m state --state NEW -m recent --set

iptables -I OUTPUT -p udp -d 162.222.73.243 --sport 27043 -m state --state NEW -m recent --update --seconds 1 --hitcount 2 -j DROP

iptables -I OUTPUT -p udp -m udp -d 162.222.73.243 --sport 27043 -m connlimit --connlimit-above 1 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j DROP

After that failed,

I added the INPUT rules together with the OUTPUT ones:

Code:

iptables -I INPUT -p udp --dport 27043 -m state --state NEW -m recent --set
iptables -I INPUT -p udp --dport 27043 -m state --state NEW -m recent --update --seconds 1 --hitcount 2 -j DROP
iptables -I INPUT -p udp -m udp -s 162.222.73.243 --sport 27043 -m connlimit --connlimit-above 1 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j DROP
iptables -I OUTPUT -p udp -d 162.222.73.243 --sport 27043 -m state --state NEW -m recent --set

iptables -I OUTPUT -p udp -d 162.222.73.243 --sport 27043 -m state --state NEW -m recent --update --seconds 1 --hitcount 2 -j DROP

iptables -I OUTPUT -p udp -m udp -d 162.222.73.243 --sport 27043 -m connlimit --connlimit-above 1 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j DROP

and it failed :(