limit udp traffic per ip using iptables only
I am currently running a test UDP flood against my Ubuntu server, as shown in the screenshot below.
[screenshot]
In this screenshot we see that the attacker IP is 162.222.73.109 and that this IP consumed all the traffic (100 Mbps). My question: how can I limit traffic per IP per second? I mean, if he runs a UDP flood he should get only 1 MB/second, not the full 100 Mbps.
You'd most likely want to use tc. However, if you're trying to defend against it you'd most likely just want to block the IP. That being said, the traffic is still going to reach your server and clog the network. To truly solve it you'd need to block it somewhere upstream where there is a bigger pipe. Or you could use a service such as Cloudflare as a proxy to your site: all traffic initially goes to their network, where they filter DDoS for you and then send the proper traffic to your server, thus protecting you from the DDoS.
However, if you're just trying to test something, just use tc: http://lartc.org/howto/lartc.ratelimit.single.html
Hi,
Code:
iptables -I INPUT -p tcp -m udp -s "putip" --dport 80 -m connlimit --connlimit-above 1 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j DROP
iptables -I INPUT -p tcp -m udp -s "putip" --dport 443 -m connlimit --connlimit-above 1 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j DROP
or
Code:
#iptables -I INPUT -p udp --dport 80 -m state --state NEW -m recent --set
#iptables -I INPUT -p udp --dport 80 -m state --state NEW -m recent --update --seconds 1 --hitcount 2 -j DROP
#iptables -I INPUT -p udp --dport 443 -m state --state NEW -m recent --set
#iptables -I INPUT -p udp --dport 443 -m state --state NEW -m recent --update --seconds 1 --hitcount 2 -j DROP
Put the source IP in -s, or leave it out to apply the rule to all connected IPs. Play with seconds and hitcount to find the right values for your server.
That's not limiting by speed though, which is what he wants. Plus he was talking UDP, not TCP.
Hi,
Just change tcp to udp. Yes, sorry, I didn't see the part about bandwidth.
Hi,
You can check the hashlimit option if you want to use only iptables: http://www.iptables.info/en/iptables...HASHLIMITMATCH
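The hashlimit approach from the post above, written out as an added example (this is not code from the thread). It assumes the game port 27043 mentioned later in the thread, a 1 MB/s cap with a 2 MB burst per address, and a kernel/iptables whose hashlimit accepts byte-based rates (`iptables -m hashlimit --help` lists the syntax; older versions only take packet rates such as `1000/sec`). Each client address gets its own bucket, so only the flooding address is dropped above the cap. Note that dropping in INPUT only protects the game process: the packets have already crossed the 100 Mbps link by the time netfilter sees them.

```sh
#!/bin/sh
# Added example (not from the thread): per-address UDP cap with the
# iptables hashlimit match.  Assumptions: game port 27043, a 1 MB/s cap
# with a 2 MB burst, and a hashlimit that understands byte rates.
set -eu

PORT="${PORT:-27043}"    # UDP port of the game server
RATE="${RATE:-1mb/s}"    # per-address cap; e.g. 1000/sec for a packet rate instead
BURST="${BURST:-2mb}"    # bytes one address may exceed RATE by before drops start
IPT="${IPT:-iptables}"   # IPT=echo prints the commands instead of applying them

# Print the iptables arguments for one direction.
#   INPUT  : bucket keyed on the client's source address, traffic to our --dport
#   OUTPUT : bucket keyed on the client's destination address, traffic from our --sport
udp_limit_rules() {
    case "$1" in
        INPUT)  mode=srcip; portflag=--dport ;;
        OUTPUT) mode=dstip; portflag=--sport ;;
        *) echo "usage: udp_limit_rules INPUT|OUTPUT" >&2; return 1 ;;
    esac
    chain="UDPLIMIT_$1"
    echo "-N $chain"
    echo "-F $chain"
    # above the cap for this address: drop
    echo "-A $chain -m hashlimit --hashlimit-mode $mode --hashlimit-above $RATE --hashlimit-burst $BURST --hashlimit-name udp${PORT}_$mode --hashlimit-htable-expire 60000 -j DROP"
    # under the cap: hand the packet back to the caller chain
    echo "-A $chain -j RETURN"
    # remove a stale jump first so re-running the script does not stack duplicates
    echo "-D $1 -p udp $portflag $PORT -j $chain"
    echo "-I $1 -p udp $portflag $PORT -j $chain"
}

apply_udp_limit() {
    udp_limit_rules "$1" | while read -r spec; do
        case $spec in
            # -N fails if the chain exists and -D fails if the jump is absent;
            # both are harmless, the -F and -I that follow make the state right
            "-N "*|"-D "*) $IPT $spec 2>/dev/null || true ;;
            *)             $IPT $spec ;;
        esac
    done
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_udp_limit INPUT
    apply_udp_limit OUTPUT
fi
```

Run with `APPLY=1 sh udplimit.sh` as root to install both directions, or `IPT=echo APPLY=1 sh udplimit.sh` to review the commands first. The `--hashlimit-htable-expire 60000` keeps an idle address's bucket for 60 s; lower it if a busy server has many short-lived clients and the table grows large.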
tc is the traffic controller. What he is asking to do is literally what it's designed for. I'm 99.9% sure that iptables CANNOT do traffic shaping (limiting to a specific amount of bandwidth).
I use tc at work all the time to implement packet loss, low-bandwidth simulations and more for systems tests, to see how well our applications handle network issues.
You are right about tc, and that iptables cannot do bandwidth control. But with connection limit or hashlimit he can limit bandwidth consumption per IP. He asked about iptables; maybe it is not strict bandwidth control, but he can limit consumption with these options.
He specifically asks about limiting it to 1 Mbps, i.e. being able to limit IPs to a specific amount of bandwidth per second, something iptables cannot do. What you're talking about can slow down connections by limiting how many they have; however, it can't limit the speed in any way through that connection.
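What the tc recommendation in the posts above looks like in practice, as an added example that is not from the thread: an HTB egress class that caps what the server sends to one client, plus an ingress policer for what that client sends in. It assumes interface eth0, a 100 Mbit link, the client address 162.222.73.98 that appears later in the thread, and a 1 Mbit/s ceiling; none of these come from the tc howto itself. The egress half is the one that actually saves bandwidth on the server's link (replies to the flooding client are queued and shaped); the ingress policer only drops packets that have already arrived over the link, so it protects the game process but not the pipe.

```sh
#!/bin/sh
# Added example (not from the thread): per-client bandwidth shaping with tc.
# Assumptions: interface eth0, 100 Mbit link, client 162.222.73.98, 1 Mbit cap.
set -eu

DEV="${DEV:-eth0}"
LINK="${LINK:-100mbit}"       # physical link rate, used for the default class
IP="${IP:-162.222.73.98}"     # client to cap
CAP="${CAP:-1mbit}"           # ceiling for that client, both directions
TC="${TC:-tc}"                # TC=echo prints the commands instead of applying them

# Egress: HTB root qdisc; class 1:10 is the default for everyone, class 1:20
# is the capped client.  A u32 filter on the destination address steers the
# server's packets to $IP into 1:20, so replies to that client can never
# exceed CAP no matter how fast the game server tries to answer.
tc_egress_cmds() {
    echo "qdisc add dev $DEV root handle 1: htb default 10"
    echo "class add dev $DEV parent 1: classid 1:10 htb rate $LINK"
    echo "class add dev $DEV parent 1: classid 1:20 htb rate $CAP ceil $CAP"
    echo "filter add dev $DEV parent 1: protocol ip prio 1 u32 match ip dst $IP flowid 1:20"
}

# Ingress: there is no queue to shape into on receive, only a policer that
# drops whatever exceeds CAP from $IP.  Those packets already crossed the
# link; stopping them before the link needs a filter upstream.
tc_ingress_cmds() {
    echo "qdisc add dev $DEV handle ffff: ingress"
    echo "filter add dev $DEV parent ffff: protocol ip prio 1 u32 match ip src $IP police rate $CAP burst 100k drop flowid :1"
}

apply_tc() {
    # start from a clean slate so the script can be re-run; the deletes fail
    # harmlessly when nothing is installed yet
    $TC qdisc del dev "$DEV" root 2>/dev/null || true
    $TC qdisc del dev "$DEV" ingress 2>/dev/null || true
    { tc_egress_cmds; tc_ingress_cmds; } | while read -r args; do
        $TC $args
    done
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_tc
fi
```

Run `APPLY=1 sh tcshape.sh` as root, or `TC=echo APPLY=1 sh tcshape.sh` to see the commands. Check the result with `tc -s class show dev eth0` (bytes and drops per class) and `tc -s qdisc show dev eth0 ingress`. To cap every client rather than one address, the same structure works with one class per address or with a `flowid` chosen by an iptables MARK and a `fw` filter.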
Thank you all for replying.
Actually this is not a website; this is a gaming host VPS, so I use only UDP ports. @whynotkeithberg yes, you are right, I can stop them by blocking the IP, but this test is from me and I need to block this DoS automatically, or not block but just limit him to 1 MB/s as a maximum. @end thank you for making the rules, I will test them and share the result here, but can you please give the final rules after editing them for UDP ports? My edit will be like this:
Code:
iptables -I INPUT -p udp --dport 27043 -m state --state NEW -m recent --set
iptables -I INPUT -p udp --dport 27043 -m state --state NEW -m recent --update --seconds 1 --hitcount 2 -j DROP
and this:
Code:
iptables -I INPUT -p udp -m udp -s "162.222.73.98" --dport 27043 -m connlimit --connlimit-above 1 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j DROP
Is this right?? After testing those rules, the result is the same :(
You are right. But for a UDP flood I think hashlimit or connection limit is better, because if you reduce him to 1 MB/s the packets are still coming; you just reduce their speed.
Yes, you wrote it right. Just play with hitcount and seconds. Remove the quotes from the IP. Try changing --dport to --sport 27043:
Code:
iptables -I INPUT -p udp -m udp -s 162.222.73.98 --sport 27043 -m connlimit --connlimit-above 1 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j DROP
Same problem :\ .....
This screenshot is from the attacker. As you can see, I reduced the bytes from 1024 to 90 so as not to knock off my players.
[attacker screenshot]
So not all UDP traffic goes down: it consumed 70 MB/s rather than 100 MB/s, but if I set the bytes to 1024 all traffic goes to the attacker IP.
[victim screenshot]
This is the output of:
Code:
iptables -L
[screenshot]
Put the same commands in OUTPUT:
Code:
iptables -I OUTPUT -p udp -d 162.222.73.98 --sport 27043 -m state --state NEW -m recent --set
iptables -I OUTPUT -p udp -d 162.222.73.98 --sport 27043 -m state --state NEW -m recent --update --seconds 1 --hitcount 2 -j DROP
iptables -I OUTPUT -p udp -m udp -d 162.222.73.98 --sport 27043 -m connlimit --connlimit-above 1 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j DROP
No effect :(
My attempt is to flush iptables, then add these rules:
Code:
iptables -I OUTPUT -p udp -d 162.222.73.243 --sport 27043 -m state --state NEW -m recent --set
and add the INPUT rule along with the OUTPUT one:
Code:
iptables -I INPUT -p udp --dport 27043 -m state --state NEW -m recent --set