LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Server (https://www.linuxquestions.org/questions/linux-server-73/)
-   -   Iptables rate limiting for Ddos (https://www.linuxquestions.org/questions/linux-server-73/iptables-rate-limiting-for-ddos-866705/)

AsadMoeen 03-06-2011 03:17 AM
Iptables rate limiting for Ddos
 
Hello.


I have about 5 machines that are under Ddos daily and I use rate-limit for Iptables to protect that and it works good.

My UDP ports 20100 to 20400 are actually under Ddos so these are the commands I use:

Code:
A INPUT -p udp -m udp --dport 20100:20500 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A INPUT -p udp -m udp --dport 20100:20500 -m state --state NEW -m recent --update --seconds 10 --hitcount 10 --name DEFAULT --rsource -j DROP
It worked great on all my machines when I was under heavy Ddos attacks but today, it only works on a single machine and not the rest.

The machine which it works on has 2 IP addresses and about 10 ports under attack while the rest of the machines have a single port and a single IP under attack.

So could this be a reason that the rate of the attack on other servers is not enough to block it ?


However, on other machines it worked great before that, and I've tried a rate even like 5 connections in 10 seconds but it still won't work.

The attack is however not very fast because it just makes a 200kb/s outgoing while under heavy attacks, it would make a 2mb/s or even more outgoing .


So what do you think could be a reason not allowing it to work ?

However, I can easily see the incoming IP making more than 15-20 connections in 5 seconds using tshark.

Noway2 03-06-2011 05:25 AM
If it is working on the other machine and not this one and you are definitely seeing the traffic in your packet sniffer, then there is probably something different in the setup. The command, as shown, should work on any interface. My initial guess is that is a rule above these entries that is causing these packets to be accepted. Iptables works like a a set of toll booths, comparing the packet against the rules one by one. If it matches a rule, it will perform the action, either accept or drop and will not consider any rules further down the list.

If you don't see anything wrong with the iptables sets, post the complete output of iptables -L, along with the information regarding the traffic you are trying to block.

120 03-06-2011 05:45 AM
In passing, they all have the 'recent' module available?

As in is it missing on any machine?
Code:
cat /proc/net/ip_tables_matches
....
recent
....
Not sure if that's any help.

AsadMoeen 03-06-2011 07:40 AM
I've flushed all the rules and added only the ones I mentioned but it still won't work.

And yes they do have the recent module available.

Noway2 03-07-2011 04:00 AM
Are they perchance rotating ports on each hit? It is a bit of a guess, but if that is what they are doing, could they be avoiding any one port long enough to reset the triggers. Try removing the port and parameters and see if that makes a difference.

AsadMoeen 03-07-2011 11:57 PM
Its a an attack on a single port and yea I tried that port removing and parameters already


All times are GMT -5. The time now is 03:26 AM.