Iptables rate limiting for Ddos
Hello.
I have about 5 machines that are under Ddos daily and I use rate-limit for Iptables to protect that and it works good. My UDP ports 20100 to 20400 are actually under Ddos so these are the commands I use: Code:
A INPUT -p udp -m udp --dport 20100:20500 -m state --state NEW -m recent --set --name DEFAULT --rsource The machine which it works on has 2 IP addresses and about 10 ports under attack while the rest of the machines have a single port and a single IP under attack. So could this be a reason that the rate of the attack on other servers is not enough to block it ? However, on other machines it worked great before that, and I've tried a rate even like 5 connections in 10 seconds but it still won't work. The attack is however not very fast because it just makes a 200kb/s outgoing while under heavy attacks, it would make a 2mb/s or even more outgoing . So what do you think could be a reason not allowing it to work ? However, I can easily see the incoming IP making more than 15-20 connections in 5 seconds using tshark. |
If it is working on the other machine and not this one and you are definitely seeing the traffic in your packet sniffer, then there is probably something different in the setup. The command, as shown, should work on any interface. My initial guess is that is a rule above these entries that is causing these packets to be accepted. Iptables works like a a set of toll booths, comparing the packet against the rules one by one. If it matches a rule, it will perform the action, either accept or drop and will not consider any rules further down the list.
If you don't see anything wrong with the iptables sets, post the complete output of iptables -L, along with the information regarding the traffic you are trying to block. |
In passing, they all have the 'recent' module available?
As in is it missing on any machine? Code:
cat /proc/net/ip_tables_matches |
I've flushed all the rules and added only the ones I mentioned but it still won't work.
And yes they do have the recent module available. |
Are they perchance rotating ports on each hit? It is a bit of a guess, but if that is what they are doing, could they be avoiding any one port long enough to reset the triggers. Try removing the port and parameters and see if that makes a difference.
|
Its a an attack on a single port and yea I tried that port removing and parameters already
|
All times are GMT -5. The time now is 03:26 AM. |