On Tue, Jul 20, 2010 at 12:01 AM, C Anthony Risinger <anthony@xxxxxxxx> wrote:
> On Mon, Jul 19, 2010 at 1:07 PM, Nilesh Govindarajan <lists@xxxxxxxxxx> wrote:
>> On Mon, Jul 19, 2010 at 11:14 PM, Heiko Baums <lists@xxxxxxxxxxxxxxx> wrote:
>>> On Mon, 19 Jul 2010 22:43:45 +0530, Nilesh Govindarajan <lists@xxxxxxxxxx> wrote:
>>>
>>>> Hi,
>>>> Can someone tell me how to use IPTables to prevent DDoS attacks?
>>>> I'm sure IPTables has the relevant modules (limit, recent I think)
>>>> after reading some docs, but still in doubt about its implementation.
>>>
>>> There's the --limit option against DoS attacks.
>>>
>>> A good iptables tutorial with some example scripts is here:
>>> http://www.frozentux.net/documents/iptables-tutorial/
>>>
>>> Read at least the chapter "Limit match".
>>>
>>> Heiko
>>>
>>
>> Thanks a lot man. But I have a doubt (may sound quite weird, but I
>> really don't know about it).
>> Suppose I set this:
>> iptables -I INPUT -m limit --limit 1/min --limit-burst 5 -j ACCEPT
>> will this affect HTTP connections?
>> Basically, how many packets are probably going to constitute one connection?
>> What is the recommended setting for the same to prevent DoS?
>
> I don't know a lot about DoS or proper settings, but the connection
> doesn't really depend on "packet count" or anything like that. [IIRC]
> a connection is established at the TCP level, and is kept alive at
> that level. HTTP 1.1 layer 7 "keep-alives" just keep the layer 4/5
> TCP connection open. HTTP 1.0 clients may have trouble with
> connection limits if you have high request rates, as they must
> establish a new connection on each request (again IIRC, could be
> flawed).
>
> C Anthony
>

So instead of using the packet limiter, should I use the connlimit module?
But using the connlimit module will block all connections after the max no. of conns are reached, which isn't the desired behavior.
I think using connlimit with the recent module will help. Any suggestions?

-- 
Regards,
Nilesh Govindarajan
Facebook: http://www.facebook.com/nilesh.gr
Twitter: http://twitter.com/nileshgr
Website: http://www.itech7.com
VPS Hosting: http://j.mp/arHk5e
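An added example, not code from any of the thread's participants, showing the connlimit-plus-recent approach the last message asks about: only the SYN that opens a new HTTP connection is rate-limited, per source address (connlimit counts per /32 via --connlimit-mask, so one abusive host is refused while other clients keep connecting), and established flows are accepted before any limit rule, which is what a blanket `-m limit` on INPUT would not do. Port, thresholds and the chain name HTTP_LIMIT are assumed values.

```shell
#!/bin/sh
# Added example, not code from the thread's participants: throttle only NEW
# HTTP connection attempts, per source address, leaving established flows alone.
# Port and thresholds are assumed values; tune them for the site's real traffic.
HTTP_PORT=${HTTP_PORT:-80}
MAX_CONNS_PER_SRC=${MAX_CONNS_PER_SRC:-20}  # concurrent connections from one /32
NEW_PER_WINDOW=${NEW_PER_WINDOW:-15}        # new connections per source per window
WINDOW_SECS=${WINDOW_SECS:-10}              # length of that window in seconds
# xt_recent caps --hitcount at its ip_pkt_list_tot module parameter (default 20).

# Emit the rule set in iptables-restore format; nothing is applied here.
build_rules() {
  cat <<EOF
*filter
:HTTP_LIMIT - [0:0]
# Packets of existing connections are accepted first, so no limit below
# ever slows a connection that is already open (keep-alive or not).
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Only the SYN that opens a new connection to the web port is inspected.
-A INPUT -p tcp --dport ${HTTP_PORT} --syn -j HTTP_LIMIT
# Concurrency cap per source (/32): one host over the cap is refused,
# everyone else keeps connecting, unlike a global packet limit.
-A HTTP_LIMIT -p tcp -m connlimit --connlimit-above ${MAX_CONNS_PER_SRC} --connlimit-mask 32 -j REJECT --reject-with tcp-reset
# Rate cap per source: remember the address, then drop the SYN once the
# source has sent NEW_PER_WINDOW or more SYNs within WINDOW_SECS seconds.
-A HTTP_LIMIT -m recent --name http --set
-A HTTP_LIMIT -m recent --name http --update --seconds ${WINDOW_SECS} --hitcount ${NEW_PER_WINDOW} -j DROP
-A HTTP_LIMIT -j ACCEPT
COMMIT
EOF
}

# Load the rules without flushing whatever else is already in the filter table.
apply_rules() {
  build_rules | iptables-restore --noflush
}

# Count the rules appended to one chain in the generated set (HTTP_LIMIT -> 4).
rule_count() {
  build_rules | grep -c "^-A $1 "
}

case "${1:-show}" in
  apply) apply_rules ;;   # needs root: ./http-limit.sh apply
  *)     build_rules ;;   # default: print the rules for review
esac
```

Run it without arguments to review the generated rules before loading them with `apply`.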