On Thu, 28 Aug 2003, bill davidsen wrote:

> I need to block a DDoS for a client, and although I'm able to detect the
> attacking IPs, and drop them in a table to block, the table is getting
> large quickly. Is there a better way to apply rules to 10-20k IP
> addresses? Clearly we don't want to block legitimate users.
>
> What I'm doing is working, I just wonder if it will scale, and if I'm
> missing some better solution.

No, it will not scale. I estimate adding one rule to a 10k rule table will take ~4 minutes on average hardware.

Adding a rule in iptables causes the complete table to be downloaded to user space; the rule will then be added and the whole table will be uploaded to kernel space again, where then an expensive check for a possible loop in the ruleset takes place.

When you are able to separate the attackers from legitimate users, you should try to implement these separation criteria in your iptables ruleset.

Daniel

--
Daniel Stutz <Daniel.Stutz@astaro.com> | Product Development
Astaro AG | http://www.astaro.com | Phone +49-721-490069-0 | Fax -55
Bulletin Board: http://www.astaro.org
Documentation: http://docs.astaro.org
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
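As an added illustration of the two points in the reply (neither Daniel's nor the original poster's code), the script below avoids the per-rule table round trip by merging the detected addresses into CIDR blocks and emitting a single iptables-restore stanza, so the kernel receives the whole blocklist in one upload instead of one upload per `iptables -A`. The chain name `ATTACKERS` and the sample addresses are constructed for the example.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample of detected source addresses (documentation ranges,
# not real indicators); the duplicate and the adjacent runs are deliberate.
SAMPLE_ATTACKERS = [
    "203.0.113.0", "203.0.113.1", "203.0.113.2", "203.0.113.3",
    "198.51.100.17", "198.51.100.17",
    "192.0.2.200", "192.0.2.201",
]


def collapse_blocklist(ips: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Deduplicate attacker IPs and merge adjacent ones into the fewest CIDR blocks.

    Each string becomes a /32; the set removes repeats and collapse_addresses()
    merges neighbours (e.g. four consecutive hosts become one /30). Addresses
    that are not adjacent stay as individual /32 entries.
    """
    hosts = {ipaddress.ip_network(ip) for ip in ips}
    return list(ipaddress.collapse_addresses(hosts))


def render_restore(nets: Iterable[ipaddress.IPv4Network], chain: str = "ATTACKERS") -> str:
    """Render iptables-restore input that loads the whole blocklist in one commit.

    iptables-restore parses every line and commits the table once, so the
    table is downloaded, modified and uploaded a single time rather than
    once per rule. The chain is declared with ":NAME - [0:0]" and ends in
    RETURN so it can be hooked from INPUT with a single jump rule.
    """
    lines = ["*filter", f":{chain} - [0:0]"]
    lines += [f"-A {chain} -s {net.with_prefixlen} -j DROP" for net in nets]
    lines.append(f"-A {chain} -j RETURN")
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_restore(collapse_blocklist(SAMPLE_ATTACKERS)), end="")
```

Load the output with `iptables-restore --noflush < blocklist.rules` (so other chains are left untouched) and hook it once with `iptables -I INPUT -j ATTACKERS`; rebuilding and reloading the file replaces the list atomically instead of growing it rule by rule.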