(please wrap your lines at 72 characters or less. thanks.)

On Fri, 1 Nov 2002, fxian_2003 wrote:

> Hi!
> To defend against DoS attacks, iptables implements a rate-limit
> function. Today I used a DoS-type attack tool to SYN-flood the
> targeted machine; the CPU load of the machine rose sharply to 90%.
> Then I added an iptables limit rule whose limit rate is 3/min, but
> the result was disappointing, for the CPU load was still 90%. So I
> deduced that the traffic limit function couldn't repel DoS attacks
> effectively. If somebody is interested in my experiment, I can mail
> him my hacker software.

But this doesn't prove anything, beyond that the load was similar.
How do you know if the limiting you added to iptables was working
or not? You should add logging to see if the extra packets are
actually getting rejected.

rday
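The check rday asks for, as an added example that is not part of either
message above: a small ruleset that sends inbound TCP SYNs through a
dedicated chain, lets 3/min (burst 5) through, logs the excess and drops
it, plus a helper that reads the per-rule packet counters so you can see
whether the DROP rule is actually matching during the flood. The chain
name SYNLIMIT, the burst value, the log prefix and the sample counter
output are all assumptions made for this example; applying the rules
needs root on a Linux host with iptables and the limit and LOG modules.
Two caveats a practitioner would want: the LOG rule is itself rate
limited, because logging every dropped SYN of a flood would just move the
load into syslog; and a rising DROP counter proves only that the rule
matches. Each dropped packet has already been received by the NIC and
run through the kernel and netfilter before the rule sees it, so a limit
rule can confirm that excess SYNs are being discarded without reducing
the CPU spent receiving them.

```shell
#!/bin/sh
# Added example, not code from the original thread. SYNLIMIT, the
# 3/min rate with a burst of 5, the log prefix and SAMPLE_COUNTERS are
# assumptions. Applying the rules requires root on Linux with iptables.

# Print the rules: SYNs go to chain SYNLIMIT; the first 3/min (burst 5)
# RETURN to INPUT, the rest are logged (at most 1/sec so the log cannot
# be flooded) and dropped. Printing does not apply anything.
syn_limit_rules() {
    cat <<'EOF'
iptables -N SYNLIMIT
iptables -A SYNLIMIT -m limit --limit 3/min --limit-burst 5 -j RETURN
iptables -A SYNLIMIT -m limit --limit 1/sec -j LOG --log-prefix "SYNLIMIT: "
iptables -A SYNLIMIT -j DROP
iptables -A INPUT -p tcp --syn -j SYNLIMIT
EOF
}

# Constructed sample of `iptables -L SYNLIMIT -v -n -x` output taken
# mid-flood; the numbers are made up for this example.
SAMPLE_COUNTERS='Chain SYNLIMIT (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       5        300 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5
      12        720 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "SYNLIMIT: "
   48213    2892780 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Read counter output on stdin and print the packet count of the DROP
# rule. A number that climbs while the flood runs means the limit rule
# is matching; 0 means the rule is not seeing the traffic at all.
drop_count() {
    awk '$3 == "DROP" { print $1; found = 1 } END { if (!found) print 0 }'
}

# Number of rules the ruleset emits (sanity check for the printer).
rule_count() {
    syn_limit_rules | grep -c '^iptables'
}

if [ "${1:-}" = "apply" ]; then
    # Actually install the rules (root required).
    syn_limit_rules | sh -e
elif [ "${1:-}" = "check" ]; then
    # Live counter read on a host where the rules are installed.
    iptables -L SYNLIMIT -v -n -x | drop_count
else
    # Dry run: show the rules and parse the constructed sample.
    syn_limit_rules
    printf 'DROP rule packets (sample): %s\n' \
        "$(printf '%s\n' "$SAMPLE_COUNTERS" | drop_count)"
fi
```

Run `sh script.sh apply` once, start the flood, then run
`sh script.sh check` a few times: if the printed count keeps rising, the
limit rule is discarding the excess SYNs and the unchanged CPU load is
the cost of receiving them, not a sign that the rule is inert. With
logging enabled, `grep SYNLIMIT /var/log/messages` (or wherever the
kernel log lands) gives the same answer with source addresses attached.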