iptables -A FORWARD -p tcp -s xxx.xxx.xxx.xxx --dport 80 -m limit --limit 20/m -j ACCEPT
Frank
--On Thursday, May 15, 2003 08:58:25 -0700 Daniel David Benson <dan@xxxxxxxxxxxxx> wrote:
Hopefully this one hasn't been answered before. We need to rate limit, on a per-source-IP-address basis, connections to port 80. We are seeing certain web servers suffer from resource starvation under a DDoS attack. The solution to this problem is to rate limit the number of connections any source IP address can make. Is this possible to do with iptables? I have searched just about everything and I can't seem to find anything. I know I can do traffic shaping with iproute2, but I don't think that is the direction I want to take.
I know there is -m limit in iptables, but unless I don't clearly understand the implementation, this limit is matched against the resource and not on a per-source basis. So, you have 5 source IPs coming in with requests, all of which affect the counters globally instead of each source having its own counter.
We have tried mod_throttle for Apache, but that crashes quite a bit as the tables grow. Plus, I want to stop the attacks before the Apache level.
Any help on this would be greatly appreciated.
Thanks!
-Dan
-- Frank Smith fsmith@xxxxxxxxxxx Systems Administrator Voice: 512-374-4673 Hoover's Online Fax: 512-374-4501
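As an added example (not part of the thread above, and not Frank's or Dan's code): the `-m limit` match keeps a single token bucket per rule, so every source shares one counter. Per-source buckets come from the `hashlimit` match (`--hashlimit-mode srcip`, added to netfilter after this 2003 thread), and a cap on concurrent connections per source comes from the `connlimit` match. The script below builds a dedicated chain that applies both to new HTTP connections and hooks it into FORWARD, as in Frank's rule. The rate (20 new connections per minute per source IP), the burst, the concurrent-connection cap and the chain name are assumed values chosen for illustration; the script only prints the commands unless `APPLY=1` is set, so it can be reviewed before it touches a live firewall.

```shell
#!/bin/sh
# Added example: per-source-IP rate limiting of new HTTP connections with iptables.
# hashlimit and connlimit are real netfilter matches; the numbers below are assumptions.

IPTABLES="${IPTABLES:-iptables}"
WEB_PORT="${WEB_PORT:-80}"
RATE="${RATE:-20/minute}"   # assumed: new connections per minute allowed per source IP
BURST="${BURST:-20}"        # assumed: bucket size, i.e. how many SYNs may arrive at once
MAX_CONN="${MAX_CONN:-30}"  # assumed: concurrent connections allowed per source /32
CHAIN="${CHAIN:-HTTP_RATELIMIT}"  # assumed chain name

# Print the rule set, one iptables command per line, without running anything.
# Only SYN packets (new connections) are sent to the chain, so established
# flows are never throttled and the per-source buckets count connections, not packets.
build_rules() {
    cat <<EOF
$IPTABLES -N $CHAIN 2>/dev/null
$IPTABLES -F $CHAIN
$IPTABLES -A $CHAIN -p tcp --dport $WEB_PORT -m connlimit --connlimit-above $MAX_CONN --connlimit-mask 32 -j DROP
$IPTABLES -A $CHAIN -p tcp --dport $WEB_PORT -m hashlimit --hashlimit-mode srcip --hashlimit-name http_src --hashlimit-above $RATE --hashlimit-burst $BURST -j DROP
$IPTABLES -A $CHAIN -j ACCEPT
$IPTABLES -D FORWARD -p tcp --syn --dport $WEB_PORT -j $CHAIN 2>/dev/null
$IPTABLES -I FORWARD 1 -p tcp --syn --dport $WEB_PORT -j $CHAIN
EOF
}

# Number of commands the rule set contains (handy for a sanity check before applying).
rule_count() {
    build_rules | wc -l | tr -d ' '
}

# Apply the rules. Creating an existing chain or deleting a missing jump
# fails harmlessly (stderr is discarded on those two lines); any other failure
# is reported by iptables itself.
apply_rules() {
    build_rules | sh
}

if [ "${APPLY:-0}" = "1" ]; then
    apply_rules
else
    build_rules
fi
```

Note the ordering inside the chain: the connlimit rule is evaluated first, so a source that already holds `MAX_CONN` open connections is dropped before it consumes any of its hashlimit budget. Lowering `--connlimit-mask` (for example to 24) widens both matches to whole networks, which is useful when an attack comes from many addresses in one block; `--hashlimit-srcmask` does the same for the rate bucket alone.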