Re: iptables limit-burst trouble

Tsuyoshi Takada wrote:
I want to limit a Web DoS attack.

I have set the following but it does not work well.

iptables -N flood-chk
iptables -A INPUT     -p tcp --dport 80 --syn -j flood-chk
iptables -A flood-chk -m limit --limit 1/sec --limit-burst 2 -j RETURN
iptables -A flood-chk -j LOG --log-prefix "IPTABLES HTTP FLOOD-PACKET"
iptables -A flood-chk -j DROP

After I accessed my web site,
I pushed the reload button of my web browser repeatedly, but I was not denied by iptables.
Why?

These rules work for me. Note however that if you hit the limit, your browser will automatically retransmit and succeed if it is at least 1 second later. You should notice a delay in loading the page when the browser has to retransmit. You should also get the syslog message.

If you change the DROP to a REJECT, then your browser will display
'connection refused' when it reaches the limit, rather than
retransmitting.  (Using REJECT isn't good for protection against
a DoS attack though, just do this for testing that the rules
are working.)

I would also recommend putting a limit on the rule for the LOG
message, otherwise it is possible to flood your logs.

--
Philip Craig - philipc@xxxxxxxxxxxx - http://www.SnapGear.com
SnapGear - Custom Embedded Solutions and Security Appliances
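Added example, not part of the thread above. The first function prints the poster's flood-chk ruleset with the reply's two suggestions applied: a rate limit on the LOG rule so an attacker cannot fill the logs, and an optional REJECT target (for testing only) instead of DROP. The rules are printed rather than executed so they can be reviewed first. The second function is a simplified token-bucket model of "-m limit --limit N/sec --limit-burst B" (bucket of B tokens, refilled at N per second, one token per matching packet) that shows why the first two SYNs pass, the next ones are dropped, and a browser retransmit a second later gets through. The 5/min log limit and the packet timings are constructed values for the example; the real xt_limit match uses credit arithmetic with the same observable effect.

```shell
#!/bin/sh
# Example script (not from the mailing-list thread). Prints an iptables
# ruleset and simulates the limit match; nothing here touches the kernel.

# Print the flood-chk ruleset. $1 is the target for over-limit packets:
# DROP for production, REJECT only while testing (the reply explains why).
# Apply with:  emit_flood_rules | sh   (as root, after reviewing the output)
emit_flood_rules() {
    target=${1:-DROP}
    cat <<EOF
iptables -N flood-chk
iptables -A INPUT     -p tcp --dport 80 --syn -j flood-chk
iptables -A flood-chk -m limit --limit 1/sec --limit-burst 2 -j RETURN
iptables -A flood-chk -m limit --limit 5/min --limit-burst 5 -j LOG --log-prefix "IPTABLES HTTP FLOOD-PACKET "
iptables -A flood-chk -j $target
EOF
}

# Token-bucket model of "-m limit". Arguments: rate per second, burst,
# then packet arrival times in milliseconds. Prints one character per
# packet: P if the limit rule matched (packet RETURNs, i.e. is allowed),
# D if the bucket was empty (packet falls through to LOG and DROP).
simulate_limit() {
    rate=$1
    burst=$2
    shift 2
    # Tokens are scaled by 1000 so fractional refills can be tracked.
    cap=$((burst * 1000))
    tokens=$cap
    last=0
    out=""
    for t in "$@"; do
        # Refill: rate tokens per 1000 ms since the previous packet.
        tokens=$((tokens + (t - last) * rate))
        if [ "$tokens" -gt "$cap" ]; then
            tokens=$cap
        fi
        last=$t
        if [ "$tokens" -ge 1000 ]; then
            tokens=$((tokens - 1000))
            out="${out}P"
        else
            out="${out}D"
        fi
    done
    printf '%s\n' "$out"
}

# Demo: show the hardened ruleset, then four rapid reloads followed by a
# retransmit one second later (constructed timings: 0, 100, 200, 300, 1300 ms).
emit_flood_rules DROP
echo "rapid reloads then retransmit: $(simulate_limit 1 2 0 100 200 300 1300)"
echo "one request per second:        $(simulate_limit 1 2 0 1000 2000)"
```

With the constructed timings the first run prints PPDDP: the burst of 2 lets two SYNs through, the third and fourth are logged and dropped, and the retransmit at 1.3 s has accumulated a fresh token and passes, which is the delay-then-success behaviour described in the reply. The LOG rule's own limit means at most 5 log lines per minute per flood, regardless of how many SYNs arrive.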
