For blocking purposes, why don't you use blackholes?
I have a webserver that is permanently under DoS attacks, so I use blackholes.
The routing table can have millions of rules or static routes, so it is not a problem.

Let's say you want to block IP 11.22.33.44. Just type:

    #ip route add blackhole 11.22.33.44/32

and all packets to 11.22.33.44 will be discarded.
If you then type:

    #ip ro | grep blackhole

you will see all blackholes defined by you.

You can blackhole your incoming traffic, but be careful what you are doing.

> Hello,
>
> Why don't you block networks ??
>
> Firewall - SYN Cookie enabling ?
>
> Mail servers - use RBL list - this list will contain networks of IP's that
> belong to home users. So they do not need to connect directly to your mail
> server.
>
> Web servers -- rate limiting ? block networks ? Better web server ?
>
> If you blocked networks ? The estimated max number of rules a packet might have
> to match would be 254 ... plus the rest of your filtering for ports and other
> needs. This could slow down network access because of all the rules to check for
> each packet.
>
> If you are not using network addresses the list would become too long.
>
> Michael.
>
>
> On Thu, 24 Jun 2004 22:57:32 +0800
> "Timothy Webster" <timothyw@xxxxxxxxxxxx> wrote:
>
>> I have a need to block 1 -> 2 million ips.
>> This edge firewall will be blocking dos attackers, spammers
>> from hitting our proxies, and mail/web servers.
>> I also need to be able to reload the 1 -> 2 million blocked
>> ips from time to time as they change.
>> But this list is not changing continuously.
>>
>> Thoughts how to do this?
>> What would you recommend for hardware?
>> The iptables set patch, what else?
>>
>>
>> I need to come up with a plan so I can begin testing for
>> deployment.
>>
>> Thanks,
>>
>> -Tim
>>
>
> --
> Michael Gale
> Network Administrator
> Utilitran Corporation
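
An added example, not part of the messages above: one way to plan the periodic reload asked about in the original question, using the blackhole routes from the reply and the network aggregation suggested in the quoted answer. The function names, the sample lists and the protected range are assumptions; the output is a set of lines for `ip -batch`.

```python
import ipaddress

def parse_installed(text):
    """Networks from `ip -4 route show type blackhole` output ('blackhole PREFIX ...')."""
    nets = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "blackhole":
            nets.add(ipaddress.IPv4Network(parts[1], strict=False))
    return nets

def plan_reload(installed, wanted, protected):
    """Return (batch_lines, skipped) that turn the installed blackholes into `wanted`."""
    keep = [ipaddress.IPv4Network(p) for p in protected]
    nets, skipped = [], []
    for entry in wanted:
        entry = entry.split("#", 1)[0].strip()   # allow comments in the block list
        if not entry:
            continue
        net = ipaddress.IPv4Network(entry, strict=False)
        # Never blackhole a range that covers an address that must stay reachable.
        (skipped if any(net.overlaps(k) for k in keep) else nets).append(net)
    # Merging adjacent entries is exact: it never covers an address not listed.
    target = set(ipaddress.collapse_addresses(nets))
    # Add new routes before deleting old ones so coverage never lapses.
    lines = [f"route replace blackhole {n}" for n in sorted(target - installed)]
    lines += [f"route del blackhole {n}" for n in sorted(installed - target)]
    return lines, skipped

# Constructed sample data (11.22.33.44 is the address used in the message above).
INSTALLED = """blackhole 11.22.33.44
blackhole 192.0.2.10
blackhole 192.0.2.11
"""
WANTED = ["11.22.33.44", "192.0.2.10", "192.0.2.11", "198.51.100.0/25",
          "198.51.100.128/25", "203.0.113.5  # overlaps the protected range"]
PROTECTED = ["203.0.113.0/24"]  # assumed management network

if __name__ == "__main__":
    batch, skipped = plan_reload(parse_installed(INSTALLED), WANTED, PROTECTED)
    print("\n".join(batch))   # save to a file and apply with: ip -batch FILE
    for net in skipped:
        print(f"# skipped {net}: overlaps a protected range")
```

Route lookups match on the destination address, so each entry makes the host discard what it sends to that prefix.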