> Alex Sirbu wrote:
>> For blocking purposes why don't you use blackholes?
>> I have a webserver that is permanently under DoS attacks, so I use blackholes.
>>
>> Routing table can have millions of rules or static routes, so it is not a problem.
>>
>> Let's say you want to block IP 11.22.33.44. Just type:
>>
>> #ip route add blackhole 11.22.33.44/32
>>
>> and all packets to 11.22.33.44 will be discarded.
>
> All packets to 11.22.33.44 are discarded... but will 11.22.33.44 be able
> to generate a connection socket?

If you put a blackhole on the destination, all packets to that IP address will get "Network is unreachable", so a TCP connection will never be established.

>>
>> If you then type:
>> #ip ro | grep blackhole
>> you will see all blackholes defined by you.
>
> How maintainable is such a list compared to iptables which has
> iptables-save and iptables-restore?

You can write your own script (bash, perl, etc.) that can manage the blackhole list and have it running in start, stop, restart, dump, clear, panic, add or delete. You can even keep all the information in a flat file or database.

I wrote my own script, and it's working very well. I can add or remove IPs to/from the blackhole list, I can remove all blackholes at once, I can make a bulk dump of the running routing table containing blackholes.

>>
>> You can blackhole your incoming traffic, but be careful what you are doing.
>>
>
> Is there something I am missing here?

If, by mistake, you block your own IP net or even the loopback address (127.0.0.1) you will get a lot of trouble (that can be fixed if you have direct access to that server - I mean keyboard or serial terminal).
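The kind of wrapper script described in the reply above, written here as an added example (it is not the poster's own script): a POSIX sh manager for `ip route add blackhole` entries with add, del, dump, clear and restore, a flat file as the persistent list, and a guard that refuses to blackhole the loopback net or your own networks, which is the failure mode the reply warns about. Assumed: Linux with iproute2; the file path in `BLACKHOLE_FILE` and the nets in `PROTECTED` are constructed placeholders to replace with your own; `IP_CMD="echo ip"` turns every route change into a printed command so the logic can be exercised without root.

```shell
#!/bin/sh
# Added example: blackhole-route manager. Not the original poster's script.
# BLACKHOLE_FILE: flat file with one prefix per line (constructed default path).
# PROTECTED: prefixes that must never be blackholed (constructed sample nets;
#            keep 127.0.0.0/8 and add the networks this host lives in).
# IP_CMD: set to "echo ip" for a dry run that only prints the ip(8) commands.
BLACKHOLE_FILE="${BLACKHOLE_FILE:-/var/lib/blackholes.list}"
PROTECTED="${PROTECTED:-127.0.0.0/8 10.0.0.0/8 192.0.2.0/24}"
IP_CMD="${IP_CMD:-ip}"

# ip_to_int A.B.C.D -> prints the address as an unsigned integer, fails on bad input.
# Octets with a leading zero are rejected so "0127.0.0.1" cannot bypass the guard
# via octal interpretation in shell arithmetic.
ip_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# parse_prefix A.B.C.D[/N] -> prints "<int> <plen>", fails on bad input (bare address = /32).
parse_prefix() {
    addr=${1%%/*}; plen=${1#*/}
    [ "$plen" = "$1" ] && plen=32
    case $plen in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    n=$(ip_to_int "$addr") || return 1
    echo "$n $plen"
}

# in_prefix ADDR_INT NET_INT PLEN -> true if ADDR falls inside NET/PLEN.
in_prefix() {
    [ "$3" -eq 0 ] && return 0
    mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
    [ $(( $1 & mask )) -eq $(( $2 & mask )) ]
}

# is_protected PREFIX -> 0 if it overlaps any PROTECTED net in either direction,
# 1 if it does not, 2 if PREFIX is malformed.
is_protected() {
    p=$(parse_prefix "$1") || return 2
    set -- $p; cand=$1; cplen=$2
    for net in $PROTECTED; do
        q=$(parse_prefix "$net") || continue
        set -- $q
        if in_prefix "$cand" "$1" "$2" || in_prefix "$1" "$cand" "$cplen"; then
            return 0
        fi
    done
    return 1
}

# check_prefix PREFIX -> 0 when it is safe to blackhole, nonzero with a message otherwise.
check_prefix() {
    parse_prefix "$1" >/dev/null || { echo "invalid prefix: $1" >&2; return 2; }
    if is_protected "$1"; then
        echo "refusing to blackhole protected prefix: $1" >&2; return 1
    fi
}

bh_add() {
    check_prefix "$1" || return $?
    $IP_CMD route add blackhole "$1" || return 1
    grep -qxF "$1" "$BLACKHOLE_FILE" 2>/dev/null || echo "$1" >> "$BLACKHOLE_FILE"
}

bh_del() {
    $IP_CMD route del blackhole "$1" || return 1
    if [ -f "$BLACKHOLE_FILE" ]; then
        grep -vxF "$1" "$BLACKHOLE_FILE" > "$BLACKHOLE_FILE.tmp" || :
        mv "$BLACKHOLE_FILE.tmp" "$BLACKHOLE_FILE"
    fi
}

# dump: the running blackhole routes, as in "ip ro | grep blackhole" from the thread.
bh_dump()  { $IP_CMD route | grep '^blackhole' || :; }
# clear: remove every running blackhole (the file is kept for a later restore).
bh_clear() { bh_dump | while read -r _ prefix _; do $IP_CMD route del blackhole "$prefix"; done; }
# restore: re-add every prefix from the flat file, e.g. at boot.
bh_restore() {
    [ -f "$BLACKHOLE_FILE" ] || return 0
    while read -r prefix; do [ -n "$prefix" ] && bh_add "$prefix"; done < "$BLACKHOLE_FILE"
}

main() {
    case "$1" in
        add) bh_add "$2" ;;  del) bh_del "$2" ;;  dump) bh_dump ;;
        clear) bh_clear ;;   restore) bh_restore ;;
        *) echo "usage: $0 {add|del|dump|clear|restore} [prefix]" >&2; return 2 ;;
    esac
}
if [ $# -gt 0 ]; then main "$@"; fi
```

Usage is `./blackhole.sh add 11.22.33.44`, `./blackhole.sh dump`, `./blackhole.sh restore` from an init script. The overlap check is two-sided on purpose: a request like `0.0.0.0/0` contains the protected nets rather than sitting inside one, and a one-sided test would wave it through and cut the box off the network.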