Alex Sirbu wrote:
For blocking purposes, why don't you use blackholes? I have a webserver that is permanently under DoS attacks, so I use blackholes.
The routing table can have millions of rules or static routes, so that is not a problem.
Let's say you want to block IP 11.22.33.44. Just type:
#ip route add blackhole 11.22.33.44/32
and all packets to 11.22.33.44 will be discarded.
All packets to 11.22.33.44 are discarded... but will 11.22.33.44 be able to generate a connection socket?
If you put a blackhole route to the destination, all packets to that IP address will get "Network is unreachable", so a TCP connection will never be established.
So if my problem was that 11.22.33.44 was taking up all my SMTP connections, doing ip route add blackhole 11.22.33.44/32 means that all my ACKs get discarded silently, and if the blackhole was done locally the processes just get an EINVAL error. So basically MY processes have to wait for a timeout. What I'd rather achieve is that the SYN from 11.22.33.44 does not even get through.
Looks like it's still something for iptables.
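The two approaches discussed in the thread side by side, as an added example that is not part of any of the posts above. It assumes a Linux host with iproute2 and iptables, uses the thread's address 11.22.33.44 and SMTP port 25, and by default only prints the commands; the APPLY=1 switch, the run helper and the function names are my own, not anything from the thread. The blackhole route matches on the destination of packets the host sends (ip-route(8) documents that local senders get EINVAL), whereas the iptables rule matches on the source of packets the host receives and drops the connection attempt itself, which is what the original poster asked for.

```shell
#!/bin/sh
# Added example: blackhole route vs. inbound SYN drop for one abusive peer.
# Assumed: Linux, iproute2, iptables. BAD_IP/SMTP_PORT come from the thread.
# Commands are printed unless APPLY=1 is set (applying needs root).

BAD_IP="${BAD_IP:-11.22.33.44}"
SMTP_PORT="${SMTP_PORT:-25}"

# Print the command in dry-run mode, execute it when APPLY=1.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Approach 1 (Alex's suggestion): a blackhole route. It acts on packets
# whose *destination* is BAD_IP, i.e. our replies; local senders get
# EINVAL (see ip-route(8)). Nothing here looks at what BAD_IP sends us.
blackhole_route() {
    run ip route add blackhole "$BAD_IP/32"
}

# Approach 2 (what the original poster wants): drop the inbound SYN from
# BAD_IP to our SMTP port before it reaches the listening socket.
# --syn matches SYN set with ACK, RST and FIN clear, i.e. only new
# connection attempts; flows already established are not touched.
drop_inbound_syn() {
    run iptables -I INPUT -s "$BAD_IP" -p tcp --dport "$SMTP_PORT" --syn -j DROP
}

# Inspection helpers: show the route and the INPUT chain.
check_route() {
    run ip route show "$BAD_IP/32"
}

check_rules() {
    run iptables -S INPUT
}

# Undo both changes.
cleanup() {
    run iptables -D INPUT -s "$BAD_IP" -p tcp --dport "$SMTP_PORT" --syn -j DROP
    run ip route del blackhole "$BAD_IP/32"
}

case "${1:-}" in
    blackhole) blackhole_route ;;
    syn)       drop_inbound_syn ;;
    check)     check_route; check_rules ;;
    cleanup)   cleanup ;;
    *)         blackhole_route; drop_inbound_syn ;;
esac
```

Run it as `sh block.sh syn` to print the rule, `APPLY=1 sh block.sh syn` to install it, and `APPLY=1 sh block.sh cleanup` to remove both. DROP rather than REJECT is used deliberately: the peer gets no RST or ICMP error, so from its side the SYN simply vanishes, matching the "not even get through" requirement.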