ddos / no connection tracking / tarpitting

A while ago I saw an iptables solution that was able to serve as an effective anti-ddos solution. I didn't get to see under the hood, but the creator told me that the solution was essentially an iptables implementation with no connection tracking built in. Allegedly, the fact that no connection tracking was used enabled the iptables to deal with a much higher volume of traffic w/o crashing. He had also mentioned using packet counting (to count packets as they passed through since there was no way to keep track of them otherwise) and using tarpitting.

While I can't attest to what the person told me, I do know the firewall was soaking up ddos traffic that was otherwise bringing servers to their knees with the use of regular connection-based firewalling.

So my question is, is this the basic element of building a good anti-ddos solution with iptables to address a *large* volume of ddos traffic: to build iptables w/o connection tracking?

Thanks,

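As an added example (not part of the original post or any reply on the list), the script below generates a stateless iptables ruleset of the kind the question describes: raw-table NOTRACK so the kernel never creates conntrack entries for the service port, a target-less rule that exists only to count packets, a per-source SYN rate limit in place of state, and an optional TARPIT target for tarpitting (TARPIT comes from xtables-addons, not stock iptables). Interface name, port and rate are assumed placeholders; by default IPT is "echo iptables", so the script only prints the rules for review and nothing is applied until it is run with IPT=iptables.

```shell
#!/bin/sh
# Stateless (no-conntrack) iptables ruleset generator. Added example;
# all values below are assumed placeholders, not taken from the thread.
IPT="${IPT:-echo iptables}"       # dry run by default; IPT=iptables to apply
IFACE="${IFACE:-eth0}"            # assumed public-facing interface
PORT="${PORT:-80}"                # assumed service port
SYN_RATE="${SYN_RATE:-100/second}" # per-source SYN rate above which we drop
TARPIT="${TARPIT:-no}"            # yes = use xtables-addons TARPIT instead of DROP

build_rules() {
  over_limit_target=DROP
  if [ "$TARPIT" = yes ]; then
    over_limit_target=TARPIT
  fi

  # 1. raw table: NOTRACK both directions so no conntrack entries are ever
  #    created for this service; this is what keeps the table from filling up.
  $IPT -t raw -A PREROUTING -i "$IFACE" -p tcp --dport "$PORT" -j NOTRACK
  $IPT -t raw -A OUTPUT -o "$IFACE" -p tcp --sport "$PORT" -j NOTRACK

  # 2. filter table, all stateless.
  # A rule with no target matches and counts, nothing else: this is the
  # "packet counting" replacement for conntrack statistics
  # (read with: iptables -L INPUT -v -n -x).
  $IPT -A INPUT -i "$IFACE" -p tcp --dport "$PORT"

  # Per-source SYN rate limit: sources sending more than SYN_RATE new
  # connection attempts are dropped (or tarpitted).
  $IPT -A INPUT -i "$IFACE" -p tcp --dport "$PORT" --syn \
    -m hashlimit --hashlimit-above "$SYN_RATE" --hashlimit-mode srcip \
    --hashlimit-name "syn_$PORT" -j "$over_limit_target"

  # SYNs under the limit are accepted.
  $IPT -A INPUT -i "$IFACE" -p tcp --dport "$PORT" --syn -j ACCEPT

  # Without conntrack we cannot verify that a non-SYN segment belongs to a
  # known flow, so anything that is not a SYN is accepted and left to the
  # TCP stack to reject if it matches no socket.
  $IPT -A INPUT -i "$IFACE" -p tcp --dport "$PORT" ! --syn -j ACCEPT
}

# Number of rules the generator emits (used for sanity checking a dry run).
rule_count() {
  build_rules | wc -l | tr -d ' '
}

build_rules
```

The trade-off is visible in the last rule: with no state table the firewall has nothing to compare a stray ACK or RST against, so matching is purely on flags, ports and per-source rate, and anything that relies on conntrack (NAT, `-m state`/`-m conntrack`, ALG helpers) cannot be used for the NOTRACKed traffic. The hashlimit table is the only per-source memory left, and its size is bounded by its own `--hashlimit-htable-max` rather than growing with every half-open connection.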