Hi, my partner company has implemented a really good DdoS protection that is able to process more than 3mil packets/sec. Beside of that fact, the appliance has web interface where you can track the load on your connection as well as block some ips or ip ranges that are attacking your server. If you are interested, I could send you a information folder. Regards, Edvin Seferovic -----Original Message----- From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of R. DuFresne Sent: Freitag, 22. April 2005 23:13 To: Taylor Grant Cc: Vic N; netfilter@xxxxxxxxxxxxxxxxxxx Subject: Re: ddos / no connection tracking / tarpitting -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 the only way to really survive a ddos without affecting connectivity in any shapoe or form is to have a bigger pipe then the other end<s> does. idiots trying to ddos from a cable connection or dialup are not a problem and sufferable. Those a tad higher in technical advancement with a bot net and tousands of zomies to attack from are likely to bring even the biggest pipes to a dead halt, at least getting in and our of the firewall gateway is impossible. Traffic on the inside should be unaffected. I've suffered attacks with a firewall not doing connection tracking and had no problems with either the firewall failing or suffereing a reboot. I have yet to suffer such an attack on a staeful firewall, but tend to think I should suffer no less with such a firewall in place as apposed to an the older mere packet filters I've been replacing over time. Course, it helps to have enough RAM in the firewall in the firstplace... pipes size and RAM, them be the keys to surviival. Thanks, Ron DuFresne On Fri, 22 Apr 2005, Taylor Grant wrote: >> A while ago I saw an iptables solution that was able to serve as an >> effective anti-ddos solution. I didn't get to see under the hood, but >> the creator told me that the solution was essentially an iptables >> implementation with no connection tracking built in. Allegedly, the fact >> that no connection tracking was used enabled the the iptables to deal with >> a much higher volume of traffic w/o crashing. He had also mentioned using >> packet counting (to count packets as they passed through since there was >> no way to keep track of them otherwise) and using tarpitting. >> >> While I can't attest to what the person told me, I do know the firewall >> was soaking up ddos traffic that was otherwise bringing servers to their >> knees with the use of regular connection-based firewalling. >> >> So my question is, is this the basic element of building a good anti-ddos >> solution wtih iptables to address a *large* volume of ddos traffic to >> build iptables w/o connection tracking? >> >> Thanks, > > Yes this is possible and (I think) fairly easy to do. As I have never done > this I can not tell you for sure, but this is what I would do if I were to do > such a thing. > > I will presume that you are wanting to drop all traffic to a specif port on > an IP address for the sake of this discussion. > > iptables -t raw -A PREROUTING -d 1.2.3.4 -p tcp --dport 5678 -j NOTRACK > iptables -t filter -A FORWARD -d 1.2.3.4 -p tcp --dport 5678 -j TARPIT > > This will cause any traffic that comes in that is distend to 1.2.3.4 on port > 5678 to NOT be tracked with the connecting tracking sub system and to > subsequently be redirected to the TARPIT target. > > > > Grant. . . . > - -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ admin & senior security consultant: sysinfo.com http://sysinfo.com Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629 ...We waste time looking for the perfect lover instead of creating the perfect love. -Tom Robbins <Still Life With Woodpecker> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFCaWjtst+vzJSwZikRAu6hAJ496gLuwc31uc2uiCNXzbk3AMA1SQCdEXNI VfK1Yh+17fGQV6Qb6gRF8Zc= =sgu8 -----END PGP SIGNATURE-----
