As Ron explained, the problem with DoS is not the firewall (iptables or
not), but the pipe size. I also had a few DDoS, and the OpenBSD firewall
never had any trouble... but I had a pipe saturation :-(

Fabien
--
fabien (at) klipz (dot) fr
http://www.klipz.fr

On 4/23/05, Seferovic Edvin <edvin.seferovic@xxxxxxx> wrote:
> Hi,
>
> my partner company has implemented a really good DDoS protection that is
> able to process more than 3 million packets/sec. Besides that, the
> appliance has a web interface where you can track the load on your
> connection as well as block some IPs or IP ranges that are attacking
> your server. If you are interested, I could send you an information
> folder.
>
> Regards,
>
> Edvin Seferovic
>
> -----Original Message-----
> From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx
> [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of R. DuFresne
> Sent: Friday, 22 April 2005 23:13
> To: Taylor Grant
> Cc: Vic N; netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: Re: ddos / no connection tracking / tarpitting
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> The only way to really survive a DDoS without affecting connectivity in
> any shape or form is to have a bigger pipe than the other end<s> does.
> Idiots trying to DDoS from a cable connection or dialup are not a
> problem and sufferable. Those a tad higher in technical advancement with
> a botnet and thousands of zombies to attack from are likely to bring
> even the biggest pipes to a dead halt; at least getting in and out of
> the firewall gateway is impossible. Traffic on the inside should be
> unaffected.
>
> I've suffered attacks with a firewall not doing connection tracking and
> had no problems with either the firewall failing or suffering a reboot.
> I have yet to suffer such an attack on a stateful firewall, but tend to
> think I should suffer no less with such a firewall in place as opposed
> to the older mere packet filters I've been replacing over time. Of
> course, it helps to have enough RAM in the firewall in the first
> place...
>
> Pipe size and RAM, them be the keys to survival.
>
> Thanks,
>
> Ron DuFresne
>
> On Fri, 22 Apr 2005, Taylor Grant wrote:
>
> >> A while ago I saw an iptables solution that was able to serve as an
> >> effective anti-DDoS solution. I didn't get to see under the hood, but
> >> the creator told me that the solution was essentially an iptables
> >> implementation with no connection tracking built in. Allegedly, the
> >> fact that no connection tracking was used enabled the iptables to
> >> deal with a much higher volume of traffic w/o crashing. He had also
> >> mentioned using packet counting (to count packets as they passed
> >> through since there was no way to keep track of them otherwise) and
> >> using tarpitting.
> >>
> >> While I can't attest to what the person told me, I do know the
> >> firewall was soaking up DDoS traffic that was otherwise bringing
> >> servers to their knees with the use of regular connection-based
> >> firewalling.
> >>
> >> So my question is, is this the basic element of building a good
> >> anti-DDoS solution with iptables to address a *large* volume of DDoS
> >> traffic, to build iptables w/o connection tracking?
> >>
> >> Thanks,
> >
> > Yes this is possible and (I think) fairly easy to do. As I have never
> > done this I can not tell you for sure, but this is what I would do if
> > I were to do such a thing.
> >
> > I will presume that you are wanting to drop all traffic to a specific
> > port on an IP address for the sake of this discussion.
> >
> > iptables -t raw -A PREROUTING -d 1.2.3.4 -p tcp --dport 5678 -j NOTRACK
> > iptables -t filter -A FORWARD -d 1.2.3.4 -p tcp --dport 5678 -j TARPIT
> >
> > This will cause any traffic that comes in that is destined to 1.2.3.4
> > on port 5678 to NOT be tracked with the connection tracking subsystem
> > and to subsequently be redirected to the TARPIT target.
> >
> >
> >
> > Grant. . . .
> >
> >
> - --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> admin & senior security consultant: sysinfo.com
> http://sysinfo.com
> Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
>
> ...We waste time looking for the perfect lover
> instead of creating the perfect love.
>
> -Tom Robbins <Still Life With Woodpecker>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (GNU/Linux)
>
> iD8DBQFCaWjtst+vzJSwZikRAu6hAJ496gLuwc31uc2uiCNXzbk3AMA1SQCdEXNI
> VfK1Yh+17fGQV6Qb6gRF8Zc=
> =sgu8
> -----END PGP SIGNATURE-----
>
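Added example, not code from anyone in the thread: a small script that puts Grant's two rules (raw-table NOTRACK, then TARPIT in FORWARD) and the "packet counting" Taylor's acquaintance relied on into one runnable piece. It assumes the thread's placeholder address 1.2.3.4 and port 5678; that TARPIT is an add-on target (xtables-addons today, patch-o-matic in 2005) which may not be present, so it falls back to DROP; and that the script is run with IPT unset for a dry run that only prints the commands. The sample counter table is constructed, not captured from a real box.

```shell
#!/bin/sh
# Added example (not from the thread). Untracked tarpit for one flooded
# TCP service, plus a counter readout from the raw table, which is the
# only per-port volume figure left once conntrack is out of the picture.
# Assumptions: 1.2.3.4:5678 are the thread's placeholders; TARPIT is an
# add-on target and may be missing (fallback: DROP). IPT defaults to a
# dry run that only prints the commands; set IPT=iptables (as root) to apply.
IPT="${IPT:-echo iptables}"

# Print TARPIT if this iptables can load the target, otherwise DROP.
# "iptables -j TARPIT -h" loads the extension and prints its help without
# touching the kernel, so it works unprivileged; a missing extension makes
# iptables exit non-zero.
choose_target() {
    if command -v iptables >/dev/null 2>&1 &&
       iptables -j TARPIT -h >/dev/null 2>&1; then
        echo TARPIT
    else
        echo DROP
    fi
}

# build_rules DST_IP PORT TARGET
# The raw-table NOTRACK rule runs before conntrack sees the packet, so no
# conntrack entry (and no RAM) is spent per attacking SYN; TARPIT or DROP
# then handles the packet in FORWARD. Once a flow is untracked, "-m state"
# rules elsewhere will not match it: this port is deliberately stateless.
build_rules() {
    dst="$1"; port="$2"; target="$3"
    $IPT -t raw -A PREROUTING -d "$dst" -p tcp --dport "$port" -j NOTRACK
    $IPT -t filter -A FORWARD -d "$dst" -p tcp --dport "$port" -j "$target"
}

# untracked_pkts PORT   (reads "iptables -t raw -nvxL PREROUTING" on stdin)
# Prints the packet counter of the NOTRACK rule for PORT, or nothing if
# there is none. Newer iptables prints the target as "CT ... NOTRACK",
# older ones as "NOTRACK"; matching the keyword anywhere on the line and
# the exact port (not a prefix of a longer one) covers both.
untracked_pkts() {
    awk -v port="$1" \
        '$0 ~ ("dpt:" port "([^0-9]|$)") && /NOTRACK/ { print $1; exit }'
}

# Constructed sample of "iptables -t raw -nvxL PREROUTING" output so the
# parser can be exercised offline; not a capture from any real machine.
SAMPLE_COUNTERS='Chain PREROUTING (policy ACCEPT 4021 packets, 310455 bytes)
    pkts      bytes target     prot opt in     out     source               destination
 8123456  324938240 NOTRACK    tcp  --  *      *       0.0.0.0/0            1.2.3.4              tcp dpt:5678
     512      30720 NOTRACK    udp  --  *      *       0.0.0.0/0            1.2.3.4              udp dpt:53'

# Dry run by default: shows the two rules, then the sample counter.
build_rules 1.2.3.4 5678 "$(choose_target)"
printf '%s\n' "$SAMPLE_COUNTERS" | untracked_pkts 5678
```

Two caveats that match the thread's own conclusion: this keeps the firewall's conntrack table and RAM out of the attacker's reach, but it does nothing about the pipe, so a flood large enough to saturate the uplink still saturates it. TARPIT is TCP-only and answers each SYN, so it costs a little outbound bandwidth per attacking packet; DROP costs none. The rules sit in FORWARD because the box in the thread is a gateway; on a firewall that is itself the target host, the second rule belongs in INPUT.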