On Tuesday, 30 August 2005 14:40, Benoit Panizzon wrote:
> Hi all
>
> I'm looking for a way to prevent connection DOSing of specific services.
>
> The goal is to count the connection rate per connecting IP and then reject
> those connections if they pass a certain limit.
>
> It looks like OpenBSD's pf is the only packet filter (except some
> commercial firewalls) which has this ability.
>
> The best I managed with iptables is to throttle the connection rate for a
> specific port, but this of course affects normal users trying to use that
> service and does not change the fact of the service being DOSed.
>
> The other possibility I found is to write my own userspace QUEUE target
> connection rate tracker via the iptables API. But as I'm not a programmer
> and I think this is a quite common request I just wonder:
>
> Hasn't already somebody written such a per source connection rate
> limiter?
>

Have you tried hashlimit?

ex1. (not tested):

# seems that hashlimit doesn't support negation ("!")
# example way to achieve the same result:
iptables -t raw -N ANTIDOS
iptables -t raw -A ANTIDOS -m hashlimit --hashlimit 5/s \
    --hashlimit-name limitDoS --hashlimit-mode srcip,dstport -j ACCEPT
iptables -t raw -A ANTIDOS -j DROP
iptables -t raw -A PREROUTING -i eth0 -p tcp --syn -j ANTIDOS

Another idea is to add "bad" IPs to a recent list and then drop all traffic
from them, for example for 12 hours.

You could also use connlimit.

-- 
Jakub Wartak -vnull
FreeBSD/OpenBSD/Linux/Solaris/Network Administrator
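The three ideas in the reply above (hashlimit per source IP, parking offenders on a recent list for 12 hours, and a connlimit cap) combined into one rule set, as an added example that is not part of the original thread. Assumed: the protected service is TCP port 25 on eth0, rules live in the filter table's INPUT chain, and the chain/list name "antidos" is arbitrary; setting IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example: per-source SYN rate limiting with hashlimit, offenders banned
# via the recent match for 12 hours, plus a connlimit cap. Not the original
# poster's configuration; service, interface and names are assumptions.
IPT=${IPT:-iptables}   # set IPT=echo for a dry run
IFACE=${IFACE:-eth0}
PORT=${PORT:-25}
BAN_SECONDS=43200      # 12 hours

antidos_rules() {
    "$IPT" -N ANTIDOS
    # 1. Sources already on the ban list are dropped. --rcheck does not refresh
    #    the entry's timestamp, so the ban ends BAN_SECONDS after it was --set.
    "$IPT" -A ANTIDOS -m recent --name antidos --rcheck \
        --seconds "$BAN_SECONDS" -j DROP
    # 2. Up to 5 new connections/s (burst 10) per source IP pass normally.
    "$IPT" -A ANTIDOS -m hashlimit --hashlimit-name antidos \
        --hashlimit-mode srcip --hashlimit-upto 5/sec --hashlimit-burst 10 \
        -j RETURN
    # 3. Over the limit: record the source on the recent list and drop the SYN.
    #    Note: the default list holds 100 addresses (xt_recent ip_list_tot).
    "$IPT" -A ANTIDOS -m recent --name antidos --set -j DROP
    # Only connection attempts (SYN) to the protected port are rate-checked,
    # so established sessions of legitimate users are untouched.
    "$IPT" -A INPUT -i "$IFACE" -p tcp --dport "$PORT" --syn -j ANTIDOS
    # Independent cap on concurrent connections per source (connlimit).
    "$IPT" -A INPUT -i "$IFACE" -p tcp --dport "$PORT" --syn \
        -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset
}

# Run with "--apply" to install the rules; otherwise only define the function.
if [ "${1:-}" = "--apply" ]; then
    antidos_rules
fi
```

A dry run (IPT=echo sh antidos.sh --apply) shows the exact commands before they touch a live firewall.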