The answer is very simple: you cannot. DDoS attacks fill your pipe. Nothing iptables can do about that. And preventing? How would you prevent a script kiddie sending the DDoS command to 1.000.000 of his bots? The only way to block DDoS attacks is to do it upstream, where the pipe is bigger than the attack. SYN cookies etc. can help to keep your system stable during an attack, but it will not be functional, as it cannot send or receive regular traffic.

-Sietse

-----Original Message-----
From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Elvir Kuric
Sent: Saturday, August 12, 2006 7:08 PM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Preventing DoS attacks using iptables?

Hi all,

I have just one question related to preventing DoS attacks using iptables. I know it is possible to limit receiving packets caused by DoS attacks using -m limit --limit 1/s, and in that way push the firewall to accept just one packet per second. But in some cases the kernel will accept those packets, and we can reject them by putting 1 in /proc/sys/net/ipv4# cat tcp_syncookies. According to http://cr.yp.to/syncookies.html, where they say that this method is still experimental, I am asking you what your experiences are related to preventing DoS attacks this way.

Thanks

Regards
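An added example (not code from Sietse or Elvir) of the two defensive pieces the thread touches on: SYN cookies as the stability fallback, and a per-source hashlimit in place of the global -m limit --limit 1/s from the question, which would let one SYN per second through for all clients combined. The interface name, rate and burst values are assumed placeholders; as the reply says, none of this helps once the link itself is saturated.

```shell
#!/bin/sh
# Added example, not from the netfilter thread. Set DRY_RUN=1 to print the
# commands instead of running them; pass "apply" as the first argument to
# actually install the rules (requires root and iptables with hashlimit).

WAN_IF="${WAN_IF:-eth0}"            # assumed upstream interface name
SYN_RATE="${SYN_RATE:-20/second}"   # assumed per-source SYN rate
SYN_BURST="${SYN_BURST:-40}"        # assumed per-source burst allowance

# Run a command, or echo it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# SYN cookies keep the listen queue usable when it overflows. They do
# nothing about bandwidth exhaustion, which is the reply's point.
enable_syncookies() {
    run sysctl -w net.ipv4.tcp_syncookies=1
}

# A global "-m limit --limit 1/s" rule throttles everyone together, so it
# denies service by itself. hashlimit keyed on srcip limits each source
# separately; SYNs within budget RETURN to INPUT, excess is logged and dropped.
syn_rate_rules() {
    run iptables -N SYN_LIMIT
    run iptables -A SYN_LIMIT -m hashlimit --hashlimit-name syn_per_src \
        --hashlimit-mode srcip --hashlimit-upto "$SYN_RATE" \
        --hashlimit-burst "$SYN_BURST" -j RETURN
    # Rate-limit the log line itself so logging cannot become the bottleneck.
    run iptables -A SYN_LIMIT -m limit --limit 5/minute \
        -j LOG --log-prefix "SYN_LIMIT drop: "
    run iptables -A SYN_LIMIT -j DROP
    run iptables -I INPUT -i "$WAN_IF" -p tcp --syn -j SYN_LIMIT
}

if [ "${1:-}" = "apply" ]; then
    enable_syncookies
    syn_rate_rules
fi
```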