I have a thought about this.
I can use ipset and iptables on a bridge firewall.
The ipt_recent module compares the TTL of the SYN packet and the ACK packet. If they do not
match, then drop.
The ipt_hashlimit module stores the concurrent connections. When the
connections exceed the threshold, iptables would store the IP in ipset.
ipset's iptree module can store the IP for a fixed time. When an IP which
is in the iptree's list comes to the firewall, iptables would TARPIT its TCP
connection.
Is this setting effective?
Ric Messier wrote:
Bgs writes:
We recently got under a low traffic botnet DDoS attack. All attacker
nodes opened a single tcp session (just SYN part) and then did nothing.
This rules out rate limiting solutions and syncookie doesn't help
either. (Thousands of attacking nodes).
This is simply a SYN flood attack. It may or may not be a botnet (though
saying botnet makes it sound sexier :-) ). A decent SYN flood attack tool
would randomize the source address anyway.
You should try reading the following as a starting point:
http://www.securityfocus.com/infocus/1729
Your second suggestion has been implemented in the TCP/IP stack forever. The
article above gives guidance on how to tune it in a Linux implementation.
Ric
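An added example, not code from any poster in this thread, of how the hashlimit -> ipset -> TARPIT part of the proposed bridge setting could be written as a rule set; the set name, the thresholds and the use of hash:ip with a timeout in place of the old iptree type are assumptions.

```shell
#!/bin/sh
# Constructed example, not from any post in this thread: the hashlimit ->
# ipset -> TARPIT part of the proposed bridge firewall. Assumes iptables with
# xt_set and the xtables-addons TARPIT target, ipset 6.x (hash:ip with a
# timeout stands in for the old iptree type) and br_netfilter, so that
# bridged frames traverse the FORWARD chain. Names and thresholds are assumed.
SET_NAME=${SET_NAME:-synflood}   # ipset holding sources that exceeded the SYN rate
BAN_SECS=${BAN_SECS:-600}        # how long an entry stays in the set
SYN_RATE=${SYN_RATE:-10/sec}     # SYNs per source above which the source is listed
SYN_BURST=${SYN_BURST:-20}

# Emit the rules rather than applying them, so they can be reviewed or tested.
synguard_rules() {
    cat <<EOF
ipset create $SET_NAME hash:ip timeout $BAN_SECS -exist
# Listed sources: answer their SYNs with a zero-window SYN/ACK and hold the
# connection open (TARPIT). The raw-table rule keeps them out of conntrack.
iptables -t raw -I PREROUTING -p tcp -m set --match-set $SET_NAME src -j CT --notrack
iptables -I FORWARD 1 -p tcp --syn -m set --match-set $SET_NAME src -j TARPIT
# Everyone else: count SYNs per source address; above the threshold, add the
# source to the set. SET is non-terminating, so the SYN that crosses the
# threshold still passes and only later SYNs from that source are tarpitted.
iptables -I FORWARD 2 -p tcp --syn -m hashlimit --hashlimit-name synguard \\
  --hashlimit-mode srcip --hashlimit-above $SYN_RATE --hashlimit-burst $SYN_BURST \\
  -j SET --add-set $SET_NAME src
EOF
}
# Caveat: the threshold is per source. A flood of one SYN per node, as Bgs
# describes, never crosses it; these rules catch only sources that repeat.

synguard_apply() {
    synguard_rules | grep -v '^#' | sh -e
}

case "${1:-}" in
    apply) synguard_apply ;;   # needs root and the modules named above
    *) synguard_rules ;;       # default: print the rule set for review
esac
```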