On 2012.06.07 09:59, Jozsef Kadlecsik wrote:
> On Thu, 7 Jun 2012, Aidas Kasparas wrote:
>
>> I have a strange problem with iptables/ipset. I'm under 80Mbps+ SYN
>> flood (if to believe hoster's monitoring). Attack is not sophisticated --
>> SYN packet's source address is [pseudo]random, spread more or less
>> evenly over all available IPv4 address space (even block E). Idea was to
>> drop first SYN packet from every IP address I haven't seen in past 10
>> secs. So, I set up the following setup:
>>
>> iptables -N firstdrop
>>
>> iptables -N fd_0; iptables -A firstdrop -s 0.0.0.0/5 -j fd_0
>> iptables -N fd_8; iptables -A firstdrop -s 8.0.0.0/5 -j fd_8
>> ...
>> iptables -N fd_216; iptables -A firstdrop -s 216.0.0.0/5 -j fd_216
>>
>> ipset create fd_1 hash:ip timeout 10
>> ipset create fd_2 hash:ip timeout 10
>> ...
>> ipset create fd_223 hash:ip timeout 10
>>
>> iptables -A fd_0 -s 1.0.0.0/8 -m set --match-set fd_1 src -j RETURN;
>> iptables -A fd_0 -s 1.0.0.0/8 -j SET --add-set fd_1 src;
>> iptables -A fd_0 -s 2.0.0.0/8 -m set --match-set fd_2 src -j RETURN;
>> iptables -A fd_0 -s 2.0.0.0/8 -j SET --add-set fd_2 src;
>> ...
>> iptables -A fd_0 -s 7.0.0.0/8 -m set --match-set fd_7 src -j RETURN;
>> iptables -A fd_0 -s 7.0.0.0/8 -j SET --add-set fd_7 src;
>> iptables -A fd_8 -s 8.0.0.0/8 -m set --match-set fd_8 src -j RETURN;
>> iptables -A fd_8 -s 8.0.0.0/8 -j SET --add-set fd_8 src;
>> ...
>> iptables -A fd_216 -s 223.0.0.0/8 -m set --match-set fd_223 src -j RETURN;
>> iptables -A fd_216 -s 223.0.0.0/8 -j SET --add-set fd_223 src;
>>
>> iptables -A fd_0 -j DROP
>> iptables -A fd_8 -j DROP
>> ...
>> iptables -A fd_216 -j DROP
>>
>> iptables -A INPUT -s admin's_IP -j ACCEPT
>> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>> iptables -A INPUT -j firstdrop
>>
>> That works. Legitimate connections go through. Outgoing traffic drops
>> to a few megabits, as required for normal operations.
>>
>> But, after a while (sometimes a day, sometimes a few hours) no IP addresses
>> are added to fd_$i's by these iptables rules. And all the packets become
>> DROP'ed. But if I try to add an address by ipset command, or by a different
>> iptables rule -- then these addresses are added to ipsets (not sure, if
>> that would work for any and all of them).
>
> Maybe your given set gets full. From the manpage:
>
> "When entries added by the SET target of iptables/ip6tables, then the
> hash size is fixed and the set won't be duplicated, even if the new
> entry cannot be added to the set."
>

Ok. But if the set is full, and I list it, it should show at least some members present. When it stops working, it shows no members at all. On the other hand, I create sets with timeout 10. So, every 3 secs there should be an expiration process which throws ~ 1/3 of entries from each chain. And this should make place for some new entries.

--
Aidas Kasparas
IT administrator
GM Consult Group, UAB
+370 686 08473
http://www.gmc.lt
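The rule generation that the quoted setup abbreviates with "...", written out as an added example (not code from the original thread). It follows the same fd_$i layout but creates each hash:ip set with an explicit hashsize and maxelem, since the manpage passage Jozsef quotes means the SET target never grows a set that has filled up; the TIMEOUT value comes from the thread, while SET_SIZE is a constructed sample that has to be sized for the expected churn.

```shell
#!/bin/sh
# Added example, not code from the original thread: emit the full firstdrop
# ruleset that the quoted message abbreviates with "...", and create every
# hash:ip set with an explicit hashsize/maxelem. The SET target never grows
# a set, so an undersized set silently stops accepting new addresses.
# TIMEOUT matches the thread; SET_SIZE is a constructed sample value.

TIMEOUT=10
SET_SIZE=${SET_SIZE:-262144}   # power of two; sized for the expected churn

# Print ipset/iptables commands to stdout; pipe into `sh` to apply them.
gen_firstdrop_rules() {
    echo "iptables -N firstdrop"
    # One chain per /5 block: fd_0 covers 0-7, fd_8 covers 8-15, ..., fd_216 covers 216-223.
    g=0
    while [ "$g" -le 216 ]; do
        echo "iptables -N fd_$g"
        echo "iptables -A firstdrop -s $g.0.0.0/5 -j fd_$g"
        g=$((g + 8))
    done
    # One set per /8 from 1.0.0.0 to 223.0.0.0, hung off its /5 chain.
    o=1
    while [ "$o" -le 223 ]; do
        g=$(( (o / 8) * 8 ))
        echo "ipset create fd_$o hash:ip timeout $TIMEOUT hashsize $SET_SIZE maxelem $SET_SIZE"
        echo "iptables -A fd_$g -s $o.0.0.0/8 -m set --match-set fd_$o src -j RETURN"
        echo "iptables -A fd_$g -s $o.0.0.0/8 -j SET --add-set fd_$o src"
        o=$((o + 1))
    done
    # Anything that reached the end of its chain was unseen: drop it.
    g=0
    while [ "$g" -le 216 ]; do
        echo "iptables -A fd_$g -j DROP"
        g=$((g + 8))
    done
}

# To see whether a set has hit its ceiling, compare "Number of entries" with
# "maxelem" in the header printed by `ipset list -t fd_N`.
```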