The Great Jesper,

After my post here, I came across your video and slides! I did the download, and probably tonight (UTC -3) I will learn about it and implement it in my firewalls. I will let you know about that.

Thank you!
Thiago

On Tue, Mar 11, 2014 at 8:19 AM, Jesper Dangaard Brouer <netdev@xxxxxxxxxx> wrote:
> On Tue, 11 Mar 2014 04:23:39 -0300
> Thiago Oliveira <cpv.thiago@xxxxxxxxx> wrote:
>
>> I am looking to add protection to a firewall (IPTABLES based),
>> specifically for SYN flood and DDoS attacks to start with and, to that
>> end, was trawling through the archives of this mailing list and other
>> places Google suggested I visit.
>>
>> Unfortunately, what I found suggests that there is some debate about
>> how best to approach this.
>> Specifically, many postings suggest using a 'limit' module or TCP flag
>> combinations, but other postings say that such rules will not help and
>> in fact may even themselves act as a kind of internal DoS!
>
> Yes, unfortunately many of the iptables modules with state have not
> (yet) been optimized for parallel processing (this is work in progress;
> at some point they will hopefully all scale and avoid serialization on
> their internal state). Note, normal/simple iptables rules without
> state are capable of parallel processing.
>
>
>> So my question is, has there been a resolution to this case? Can I
>> protect my Linux Firewall using IPTABLES?
>
> You are in luck. I recently gave a talk on the subject of using
> iptables/netfilter to protect against SYN-flood DoS attacks. We have
> recently developed a module called SYNPROXY that addresses this.
>
> YouTube video:
> https://www.youtube.com/watch?v=BklSqr9t4uA
>
> Slides:
> http://people.netfilter.org/hawk/presentations/devconf2014/
>
> Script:
> https://github.com/netoptimizer/network-testing/blob/master/iptables/iptables_synproxy.sh
>
> And extra (not in slides) is that I recently optimized conntrack
> new-and-del operations, by implementing "parallel" locking. These
> changes will appear in kernel 3.14.
> http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/51681
>
> I would appreciate if people can test these recent conntrack
> optimizations; the kernel code is avail in Pablo's nf-next tree:
>
> https://git.kernel.org/cgit/linux/kernel/git/pablo/nf-next.git/
>
> I'm willing to help to provide build kernels for your system, if you
> can try/test these changes in production...
>
> --
> Best regards,
> Jesper Dangaard Brouer
> MSc.CS, Sr. Network Kernel Developer at Red Hat
> Author of http://www.iptv-analyzer.org
> LinkedIn: http://www.linkedin.com/in/brouer

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
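The thread names the SYNPROXY target and links to Jesper's iptables_synproxy.sh, but does not show what such a rule set looks like. The script below is an added example written for this page; it is not Jesper's script and not taken from the slides. It generates (and optionally applies) the three rules that put SYNPROXY in front of one TCP service, plus the sysctls it depends on. The interface `eth0` and port `80` are placeholder defaults; the rule structure (raw-table `CT --notrack` on the SYN, then `SYNPROXY` on `INVALID,UNTRACKED`, then a `DROP` of remaining `INVALID`) is the standard SYNPROXY pattern, and the reason it holds up under a flood is that the bare SYNs never create a conntrack entry, so the state table the reply describes as the serialization point is not touched until a client has completed the handshake.

```shell
#!/bin/sh
# Added example (not the script linked in the thread): build the SYNPROXY
# rule set for one TCP service. Defaults eth0/80 are placeholders.
# Usage: ./synproxy_rules.sh [IFACE] [PORT] [--apply]
#   without --apply the commands are printed so they can be reviewed first.

synproxy_rules() {
    iface="$1"
    port="$2"
    cat <<EOF
# 1. Untrack the incoming SYN in the raw table (runs before conntrack), so a
#    SYN flood never allocates conntrack entries or takes the conntrack locks.
iptables -t raw -A PREROUTING -i $iface -p tcp -m tcp --syn --dport $port -j CT --notrack
# 2. The untracked SYN and the handshake's final ACK (INVALID, since conntrack
#    never saw the SYN) go to SYNPROXY, which answers with SYN-cookies and only
#    opens the real connection to the service once the client completes the
#    handshake. TCP options must match what the service would announce.
iptables -A INPUT -i $iface -p tcp -m tcp --dport $port -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
# 3. Whatever conntrack still considers INVALID on this port is dropped.
iptables -A INPUT -i $iface -p tcp -m tcp --dport $port -m conntrack --ctstate INVALID -j DROP
EOF
}

synproxy_sysctls() {
    cat <<EOF
# SYNPROXY uses SYN-cookies and (with --timestamp) TCP timestamps; conntrack
# must not pick up mid-stream connections, because SYNPROXY itself creates
# the entry after the client-side handshake completes.
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_timestamps=1
sysctl -w net.netfilter.nf_conntrack_tcp_loose=0
EOF
}

main() {
    iface="${1:-eth0}"
    port="${2:-80}"
    if [ "$3" = "--apply" ]; then
        # Apply in order: sysctls first, then rules; stop on the first failure.
        { synproxy_sysctls; synproxy_rules "$iface" "$port"; } | sh -e
    else
        synproxy_sysctls
        synproxy_rules "$iface" "$port"
    fi
}

main "$@"
```

After applying, `iptables -v -L INPUT` shows the packet counters on the SYNPROXY rule climbing during a flood while `conntrack -C` (the entry count) stays flat, which is the observable difference from a `limit`-based rule that still lets every SYN through conntrack first.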