On Sun, 7 Jun 2015 08:04:40 -0700 (PDT) alvin <alvin.sm@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

> hi netfilter ml
>
> i was curious,
>
> does anybody know which ddos appliances use IPtables to
> mitigate incoming ddos attacks ?
>
> ----
>
> in the past few years, i've tarpit'd about 10,000 IP# of DDoS
> attackers on a little ole box ( EPIA-800 w/ 1GB of memory ) and it
> barely can handle the load ... but then again, 10,000 iptables
> entries is fairly steep and semi-ridiculous :-)
>
> http://networknightmare.net/Tarpits/#Install
>
> even if the src IP# might be spoof'd, you, i still do NOT want those
> incoming DDoS attacks coming in at 1,000 or 10,000 packets per second

Yes, 1000 rules is a little overboard. Have you tried ipset? Last I knew, it becomes more efficient than individual rules when there are more than 16 IPs to check.

N
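The ipset approach suggested in the reply, as an added example that is not from the thread: a list of attacker source addresses becomes one `hash:ip` set plus a single iptables rule that matches against it, instead of thousands of per-address rules. The set name `ddos_src`, the entry timeout and the sample addresses are constructed assumptions.

```shell
# Added example: ONE ipset plus ONE iptables rule instead of a rule per
# address. Set name, timeout and sample addresses are assumptions.
SET_NAME="ddos_src"
ENTRY_TIMEOUT=86400            # seconds; entries expire on their own

# Constructed sample input: the duplicate and the garbage are deliberate.
SAMPLE_IPS='198.51.100.7
203.0.113.9
198.51.100.7
300.1.1.1
not-an-ip
192.0.2.250'

# Return 0 if $1 is a syntactically valid dotted-quad IPv4 address.
is_ipv4() {
    case "$1" in *[!0-9.]*|"") return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Read addresses on stdin and emit `ipset restore` syntax: one create line,
# then one add line per unique valid address. Invalid lines are dropped
# so a single bad entry cannot abort the whole load.
build_ipset_restore() {
    printf 'create %s hash:ip family inet hashsize 16384 maxelem 65536 timeout %s\n' \
        "$SET_NAME" "$ENTRY_TIMEOUT"
    sort -u | while IFS= read -r ip; do
        if is_ipv4 "$ip"; then
            printf 'add %s %s\n' "$SET_NAME" "$ip"
        fi
    done
}

# The single rule that replaces N per-address rules; $1 is the jump target
# (DROP by default; TARPIT from xtables-addons slots in the same way).
emit_rule() {
    printf 'iptables -I INPUT -m set --match-set %s src -j %s\n' \
        "$SET_NAME" "${1:-DROP}"
}

# Number of set entries the sample produces (for checking, not loading).
count_sample_entries() {
    printf '%s\n' "$SAMPLE_IPS" | build_ipset_restore | grep -c '^add '
}
```

To load for real (as root): `printf '%s\n' "$SAMPLE_IPS" | build_ipset_restore | ipset -exist restore`, then run the line printed by `emit_rule`; adding or removing addresses afterwards touches only the set, never the rule list.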