On Mon, 8 Jun 2015 07:02:12 -0700 (PDT)
alvin <alvin.sm@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

>
> hi neal
>
> > On Sun, 7 Jun 2015 08:04:40 -0700 (PDT)
> ....
> > > even if the src IP# might be spoof'd, you, i still do NOT want
> > > those incoming DDoS attacks coming in at 1,000 or 10,000 packets
> > > per second
> >
> > Yes, 1000 rules is a little overboard.
>
> and if there's 10,000 iptables rules, it's galactically overboard ?
>
> - it was also a test to see if iptables would fail
>   and it didn't seem to break iptables

A few years ago, I tested iptables and a similar program. I used each to add
250 000 rules (don't remember if I tried 1M). I found they had to be added in
batches of 15 000 to 20 000. (And it turned out that the other program took
about 5% less time than iptables to complete.)

> ...
> my other iptables todo would be to AutoExpire the DDoS attackers
> to minimize the list of active ddos attackers ... manually deleting
> the attackers that went away is for the birds :-)

IIRC, ipset has a way to auto-expire entries; I think it is a set setting.

N
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
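The two points in the reply above, loading a large blocklist in one batch rather than one rule per address, and letting entries age out on their own, are exactly what ipset's `timeout` set option plus `ipset restore` give you. The following shell script is an added example, not code from anyone in this thread: it generates an `ipset restore` input for a `hash:ip` set with a set-wide timeout and optional per-entry timeouts, and prints the single iptables rule that matches the set. The set name `ddos_src`, the timeout values, the `maxelem` figure and the sample addresses (TEST-NET-1, constructed for the example) are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Builds an `ipset restore` script for a
# hash:ip set whose entries expire automatically, so attacker addresses drop
# out without manual deletion, and the whole list loads in one call instead of
# one ipset/iptables invocation per address. Names and values are assumptions.

SET_NAME="ddos_src"        # assumed set name
SET_TIMEOUT=3600           # default lifetime (seconds) for entries added without one
MAXELEM=262144             # raise above the 65536 default when loading ~250k entries

# Print the `create` line. The set-level `timeout` option is what makes entries
# expire; `maxelem` must exceed the number of addresses you intend to load, or
# later adds fail with "set is full".
ipset_create_line() {
    printf 'create %s hash:ip family inet hashsize 65536 maxelem %s timeout %s\n' \
        "$SET_NAME" "$MAXELEM" "$SET_TIMEOUT"
}

# Read "ip [seconds]" pairs on stdin and emit one `add` line each. A per-entry
# timeout overrides the set default; 0 means the entry never expires.
ipset_add_lines() {
    while read -r ip secs; do
        [ -n "$ip" ] || continue
        if [ -n "$secs" ]; then
            printf 'add %s %s timeout %s\n' "$SET_NAME" "$ip" "$secs"
        else
            printf 'add %s %s\n' "$SET_NAME" "$ip"
        fi
    done
}

# Whole restore script: the create line followed by one add per input line.
gen_restore_script() {
    ipset_create_line
    ipset_add_lines
}

# The single iptables rule that replaces thousands of per-address DROP rules;
# set lookups are hash-based, so the rule count no longer grows with the list.
iptables_rule() {
    printf 'iptables -I INPUT -m set --match-set %s src -j DROP\n' "$SET_NAME"
}

# Constructed sample attacker list (TEST-NET-1 addresses, not real attackers):
# 10 minutes, the set default, and permanent respectively.
SAMPLE_ATTACKERS='192.0.2.10 600
192.0.2.11
192.0.2.12 0'

# Usage (needs root and the ipset/iptables binaries):
#   printf '%s\n' "$SAMPLE_ATTACKERS" | gen_restore_script | ipset -exist restore
#   $(iptables_rule)
# With -exist, re-adding an address that is already in the set refreshes its
# timeout instead of erroring, so repeat offenders stay listed while one-off
# sources fall out after SET_TIMEOUT seconds.
```

Run the generator once to create the set and load the initial list, then feed later detections through the same `ipset -exist restore` pipe (or `ipset -exist add`). Check the effective lifetimes with `ipset list ddos_src`, which shows the remaining timeout per entry.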