Agreed. Also, trying to react to a DDoS could cause you to DoS yourself :) I've seen this in hardware appliance firewalls trying to be creative with threat detection/IPS.

> On Apr 17, 2024, at 2:05 PM, Reindl Harald <h.reindl@xxxxxxxxxxxxx> wrote:
>
>> On 17.04.24 at 21:43, William N. wrote:
>> I have been searching and reading, and reading... I understand this is
>> a huge and complex subject, especially for a non-expert. I read earlier
>> discussions on this ML - some answers seem to say it is futile (i.e.
>> something that should be done by the ISPs, not by the end clients),
>> others suggest there is benefit in doing at least what is possible. So,
>> I hope to have some things clarified by the experts here.
>>
>> XY: I am trying to do what is right for the network security of a SOHO
>> LAN. The nodes are distrusted, i.e. there is no assumption that they
>> are/will always be "clean" just because they are on the LAN.
>>
>> My questions:
>> 1. Is there a point to attempt DoS/DDoS protection directly on the LAN
>> nodes (Linux based)?
>> 2. What is the right approach (using nftables)?
>
> You can rate-limit requests, but for a real DDoS you have *nothing* on
> your side - your upstream connection is overloaded and dropping packets
> will gain you nothing.
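To make the "you can rate-limit requests" answer concrete, here is an nftables ruleset for a single Linux LAN node. It is an added example written for this page, not something posted by anyone in the thread. It assumes the node exposes SSH and HTTP(S) on the default ports; the ports, rates, burst sizes and timeouts are illustrative and should be tuned to the host. In line with the caveat above, it only bounds what the node itself will accept (new connections per source, total SYN rate, ICMP); it does nothing for a saturated upstream link.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread: per-source and global rate limits
# on a Linux host. Assumed: services on 22/80/443; rates are placeholders.
flush ruleset

table inet filter {
    # Dynamic sets: one entry per source address that hits the limit rule,
    # each with its own token bucket. Entries expire 1 minute after the
    # last match, so a host that calms down is forgiven automatically.
    set new_conn_v4 {
        type ipv4_addr
        flags dynamic,timeout
        timeout 1m
    }
    set new_conn_v6 {
        type ipv6_addr
        flags dynamic,timeout
        timeout 1m
    }

    chain input {
        type filter hook input priority filter; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Global ceiling on new TCP connections from anyone: keeps conntrack
        # and the services alive under a flood the uplink is still delivering.
        tcp flags & (syn | ack) == syn limit rate over 1000/second burst 200 packets counter drop

        # Per-source ceiling: a single address opening more than 10 new
        # connections/second (burst 20) to the service ports is dropped,
        # without affecting other LAN hosts.
        tcp dport { 22, 80, 443 } ct state new add @new_conn_v4 { ip saddr limit rate over 10/second burst 20 packets } counter drop
        tcp dport { 22, 80, 443 } ct state new add @new_conn_v6 { ip6 saddr limit rate over 10/second burst 20 packets } counter drop

        # Keep ICMP usable (path MTU, ND) but bounded.
        meta l4proto { icmp, ipv6-icmp } limit rate 20/second accept

        tcp dport { 22, 80, 443 } ct state new accept
    }
}
```

Load it with `nft -f <file>`; `nft list set inet filter new_conn_v4` shows which sources are currently being throttled, and the `counter` on each drop rule shows how often the limit fires so the thresholds can be adjusted. The ordering matters: the limit rules must precede the final `accept`, and with `policy drop` the established/related rule must come first so an existing SSH session survives the reload.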