[bf1942] Stopping DDoS

Reinder P. Gerritsen reinder at strikerz.net
Wed Feb 12 04:39:24 EST 2003


For killing off DDoS SYN-flood-alikes, the "recent" module is a great
tool to protect your server.
However, this needs some tweaking and testing, and the effect on your IP
stack is... somewhat nasty to say the least. Ping time on my web box
rose from 20~30 to 80ms after I activated this. I'm still thinking of
deactivating it by default, and having a cronjob to check incoming amounts
every once in a while to fire up the protection when shit hits the fan,
but that requires some more thinking before I implement it.

I have permanent SYN protection with syncookies, and some -m recent
rules to filter out any high-count SYN requests.
Roughly think of it as the following (non-syntax) structure:
---------------------------------------------------------
Check the incoming IP against the "recent-list"
	If the IP is registered, update the expiration
	by setting the time to 10 minutes (e.g.), then deny.
Check the number of incoming SYN packets with limit, to see
	if it's over a certain rate.
	If this threshold is exceeded, go to a sub chain,
	check again if the threshold is reached by a
	particular IP, register that IP in the list with
	an expiration of 10 minutes, deny further traffic.
---------------------------------------------------------
The result is that once a registration on the netfilter is triggered,
the expiration will be reset to 10 minutes every time the
suspected box attempts a connection, effectively requiring
the attack suspect to shut up for at least 10 minutes before
it can successfully start another connection.

Of course, after fine-tuning you can decide that anything that is
triggering the alarm just has to be bad, and deny it for 24 hours,
but I believe your recent-list history defaults to about 100 IPs
and widening this list results in quite some performance loss.

Put this situation almost on top of your firewall/netfilter.
(Always remember to state one or 2 IPs (from the administrators)
as "allow" before this rule, so that you will not be the victim of your
own protection.)

> -----Original Message-----
> From: Scratch Monkey [mailto:ScratchMonkey at SewingWitch.com] 
> Sent: Wednesday, February 12, 2003 10:05 AM
> To: bf1942 at icculus.org
> Subject: [bf1942] Stopping DDoS
> 
> 
> --On Wednesday, February 12, 2003 9:34 AM +0100 Peter Norin 
> <peter.norin at songnetworks.se> wrote:
> 
> > though the nice thing about linux in this case is iptables.
> > 
> > iptables -A input_chain -j ACCEPT -p udp --dport 23000 -m limit 
> > --limit 1/s
> 
> Oh, cool! I forgot that netfilter (the package iptables 
> belongs to) includes some limiter modules.
> 
http://www.netfilter.org/
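The structure sketched in the post above, written out as an added example (not the poster's own rules): a "recent" quarantine list refreshed on every retry, a global SYN budget with `limit`, and a sub-chain that registers the source responsible. The admin address 192.0.2.10, the 600 s quarantine, the 30/s global rate and the 15-SYNs-in-10-s per-source trigger are assumed placeholders; `IPT=echo` prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the mailing-list post. Builds the "recent" + "limit"
# SYN-flood chain the post outlines. Set IPT=echo / SYSCTL=echo to print the
# commands; run as root with the real binaries to apply them.
# Placeholders: admin IP 192.0.2.10, quarantine 600 s, global SYN budget 30/s
# (burst 60), per-source trigger 15 SYNs within 10 s.

synflood_rules() {
    admin_ip="${1:-192.0.2.10}"   # operator address that bypasses the filter (assumed)
    quarantine="${2:-600}"        # seconds of silence an offender must keep
    IPT="${IPT:-iptables}"
    SYSCTL="${SYSCTL:-sysctl}"

    # Permanent baseline: kernel SYN cookies protect the backlog regardless.
    $SYSCTL -w net.ipv4.tcp_syncookies=1

    # Operator bypass comes first so the rules below cannot lock you out.
    $IPT -A INPUT -s "$admin_ip" -j ACCEPT

    # Already-quarantined sources: --update only matches addresses already in
    # the list, refreshes their timestamp and drops the packet, so every retry
    # restarts the quarantine clock.
    $IPT -A INPUT -m recent --name synflood --update --seconds "$quarantine" -j DROP

    # Global SYN budget: within the rate every SYN is accepted untouched.
    $IPT -A INPUT -p tcp --syn -m limit --limit 30/s --limit-burst 60 -j ACCEPT

    # Budget exceeded: hand the overflow to a sub-chain that finds the culprit.
    $IPT -N SYNFLOOD
    $IPT -A INPUT -p tcp --syn -j SYNFLOOD

    # Record this SYN for its source, then test whether that source alone has
    # sent 15 or more SYNs in the last 10 s (hitcount <= xt_recent default of 20).
    $IPT -N QUARANTINE
    $IPT -A SYNFLOOD -m recent --name syncount --set
    $IPT -A SYNFLOOD -m recent --name syncount --rcheck --seconds 10 --hitcount 15 -j QUARANTINE
    # Offender: register it in the quarantine list and drop; the --update rule
    # in INPUT now owns it until it stays quiet for the full quarantine period.
    $IPT -A QUARANTINE -m recent --name synflood --set -j DROP
    # Sources below the per-IP trigger fall back to the rest of INPUT.
    $IPT -A SYNFLOOD -j RETURN
}

# Usage: IPT=echo SYSCTL=echo sh synflood.sh --apply   (dry run, prints rules)
#        sh synflood.sh --apply                         (as root, applies them)
if [ "${1:-}" = "--apply" ]; then
    synflood_rules 192.0.2.10 600
fi
```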