ddos / no connection tracking / tarpitting
dufresne at sysinfo.com
Fri Apr 22 23:13:13 CEST 2005
-----BEGIN PGP SIGNED MESSAGE-----
the only way to really survive a ddos without affecting connectivity in
any shapoe or form is to have a bigger pipe then the other end<s> does.
idiots trying to ddos from a cable connection or dialup are not a problem
and sufferable. Those a tad higher in technical advancement with a bot
net and tousands of zomies to attack from are likely to bring even the
biggest pipes to a dead halt, at least getting in and our of the firewall
gateway is impossible. Traffic on the inside should be unaffected.
I've suffered attacks with a firewall not doing connection tracking and
had no problems with either the firewall failing or suffereing a reboot.
I have yet to suffer such an attack on a staeful firewall, but tend to
think I should suffer no less with such a firewall in place as apposed to
an the older mere packet filters I've been replacing over time. Course,
it helps to have enough RAM in the firewall in the firstplace...
pipes size and RAM, them be the keys to surviival.
On Fri, 22 Apr 2005, Taylor Grant wrote:
>> A while ago I saw an iptables solution that was able to serve as an
>> effective anti-ddos solution. I didn't get to see under the hood, but
>> the creator told me that the solution was essentially an iptables
>> implementation with no connection tracking built in. Allegedly, the fact
>> that no connection tracking was used enabled the the iptables to deal with
>> a much higher volume of traffic w/o crashing. He had also mentioned using
>> packet counting (to count packets as they passed through since there was
>> no way to keep track of them otherwise) and using tarpitting.
>> While I can't attest to what the person told me, I do know the firewall
>> was soaking up ddos traffic that was otherwise bringing servers to their
>> knees with the use of regular connection-based firewalling.
>> So my question is, is this the basic element of building a good anti-ddos
>> solution wtih iptables to address a *large* volume of ddos traffic to
>> build iptables w/o connection tracking?
> Yes this is possible and (I think) fairly easy to do. As I have never done
> this I can not tell you for sure, but this is what I would do if I were to do
> such a thing.
> I will presume that you are wanting to drop all traffic to a specif port on
> an IP address for the sake of this discussion.
> iptables -t raw -A PREROUTING -d 220.127.116.11 -p tcp --dport 5678 -j NOTRACK
> iptables -t filter -A FORWARD -d 18.104.22.168 -p tcp --dport 5678 -j TARPIT
> This will cause any traffic that comes in that is distend to 22.214.171.124 on port
> 5678 to NOT be tracked with the connecting tracking sub system and to
> subsequently be redirected to the TARPIT target.
> Grant. . . .
admin & senior security consultant: sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
...We waste time looking for the perfect lover
instead of creating the perfect love.
-Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
-----END PGP SIGNATURE-----
More information about the netfilter