max-src-conn-rate (Connection rate throttling per IP)
Benoit Panizzon
benoit.panizzon at imp.ch
Tue Aug 30 14:40:55 CEST 2005
Hi all
I'm looking for a way to prevent connection DoSing of specific services.
The goal is to count the connection rate per connecting IP and then reject
those connections if they pass a certain limit.
It looks like OpenBSD's pf is the only packet filter (except some commercial
firewalls) which has this ability.
The best I managed with iptables is to throttle the connection rate for a
specific port, but this of course affects normal users trying to use that
service and does not change the fact of the service being DoSed.
The other possibility I found is to write my own userspace QUEUE target
connection rate tracker via the iptables api. But as I'm not a programmer and
I think this is a quite common request I just wonder:
Hasn't somebody already written such a per-source connection rate limiter?
Is there a repository of different userspace QUEUE tools where I could find
something similar?
Regards
--
Benoît Panizzon, <bp at imp.ch>
------------------------------------------------------------------------
ImproWare AG, UNIXSP & ISP Phone: +41 61 826 93 00
Kabelinternet-Hotline: +41 61 826 93 07
Zurlindenstrasse 29 Fax: +41 61 826 93 01
CH-4133 Pratteln Net: http://www.imp.ch/
------------------------------------------------------------------------
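The per-source counter the post asks for, as an added example (not code from the original post or from netfilter): a sliding-window tracker in Python run over constructed connection events, plus the `iptables` `recent`-match rules (real flags) that express the same policy in-kernel. `PerSourceRateLimiter`, `filter_connections`, `iptables_rules`, the chain layout and the sample addresses are assumptions of this example, and the exact hit accounting of the kernel module may differ from the model.

```python
# Added example: per-source connection-rate limiting with a sliding window,
# modelled on the policy iptables' `recent` match expresses with
# --seconds/--hitcount. Not code from the original post.
from collections import defaultdict, deque

class PerSourceRateLimiter:
    """Allow at most `hitcount` new connections per source IP within any
    `window` seconds. Rejected attempts are recorded too, so a source that
    keeps hammering stays blocked until it backs off for a full window."""

    def __init__(self, window, hitcount):
        self.window = window
        self.hitcount = hitcount
        self.hits = defaultdict(deque)  # src_ip -> timestamps inside window

    def allow(self, src_ip, now):
        q = self.hits[src_ip]
        while q and now - q[0] >= self.window:  # age out old attempts
            q.popleft()
        over_limit = len(q) >= self.hitcount
        q.append(now)
        return not over_limit

def filter_connections(events, window, hitcount):
    """events: iterable of (timestamp, src_ip) for new connection attempts.
    Returns {src_ip: (accepted, rejected)} so per-source impact is visible."""
    limiter = PerSourceRateLimiter(window, hitcount)
    counts = defaultdict(lambda: [0, 0])
    for ts, src in events:
        counts[src][0 if limiter.allow(src, ts) else 1] += 1
    return {src: tuple(c) for src, c in counts.items()}

def iptables_rules(port, window, hitcount, name="ratelimit"):
    """Same policy in-kernel: only TCP SYNs to `port` are counted, the
    reject rule is evaluated before the rule that records accepted hits."""
    base = f"-A INPUT -p tcp --dport {port} --syn -m recent --name {name}"
    return [
        f"{base} --update --seconds {window} --hitcount {hitcount} -j REJECT",
        f"{base} --set -j ACCEPT",
    ]

# Constructed sample (RFC 5737 documentation addresses): one source floods
# a port, one behaves normally, and the flooder comes back after a pause.
SAMPLE_EVENTS = (
    [(t, "192.0.2.10") for t in range(15)]        # 15 SYNs in 15 s
    + [(t, "198.51.100.5") for t in (0, 20, 40)]  # 3 SYNs in 40 s
    + [(200, "192.0.2.10")]                       # flooder returns later
)

if __name__ == "__main__":
    for src, (ok, rej) in filter_connections(SAMPLE_EVENTS, 60, 10).items():
        print(f"{src}: accepted={ok} rejected={rej}")
    print("\n".join(iptables_rules(22, 60, 10)))
```

With a 60 s window and a limit of 10, the flooder gets its first ten attempts through and the rest rejected until it has been quiet for a full window, while the normal user is never affected.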