max-src-conn-rate (Connection rate throttling per IP)
vnull at pcnet.com.pl
Tue Aug 30 14:59:21 CEST 2005
Dnia wtorek, 30 sierpnia 2005 14:40, Benoit Panizzon napisał:
> Hi all
> I'm looking for a way to prevent connection DOSing of specific services.
> The goal is to count the connection rate per conneting ip and then reject
> those connections if they pass a certain limit.
> It looks like OpenBSD's pf is the only packet filter (except some
> commerctial Firewalls) which has this ability.
> The best I managed with iptables is to throttle the connection rate for a
> specific port, but this of course affecs normal users trying to use that
> service and does not change the fact of the service being DOSed.
> The other possibility I found is to write my own userspace QUEUE target
> connection rate tracker via the iptables api. But as I'm not a programmer
> and I think this is a quite common request I just wonder:
> Hasn't allready somebody written such a per source connection rate
Have you tried hashlimit ?
ex1. ( not tested ):
# seems that hashlimit doesn't support negation ( "!" )
# example way to achieve the same result:
iptables -t raw -N ANTIDOS
iptables -t raw -A ANTIDOS -m hashlimit --hashlimit 5/s \
--hashlimit-name limitDoS --hashlimit-mode srcip,dstport -j ACCEPT
iptables -t raw -A ANTIDOS -j DROP
iptables -t raw -A PREROUTING -i eth0 -p tcp --syn -j ANTIDOS
Another idea is to add "bad" IPs to recent list and then drop all traffic from
them for example for 12 hours.
You could also use connlimit.
More information about the netfilter