max-src-conn-rate (Connection rate throttling per IP)

Jakub Wartak vnull at pcnet.com.pl
Tue Aug 30 14:59:21 CEST 2005


On Tuesday, 30 August 2005 14:40, Benoit Panizzon wrote:
> Hi all
>
> I'm looking for a way to prevent connection DOSing of specific services.
>
> The goal is to count the connection rate per connecting ip and then reject
> those connections if they pass a certain limit.
>
> It looks like OpenBSD's pf is the only packet filter (except some
> commercial Firewalls) which has this ability.
>
> The best I managed with iptables is to throttle the connection rate for a
> specific port, but this of course affects normal users trying to use that
> service and does not change the fact of the service being DOSed.
>
> The other possibility I found is to write my own userspace QUEUE target
> connection rate tracker via the iptables api. But as I'm not a programmer
> and I think this is a quite common request I just wonder:
>
> Hasn't already somebody written such a per source connection rate
> limiter?
>

Have you tried hashlimit ?

ex1. ( not tested ): 

# seems that hashlimit doesn't support negation ( "!" )
# example way to achieve the same result:
iptables -t raw -N ANTIDOS
iptables -t raw -A ANTIDOS -m hashlimit --hashlimit 5/s \
	--hashlimit-name limitDoS --hashlimit-mode srcip,dstport -j ACCEPT
iptables -t raw -A ANTIDOS -j DROP

iptables -t raw -A PREROUTING -i eth0 -p tcp --syn -j ANTIDOS

Another idea is to add "bad" IPs to recent list and then drop all traffic from 
them for example for 12 hours.

You could also use connlimit.

-- 
Jakub Wartak
-vnull
FreeBSD/OpenBSD/Linux/Solaris/Network Administrator
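The following is an added example, not code from the thread: a small user-space model of what the ANTIDOS chain above does, so the difference between a port-wide limit (Benoit's problem) and a per-source `srcip,dstport` hashlimit plus a `recent`-style 12-hour ban can be seen on constructed traffic. It assumes hashlimit behaves as a token bucket per hash key refilled at 5/s with hashlimit's default burst of 5; the packet dicts, IPs and timings are constructed sample data.

```python
from collections import defaultdict
from fractions import Fraction as F   # exact time/token arithmetic, no float drift

RATE = 5                  # --hashlimit 5/s (tokens refilled per second)
BURST = 5                 # assumed: hashlimit's default --hashlimit-burst
BAN_SECONDS = 12 * 3600   # the "drop them for 12 hours" recent-list idea

class HashLimit:
    """Token bucket per hash key, keyed on the --hashlimit-mode fields (model)."""
    def __init__(self, mode, rate=RATE, burst=BURST):
        self.mode, self.rate, self.burst = mode, rate, burst
        self.buckets = {}   # key -> (tokens, time of last packet)

    def match(self, pkt):
        """True when the packet is within the limit (the ACCEPT rule matches)."""
        key = tuple(pkt[f] for f in self.mode)
        tokens, last = self.buckets.get(key, (F(self.burst), pkt["t"]))
        tokens = min(F(self.burst), tokens + (pkt["t"] - last) * self.rate)
        ok = tokens >= 1
        self.buckets[key] = (tokens - 1 if ok else tokens, pkt["t"])
        return ok

def run_chain(packets, mode, ban_seconds=0):
    """Emulate the ANTIDOS chain (hashlimit -> ACCEPT, otherwise DROP) and, when
    ban_seconds > 0, a recent-style ban of every source that exceeds the limit.
    Returns the number of accepted SYNs per source IP."""
    limiter = HashLimit(mode)
    banned = {}                 # srcip -> ban expiry time
    accepted = defaultdict(int)
    for p in sorted(packets, key=lambda p: p["t"]):
        accepted.setdefault(p["srcip"], 0)
        expiry = banned.get(p["srcip"])
        if expiry is not None and p["t"] < expiry:
            continue            # dropped by the ban list before hashlimit runs
        if limiter.match(p):
            accepted[p["srcip"]] += 1
        elif ban_seconds:
            banned[p["srcip"]] = p["t"] + ban_seconds   # like 'recent --set'
    return dict(accepted)

# Constructed sample traffic: one source floods port 25 with 50 SYNs in one
# second while a normal client sends two SYNs during that same second.
FLOOD = [{"t": F(i, 50), "srcip": "203.0.113.9", "dstport": 25} for i in range(50)]
NORMAL = [{"t": F(31, 100), "srcip": "198.51.100.7", "dstport": 25},
          {"t": F(81, 100), "srcip": "198.51.100.7", "dstport": 25}]

if __name__ == "__main__":
    print("port-wide limit:  ", run_chain(FLOOD + NORMAL, ("dstport",)))
    print("per-source limit: ", run_chain(FLOOD + NORMAL, ("srcip", "dstport")))
    print("per-source + ban: ", run_chain(FLOOD + NORMAL, ("srcip", "dstport"), BAN_SECONDS))
```

With the port-wide key the flood drains the single bucket and the normal client gets nothing through; keyed on `srcip,dstport` the normal client keeps its own bucket, and the ban stops the flooder after its first five SYNs.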


