Using -m limit to stop outbound portscanning viruses
ramoni at databras.com.br
Sat Feb 5 23:50:45 CET 2005
Here, I'm using -m recent to avoid DoS attacks.
From the same source IP, I only permit 3 new connections each 5 seconds to my
mail ports. (control ir for each, not both)
On Saturday 05 February 2005 20:37, Mike Ireton wrote:
> Howdy list,
> I'm concerned about portscanning viruses which have infected customer
> machines and are using all of that subscribers outbound to scan for
> (say) open port 445's all over the net. This isn't good for the wireless
> and tends to use up substantial resources in disproportion to the amount
> of data actually being moved. I have control over all my subscriber's
> CPE gear (running a custom embedded linux distro) and I am considering
> including an outbound firewalling feature to slow the rate at which new
> connections can be established. Basiclly, I want to ratelimit outbound
> syn's to some sane number (5/sec to start). I already have qos and
> bandwidth control in place at the cpe side, but this job is more
> 'packets per second' oriented than 'bytes per second'.
> I've looked at various cookbook examples of using '-m limit 5/s' and did
> rules like '-p tcp --tcp-flags SYN -m limit --limit 5/s -j DROP', but I
> effectively cut myself off and couldn't make any connections at all.
> Does anyone have a code snippet that could share which would do this job
> for me?
More information about the netfilter