ddos / no connection tracking / tarpitting

Vic N vic778 at hotmail.com
Fri Apr 22 06:19:43 CEST 2005

A while ago I saw an iptables solution that was able to serve as an 
effective anti-ddos solution.   I didn't get to see under the hood, but the 
creator told me that the solution was essentially an iptables implementation 
with no connection tracking built in.  Allegedly, the fact that no 
connection tracking was used enabled the iptables to deal with a much 
higher volume of traffic w/o crashing.  He had also mentioned using packet 
counting (to count packets as they passed through since there was no way to 
keep track of them otherwise) and using tarpitting.

While I can't attest to what the person told me, I do know the firewall was 
soaking up ddos traffic that was otherwise bringing servers to their knees 
with the use of regular connection-based firewalling.

So my question is, is this the basic element of building a good anti-ddos 
solution with iptables to address a *large* volume of ddos traffic to build 
iptables w/o connection tracking?
