ddos / no connection tracking / tarpitting
vic778 at hotmail.com
Fri Apr 22 06:19:43 CEST 2005
A while ago I saw an iptables solution that was able to serve as an
effective anti-ddos solution. I didn't get to see under the hood, but the
creator told me that the solution was essentially an iptables implementation
with no connection tracking built in. Allegedly, the fact that no
connection tracking was used enabled the iptables to deal with a much
higher volume of traffic w/o crashing. He had also mentioned using packet
counting (to count packets as they passed through since there was no way to
keep track of them otherwise) and using tarpitting.
While I can't attest to what the person told me, I do know the firewall was
soaking up ddos traffic that was otherwise bringing servers to their knees
with the use of regular connection-based firewalling.
So my question is: is building iptables w/o connection tracking the basic
element of a good anti-ddos solution with iptables for addressing a *large*
volume of ddos traffic?
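One way to build the stateless front door the poster describes, as an added example that is not from the original post or the netfilter project: web traffic is exempted from conntrack in the raw table, per-source SYN rates are counted with hashlimit (its own small table, not per-flow entries), and sources over budget go to TARPIT. It assumes a web server on port 80 (the PORT variable), an iptables with the raw table and hashlimit, and the TARPIT target from xtables-addons; the rules are printed for review and only applied when piped to a shell as root.

```shell
#!/bin/sh
# Stateless anti-flood rules for a web port: no conntrack, per-source SYN
# counting, tarpit for the excess. All names and values below are assumptions
# for this example (PORT, the 20/sec budget, the hashlimit table name).
PORT="${PORT:-80}"

# Print the rule set. Apply it with:  emit_rules | sudo sh -e
emit_rules() {
    cat <<EOF
# 1. Never create conntrack entries for web traffic, in either direction.
#    TARPIT also requires that the tarpitted flows are not tracked.
iptables -t raw -A PREROUTING -p tcp --dport $PORT -j NOTRACK
iptables -t raw -A OUTPUT -p tcp --sport $PORT -j NOTRACK
# 2. With no state, return and mid-stream packets must be allowed explicitly.
#    '! --syn' matches everything except a bare SYN; the TCP stack answers
#    packets that belong to no socket with a RST, so this is safe to accept.
iptables -A INPUT -p tcp --dport $PORT ! --syn -j ACCEPT
# 3. Per-source SYN budget. hashlimit keeps one counter per source address
#    (bounded by --hashlimit-htable-max), which is far cheaper than conntrack.
#    Above 20 SYN/s sustained (burst 40) the source is tarpitted instead of
#    dropped, so the attacker's sockets hang in a zero-window state.
iptables -A INPUT -p tcp --dport $PORT --syn -m hashlimit --hashlimit-mode srcip --hashlimit-above 20/sec --hashlimit-burst 40 --hashlimit-name http_syn --hashlimit-htable-max 65536 -j TARPIT
iptables -A INPUT -p tcp --dport $PORT --syn -j ACCEPT
EOF
}

# The packet counting the poster mentions: with no conntrack table to consult,
# the per-rule byte/packet counters are the only view of what is passing.
show_counters() {
    iptables -L INPUT -v -n -x --line-numbers
    iptables -t raw -L PREROUTING -v -n -x
}
```

Rules 2 and 3 cover inbound only; replies leave through OUTPUT, which this example assumes is policy ACCEPT, and watch `show_counters` to see how many SYNs land on the TARPIT rule during an attack.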