ddos / no connection tracking / tarpitting
opie at 817west.com
Fri Apr 22 06:32:22 CEST 2005
On Thu, Apr 21, 2005 at 09:19:43PM -0700, Vic N wrote:
> A while ago I saw an iptables solution that was able to serve as an
> effective anti-ddos solution. I didn't get to see under the hood, but the
> creator told me that the solution was essentially an iptables
> implementation with no connection tracking built in. Allegedly, the fact
> that no connection tracking was used enabled the iptables to deal with
> a much higher volume of traffic w/o crashing. He had also mentioned using
> packet counting (to count packets as they passed through since there was no
> way to keep track of them otherwise) and using tarpitting.
> While I can't attest to what the person told me, I do know the firewall was
> soaking up ddos traffic that was otherwise bringing servers to their knees
> with the use of regular connection-based firewalling.
> So my question is, is this the basic element of building a good anti-ddos
> solution with iptables to address a *large* volume of ddos traffic to build
> iptables w/o connection tracking?
that...or installing openbsd.
"Psychiatrist: Does Stewie have a history of violence?
Lois: Oh no, this is Stewie's first violent act.
Stewie: Actually, my first violent act involved that ticking time bomb
that I left in your uterus when I left. Happy 50th Birthday, Lois."
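An iptables-restore ruleset in the style the question describes, added here as an illustration and not taken from the thread: the exposed web ports are exempted from connection tracking in the raw table, SYNs are counted per source with hashlimit instead of per-flow state, and sources over the threshold are handed to TARPIT. Ports 80/443 and the 50/sec rate are assumed values; TARPIT comes from xtables-addons and, as its documentation notes, should only be used on untracked traffic.

```conf
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Exempt the flooded service ports from conntrack so a SYN flood cannot
# fill the conntrack table (newer iptables spells this "-j CT --notrack").
-A PREROUTING -p tcp -m multiport --dports 80,443 -j NOTRACK
-A OUTPUT -p tcp -m multiport --sports 80,443 -j NOTRACK
COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:WEBFLOOD - [0:0]
-A INPUT -i lo -j ACCEPT
# New connections to the web ports are counted in WEBFLOOD.
-A INPUT -p tcp --syn -m multiport --dports 80,443 -j WEBFLOOD
# Untracked flows never reach ESTABLISHED, so non-SYN segments for the
# web ports must be accepted explicitly.
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
# Everything else keeps ordinary stateful handling.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Per-source SYN counter (assumed threshold: 50/sec, burst 100); hashlimit
# keeps this counter without creating a conntrack entry per connection.
-A WEBFLOOD -m hashlimit --hashlimit-name websyn --hashlimit-mode srcip --hashlimit-upto 50/sec --hashlimit-burst 100 -j ACCEPT
# Sources above the rate are tarpitted: the handshake completes with a
# zero window, tying up the sender's socket at almost no local cost.
-A WEBFLOOD -j TARPIT
COMMIT
```

Load with `iptables-restore < rules.txt` and watch the WEBFLOOD counters with `iptables -L WEBFLOOD -v -n` to see how many sources are being tarpitted.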