ddos / no connection tracking / tarpitting

Jason Opperisano opie at 817west.com
Fri Apr 22 06:32:22 CEST 2005


On Thu, Apr 21, 2005 at 09:19:43PM -0700, Vic N wrote:
> A while ago I saw an iptables solution that was able to serve as an 
> effective anti-ddos solution.   I didn't get to see under the hood, but the 
> creator told me that the solution was essentially an iptables 
> implementation with no connection tracking built in.  Allegedly, the fact 
> that no connection tracking was used enabled the iptables to deal with 
> a much higher volume of traffic w/o crashing.  He had also mentioned using 
> packet counting (to count packets as they passed through since there was no 
> way to keep track of them otherwise) and using tarpitting.
> 
> While I can't attest to what the person told me, I do know the firewall was 
> soaking up ddos traffic that was otherwise bringing servers to their knees 
> with the use of regular connection-based firewalling.
> 
> So my question is, is this the basic element of building a good anti-ddos 
> solution with iptables to address a *large* volume of ddos traffic to build 
> iptables w/o connection tracking?

that...or installing openbsd.

-j

--
"Psychiatrist: Does Stewie have a history of violence?
 Lois: Oh no, this is Stewie's first violent act.
 Stewie: Actually, my first violent act involved that ticking time bomb
 that I left in your uterus when I left. Happy 50th Birthday, Lois."
        --Family Guy
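The three ingredients Vic describes (no connection tracking for the flooded service, plain packet counting, and tarpitting) map onto stock iptables features. The ruleset below is an added example written for this archive page; it is not the setup Vic saw and not code from either poster. It assumes the flooded service is TCP port 80 (override with PORT=...), that hashlimit is available for per-source rate limiting in place of conntrack state, and that the TARPIT target from xtables-addons is installed (swap in DROP if it is not). By default it only prints the iptables commands; set IPT=iptables and run as root to apply them.

```shell
#!/bin/sh
# Added example (not from the list post): an iptables ruleset that bypasses
# connection tracking for the attacked port, rate-limits by source address
# with hashlimit rather than conntrack state, counts packets with a bare
# rule, and tarpits sources above the limit.
#
# Dry-run by default: prints each iptables command instead of running it.
# Apply for real with:   IPT=iptables PORT=80 sh thisfile.sh
IPT="${IPT:-echo iptables}"   # "echo iptables" = dry run, "iptables" = apply
PORT="${PORT:-80}"            # assumed: the flooded service listens on TCP/80

build_rules() {
  # The raw table is evaluated before conntrack, so these packets never
  # create or look up a conntrack entry. (-j NOTRACK is the classic spelling;
  # newer iptables also accepts -j CT --notrack.)
  $IPT -t raw -A PREROUTING -p tcp --dport "$PORT" -j NOTRACK
  $IPT -t raw -A OUTPUT     -p tcp --sport "$PORT" -j NOTRACK

  # Counting rule: no target, so it matches everything to the port and only
  # bumps the pkts/bytes counters. Read with: iptables -L INPUT -v -n -x
  $IPT -A INPUT -p tcp --dport "$PORT"

  # Per-source rate limit. hashlimit keeps its own small hash table keyed by
  # source IP; it does not need conntrack. Sources at or under 25 pkt/s
  # (burst 50) are accepted.
  $IPT -A INPUT -p tcp --dport "$PORT" -m hashlimit \
    --hashlimit-name web_flood --hashlimit-mode srcip \
    --hashlimit-upto 25/sec --hashlimit-burst 50 -j ACCEPT

  # Anything above the limit is tarpitted: the SYN is answered but the
  # window is held at zero, so the sender's socket hangs without us
  # holding any state. TARPIT is from xtables-addons; use -j DROP if absent.
  $IPT -A INPUT -p tcp --dport "$PORT" -j TARPIT

  # Untracked packets never match -m state --state ESTABLISHED, so if the
  # OUTPUT policy is DROP the server's replies must be allowed by port.
  $IPT -A OUTPUT -p tcp --sport "$PORT" -j ACCEPT
}

build_rules
```

The trade-off to keep in mind: once the port is untracked, every stateful match (`--state ESTABLISHED`, `connlimit`, NAT) stops working for it, so the allow rules have to be written by port in both directions, as the last rule shows. hashlimit's table is bounded by `--hashlimit-htable-max` if you want a hard cap on memory during a flood.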