ddos / no connection tracking / tarpitting

Taylor Grant gtaylor at riverviewtech.net
Fri Apr 22 07:22:46 CEST 2005

> A while ago I saw an iptables solution that was able to serve as an 
> effective anti-ddos solution.   I didn't get to see under the hood, but 
> the creator told me that the solution was essentially an iptables 
> implementation with no connection tracking built in.  Allegedly, the 
> fact that no connection tracking was used enabled the the iptables to 
> deal with a much higher volume of traffic w/o crashing.  He had also 
> mentioned using packet counting (to count packets as they passed through 
> since there was no way to keep track of them otherwise) and using 
> tarpitting.
> While I can't attest to what the person told me, I do know the firewall 
> was soaking up ddos traffic that was otherwise bringing servers to their 
> knees with the use of regular connection-based firewalling.
> So my question is, is this the basic element of building a good 
> anti-ddos solution wtih iptables to address a *large* volume of ddos 
> traffic to build iptables w/o connection tracking?
> Thanks,

Yes this is possible and (I think) fairly easy to do.  As I have never done this I can not tell you for sure, but this is what I would do if I were to do such a thing.

I will presume that you are wanting to drop all traffic to a specif port on an IP address for the sake of this discussion.

iptables -t raw -A PREROUTING -d -p tcp --dport 5678 -j NOTRACK
iptables -t filter -A FORWARD -d -p tcp --dport 5678 -j TARPIT

This will cause any traffic that comes in that is distend to on port 5678 to  NOT be tracked with the connecting tracking sub system and to subsequently be redirected to the TARPIT target.

Grant. . . .

More information about the netfilter mailing list