ddos / no connection tracking / tarpitting

R. DuFresne dufresne at sysinfo.com
Fri Apr 22 23:13:13 CEST 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


the only way to really survive a ddos without affecting connectivity in 
any shapoe or form is to have a bigger pipe then the other end<s> does. 
idiots trying to ddos from a cable connection or dialup are not a problem 
and sufferable.  Those a tad higher in technical advancement with a bot 
net and tousands of zomies to attack from are likely to bring even the 
biggest pipes to a dead halt, at least getting in and our of the firewall 
gateway is impossible.  Traffic on the inside should be unaffected.

I've suffered attacks with a firewall not doing connection tracking and 
had no problems with either the firewall failing or suffereing a reboot. 
I have yet to suffer such an attack on a staeful firewall, but tend to 
think I should suffer no less with such a firewall in place as apposed to 
an the older mere packet filters I've been replacing over time.  Course, 
it helps to have enough RAM in the firewall in the firstplace...

pipes size and RAM, them be the keys to surviival.

Thanks,

Ron DuFresne

On Fri, 22 Apr 2005, Taylor Grant wrote:

>> A while ago I saw an iptables solution that was able to serve as an 
>> effective anti-ddos solution.   I didn't get to see under the hood, but 
>> the creator told me that the solution was essentially an iptables 
>> implementation with no connection tracking built in.  Allegedly, the fact 
>> that no connection tracking was used enabled the the iptables to deal with 
>> a much higher volume of traffic w/o crashing.  He had also mentioned using 
>> packet counting (to count packets as they passed through since there was 
>> no way to keep track of them otherwise) and using tarpitting.
>> 
>> While I can't attest to what the person told me, I do know the firewall 
>> was soaking up ddos traffic that was otherwise bringing servers to their 
>> knees with the use of regular connection-based firewalling.
>> 
>> So my question is, is this the basic element of building a good anti-ddos 
>> solution wtih iptables to address a *large* volume of ddos traffic to 
>> build iptables w/o connection tracking?
>> 
>> Thanks,
>
> Yes this is possible and (I think) fairly easy to do.  As I have never done 
> this I can not tell you for sure, but this is what I would do if I were to do 
> such a thing.
>
> I will presume that you are wanting to drop all traffic to a specif port on 
> an IP address for the sake of this discussion.
>
> iptables -t raw -A PREROUTING -d 1.2.3.4 -p tcp --dport 5678 -j NOTRACK
> iptables -t filter -A FORWARD -d 1.2.3.4 -p tcp --dport 5678 -j TARPIT
>
> This will cause any traffic that comes in that is distend to 1.2.3.4 on port 
> 5678 to  NOT be tracked with the connecting tracking sub system and to 
> subsequently be redirected to the TARPIT target.
>
>
>
> Grant. . . .
>

- -- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         admin & senior security consultant:  sysinfo.com
                         http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                 -Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCaWjtst+vzJSwZikRAu6hAJ496gLuwc31uc2uiCNXzbk3AMA1SQCdEXNI
VfK1Yh+17fGQV6Qb6gRF8Zc=
=sgu8
-----END PGP SIGNATURE-----



More information about the netfilter mailing list