ddos / no connection tracking / tarpitting

Seferovic Edvin edvin.seferovic at kolp.at
Sat Apr 23 00:12:46 CEST 2005


Hi,

my partner company has implemented a really good DdoS protection that is
able to process more than 3mil packets/sec. Beside of that fact, the
appliance has web interface where you can track the load on your connection
as well as block some ips or ip ranges that are attacking your server. If
you are interested, I could send you a information folder.

Regards,

Edvin Seferovic

-----Original Message-----
From: netfilter-bounces at lists.netfilter.org
[mailto:netfilter-bounces at lists.netfilter.org] On Behalf Of R. DuFresne
Sent: Freitag, 22. April 2005 23:13
To: Taylor Grant
Cc: Vic N; netfilter at lists.netfilter.org
Subject: Re: ddos / no connection tracking / tarpitting

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


the only way to really survive a ddos without affecting connectivity in 
any shapoe or form is to have a bigger pipe then the other end<s> does. 
idiots trying to ddos from a cable connection or dialup are not a problem 
and sufferable.  Those a tad higher in technical advancement with a bot 
net and tousands of zomies to attack from are likely to bring even the 
biggest pipes to a dead halt, at least getting in and our of the firewall 
gateway is impossible.  Traffic on the inside should be unaffected.

I've suffered attacks with a firewall not doing connection tracking and 
had no problems with either the firewall failing or suffereing a reboot. 
I have yet to suffer such an attack on a staeful firewall, but tend to 
think I should suffer no less with such a firewall in place as apposed to 
an the older mere packet filters I've been replacing over time.  Course, 
it helps to have enough RAM in the firewall in the firstplace...

pipes size and RAM, them be the keys to surviival.

Thanks,

Ron DuFresne

On Fri, 22 Apr 2005, Taylor Grant wrote:

>> A while ago I saw an iptables solution that was able to serve as an 
>> effective anti-ddos solution.   I didn't get to see under the hood, but 
>> the creator told me that the solution was essentially an iptables 
>> implementation with no connection tracking built in.  Allegedly, the fact

>> that no connection tracking was used enabled the the iptables to deal
with 
>> a much higher volume of traffic w/o crashing.  He had also mentioned
using 
>> packet counting (to count packets as they passed through since there was 
>> no way to keep track of them otherwise) and using tarpitting.
>> 
>> While I can't attest to what the person told me, I do know the firewall 
>> was soaking up ddos traffic that was otherwise bringing servers to their 
>> knees with the use of regular connection-based firewalling.
>> 
>> So my question is, is this the basic element of building a good anti-ddos

>> solution wtih iptables to address a *large* volume of ddos traffic to 
>> build iptables w/o connection tracking?
>> 
>> Thanks,
>
> Yes this is possible and (I think) fairly easy to do.  As I have never
done 
> this I can not tell you for sure, but this is what I would do if I were to
do 
> such a thing.
>
> I will presume that you are wanting to drop all traffic to a specif port
on 
> an IP address for the sake of this discussion.
>
> iptables -t raw -A PREROUTING -d 1.2.3.4 -p tcp --dport 5678 -j NOTRACK
> iptables -t filter -A FORWARD -d 1.2.3.4 -p tcp --dport 5678 -j TARPIT
>
> This will cause any traffic that comes in that is distend to 1.2.3.4 on
port 
> 5678 to  NOT be tracked with the connecting tracking sub system and to 
> subsequently be redirected to the TARPIT target.
>
>
>
> Grant. . . .
>

- -- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         admin & senior security consultant:  sysinfo.com
                         http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                 -Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCaWjtst+vzJSwZikRAu6hAJ496gLuwc31uc2uiCNXzbk3AMA1SQCdEXNI
VfK1Yh+17fGQV6Qb6gRF8Zc=
=sgu8
-----END PGP SIGNATURE-----





More information about the netfilter mailing list