IPTables Anti DDoS Rules

What are the best anti DDoS rules for IPTables in your opinion? Has anyone tried the rules mentioned here and if so, how effective were they?

I'm interested in your experiences with mitigating DDoS using IPTables and which rules you used to mitigate attacks of what size.

 

Drop policy, don't do ping replies. Anyway a "good" DDoS will need assistance from your provider.

 

Well, say you got a 10Gbit/s server. You could then in theory mitigate most DDoS attacks directly on your server, if the iptables rules work well enough. So I wonder if the rules from the article mentioned in the OP would be good for that.

 

An _actual_ 10GB/s bandwidth on the server means the host has at least 10 times that (or only hosts that one single server) - unless you're paying for your own Container-setup, the likelyhood of you having 10GB/s for your server alone is slim to none. Most of the time, even on relatively expensive VPS-services, you'll share a 1GB/s external bandwidth with at least a full stack of servers, with 10, or maybe 100GB/s internal stack.

 

re iptables for ddos:
- you will need a good set of IPTables rules
- you will need a linux distro with iptables and Tarpit support
- you will need a automated way to post-process incoming traffic
- you will need to define legitamate traffic vs ddos attacks

we use IPtables with tarpits to defend servers against incoming
tcp-based ddos attacks. "Tarpit" is the key where the attacking botnet
will be held up indefinitely for each outgoing tcp packet they send out
which should crash their kernel stack. You can easily tarpit
gigabit, 10gigE, 100gigE of tcp-based DDoS attacks with 100gigE PCI cards.

to defend against UDP-based ddos attacks or ICMP-based ddos attacks,
you'd need to get the assistance of your ISP to block or limit it
at the ISP ... you cannot stop, cannot block, cannot mitigate, cannot
prevent, cannot /dev/null ( RTBH ) the incoming UDP-based or ICMP-based
ddos attacks at your servers.

If your servers see the DDoS packets, the ddos has already occurred
which used your internet banwidth connectivity, used your cpu/memory/disk
and your limited and precious time.

for iptables rules, everybody has their preferred rules. Some important
points are: a) iptables are first matching rule wins; b) you should know
what protocols and what ports are required for the server you are trying
to protect against the incoming ddos attacks

there are 65,535 ports to protect against DDoS attacks, NOT just ssh/apache/smtp/etc

Lots of example iptables rules; http://iptables-bl.net/Howto/
Note that most example rules ( howto's ) are severely incomplete examples.

Additionally, you will need a way to collect your traffic usage
and dynamically tarpit the ddos attackers; http://bandwidth-hogs.net.
Nobody can visually and manually look at the 100,000packets/sec or 100,000,000
packet/second and figure out if it's a DDoS packet or not.
( 100,000 packet/sec * 1500byte/packet == 150 MB/sec == 1.2Gbit/sec )

Easiest way is to use
tcpdump and post process accordingly. How you build/maintain/defend
your servers will determine which port connections are legitimate
connectivity vs DDoS attacks.
WebServers should only allow ssh from YOUR fixed IP# and port 80 connections.
MailServers should only allow ssh from YOUR fixed IP# and port 25 connections.

magic pixie dust ... fun w/ iptables + tarpits ..
http://DDoS-Mitigator.net

 

You can deploy some basic rules of 'common sense' like forbid ping requests, allow SSH only for some IP, so on. You can look here for some examples: https://serversuit.com/community/technical-tips/view/easy-setup-of-iptables-on-your-new-linux-server.html
fail2ban also can be useful actually, it can be configured to ban many other applications other than SSH.

But if you're talking about any real DDoS there is not much you can do.
If DDoS can just utilize your uplink to 100% any iptables rules can't do anything with it
If there are a mass HTTP requests to your site, it's the same deal: you can't differ a legacy connection from DDOS one.
You can try to use geoIP ban tool, but it's not a universal solution.

Maybe you can purchase a CloudFlare account, if you plan to face DDoS on your server?