What are the best anti DDoS rules for IPTables in your opinion? Has anyone tried the rules mentioned here and if so, how effective were they? I'm interested in your experiences with mitigating DDoS using IPTables and which rules you used to mitigate attacks of what size.
Well, say you got a 10Gbit/s server. You could then in theory mitigate most DDoS attacks directly on your server, if the iptables rules work well enough. So I wonder if the rules from the article mentioned in the OP would be good for that.
An _actual_ 10GB/s bandwidth on the server means the host has at least 10 times that (or only hosts that one single server). Unless you're paying for your own Container-setup, the likelihood of you having 10GB/s for your server alone is slim to none. Most of the time, even on relatively expensive VPS services, you'll share a 1GB/s external bandwidth with at least a full stack of servers, with a 10, or maybe 100GB/s internal stack.
Re iptables for DDoS:
- you will need a good set of iptables rules
- you will need a Linux distro with iptables and Tarpit support
- you will need an automated way to post-process incoming traffic
- you will need to define legitimate traffic vs DDoS attacks

We use iptables with tarpits to defend servers against incoming TCP-based DDoS attacks. "Tarpit" is the key, where the attacking botnet will be held up indefinitely for each outgoing TCP packet they send out, which should crash their kernel stack. You can easily tarpit gigabit, 10GigE, 100GigE of TCP-based DDoS attacks with 100GigE PCI cards.

To defend against UDP-based DDoS attacks or ICMP-based DDoS attacks, you'd need to get the assistance of your ISP to block or limit it at the ISP ... you cannot stop, cannot block, cannot mitigate, cannot prevent, cannot /dev/null (RTBH) the incoming UDP-based or ICMP-based DDoS attacks at your servers. If your servers see the DDoS packets, the DDoS has already occurred, which used your internet bandwidth connectivity, used your CPU/memory/disk and your limited and precious time.

For iptables rules, everybody has their preferred rules. Some important points are:
a) with iptables, the first matching rule wins;
b) you should know what protocols and what ports are required for the server you are trying to protect against the incoming DDoS attacks; there are 65,535 ports to protect against DDoS attacks, NOT just ssh/apache/smtp/etc.

Lots of example iptables rules: http://iptables-bl.net/Howto/ Note that most example rules (howtos) are severely incomplete examples. Additionally, you will need a way to collect your traffic usage and dynamically tarpit the DDoS attackers: http://bandwidth-hogs.net. Nobody can visually and manually look at 100,000 packets/sec or 100,000,000 packets/second and figure out if it's a DDoS packet or not (100,000 packets/sec * 1500 bytes/packet == 150 MB/sec == 1.2 Gbit/sec). The easiest way is to use tcpdump and post-process accordingly.
How you build/maintain/defend your servers will determine which port connections are legitimate connectivity vs DDoS attacks. Web servers should only allow ssh from YOUR fixed IP# and port 80 connections. Mail servers should only allow ssh from YOUR fixed IP# and port 25 connections. Magic pixie dust ... fun w/ iptables + tarpits .. http://DDoS-Mitigator.net
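One way to do the tcpdump post-processing the post above calls for, as an added example that is not the poster's tool or any project's code: it counts bare SYNs per source and destination port from `tcpdump -n` output, skips an allowlisted admin IP, and emits iptables commands that send the heavy hitters to a tarpit chain. The sample capture lines, the threshold, the admin IP (192.0.2.9) and the chain name DDOS_TARPIT are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of "tcpdump -n" output (not a real capture): one source floods
# port 80 with bare SYNs, another sends a couple, and the admin host opens one SSH
# session, which also produces the server's SYN-ACK reply that must not be counted.
SAMPLE_TCPDUMP = """\
12:00:01.000101 IP 198.51.100.7.40001 > 203.0.113.5.80: Flags [S], seq 1, win 1024, length 0
12:00:01.000202 IP 198.51.100.7.40002 > 203.0.113.5.80: Flags [S], seq 2, win 1024, length 0
12:00:01.000303 IP 198.51.100.7.40003 > 203.0.113.5.80: Flags [S], seq 3, win 1024, length 0
12:00:01.000404 IP 198.51.100.7.40004 > 203.0.113.5.80: Flags [S], seq 4, win 1024, length 0
12:00:01.000505 IP 198.51.100.8.50001 > 203.0.113.5.80: Flags [S], seq 5, win 64240, length 0
12:00:01.000606 IP 198.51.100.8.50002 > 203.0.113.5.80: Flags [S], seq 6, win 64240, length 0
12:00:01.000707 IP 192.0.2.9.51000 > 203.0.113.5.22: Flags [S], seq 7, win 64240, length 0
12:00:01.000808 IP 203.0.113.5.22 > 192.0.2.9.51000: Flags [S.], seq 8, ack 8, win 65160, length 0
"""

TCP_LINE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > \d+\.\d+\.\d+\.\d+\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]")

def count_syns(lines):
    """Count bare SYNs (new connection attempts) per (source IP, destination port).
    In tcpdump notation '.' is ACK, so [S.] is a SYN-ACK and is skipped."""
    counts = Counter()
    for line in lines:
        m = TCP_LINE.match(line)
        if m and "S" in m["flags"] and "." not in m["flags"]:
            counts[(m["src"], int(m["dport"]))] += 1
    return counts

def find_offenders(counts, threshold, allowlist=frozenset()):
    """Sources with more than `threshold` SYNs to one port, minus allowlisted admin IPs."""
    return sorted((src, port, n) for (src, port), n in counts.items()
                  if n > threshold and src not in allowlist)

def tarpit_rules(offenders, chain="DDOS_TARPIT"):
    """Emit iptables commands that send each offender's TCP traffic to a tarpit chain.
    The jump is inserted at position 1 because the first matching rule wins; TARPIT
    is provided by xtables-addons, so substitute -j DROP if that module is absent."""
    rules = [f"iptables -N {chain}",
             f"iptables -I INPUT 1 -p tcp -j {chain}"]
    rules += [f"iptables -A {chain} -s {src} -p tcp --dport {port} -j TARPIT"
              for src, port, _ in offenders]
    return rules

if __name__ == "__main__":
    hits = find_offenders(count_syns(SAMPLE_TCPDUMP.splitlines()), 3, {"192.0.2.9"})
    print("\n".join(tarpit_rules(hits)))
```

On a live box you would feed it `tcpdump -n -l 'tcp[tcpflags] & tcp-syn != 0'` over a fixed window and pick the threshold from your normal SYN rate per source.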
You can deploy some basic 'common sense' rules like forbidding ping requests, allowing SSH only for some IPs, and so on. You can look here for some examples: https://serversuit.com/community/technical-tips/view/easy-setup-of-iptables-on-your-new-linux-server.html

fail2ban can also be useful, actually; it can be configured to ban for many other applications besides SSH. But if you're talking about any real DDoS, there is not much you can do. If the DDoS can just utilize your uplink to 100%, no iptables rules can do anything about it. If there is a mass of HTTP requests to your site, it's the same deal: you can't distinguish a legitimate connection from a DDoS one. You can try to use a geoIP ban tool, but it's not a universal solution. Maybe you can purchase a CloudFlare account, if you plan to face DDoS on your server?