IPTables Anti DDoS Rules

Discussion in 'Security' started by infinitnet, Apr 19, 2016.


Did you ever successfully use iptables to mitigate DDoS?

  1. Yes!
  2. Only worked partially
  3. No luck
  4. I never tried

  1. #1
    What are the best anti DDoS rules for IPTables in your opinion? Has anyone tried the rules mentioned here and if so, how effective were they?

    I'm interested in your experiences with mitigating DDoS using IPTables and which rules you used to mitigate attacks of what size.
    infinitnet, Apr 19, 2016 IP
  2. Puntocom81

    Puntocom81 Banned

    Drop policy, don't do ping replies. Anyway a "good" DDoS will need assistance from your provider.
    Puntocom81, Apr 19, 2016 IP
  3. infinitnet

    infinitnet Member

    Well, say you got a 10Gbit/s server. You could then in theory mitigate most DDoS attacks directly on your server, if the iptables rules work well enough. So I wonder if the rules from the article mentioned in the OP would be good for that.
    infinitnet, Apr 20, 2016 IP
  4. PoPSiCLe

    PoPSiCLe Illustrious Member

    An _actual_ 10GB/s bandwidth on the server means the host has at least 10 times that (or only hosts that one single server) - unless you're paying for your own Container-setup, the likelihood of you having 10GB/s for your server alone is slim to none. Most of the time, even on relatively expensive VPS-services, you'll share a 1GB/s external bandwidth with at least a full stack of servers, with 10, or maybe 100GB/s internal stack.
    PoPSiCLe, Apr 20, 2016 IP
  5. DigitalPoint Forums

    DigitalPoint Forums Peon

    re iptables for ddos:
    - you will need a good set of IPTables rules
    - you will need a linux distro with iptables and Tarpit support
    - you will need an automated way to post-process incoming traffic
    - you will need to define legitimate traffic vs ddos attacks

    we use IPtables with tarpits to defend servers against incoming tcp-based ddos attacks. "Tarpit" is the key where the attacking botnet will be held up indefinitely for each outgoing tcp packet they send out which should crash their kernel stack. You can easily tarpit gigabit, 10gigE, 100gigE of tcp-based DDoS attacks with 100gigE PCI cards.

    to defend against UDP-based ddos attacks or ICMP-based ddos attacks, you'd need to get the assistance of your ISP to block or limit it at the ISP ... you cannot stop, cannot block, cannot mitigate, cannot prevent, cannot /dev/null ( RTBH ) the incoming UDP-based or ICMP-based ddos attacks at your servers.

    If your servers see the DDoS packets, the ddos has already occurred which used your internet bandwidth connectivity, used your cpu/memory/disk and your limited and precious time.

    for iptables rules, everybody has their preferred rules. Some important points are: a) with iptables, the first matching rule wins; b) you should know what protocols and what ports are required for the server you are trying to protect against the incoming ddos attacks

    there are 65,535 ports to protect against DDoS attacks, NOT just ssh/apache/smtp/etc

    Lots of example iptables rules: http://iptables-bl.net/Howto/
    Note that most example rules ( howto's ) are severely incomplete examples.

    Additionally, you will need a way to collect your traffic usage and dynamically tarpit the ddos attackers: http://bandwidth-hogs.net.
    Nobody can visually and manually look at the 100,000 packets/sec or 100,000,000 packets/second and figure out if it's a DDoS packet or not.
    ( 100,000 packets/sec * 1500 bytes/packet == 150 MB/sec == 1.2 Gbit/sec )

    Easiest way is to use tcpdump and post process accordingly. How you build/maintain/defend your servers will determine which port connections are legitimate connectivity vs DDoS attacks.
    WebServers should only allow ssh from YOUR fixed IP# and port 80 connections.
    MailServers should only allow ssh from YOUR fixed IP# and port 25 connections.

    magic pixie dust ... fun w/ iptables + tarpits ..
    DigitalPoint Forums, Apr 23, 2016 IP
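The post above recommends capturing with tcpdump and post-processing rather than eyeballing packets. The script below is an added example (not from the poster or from the linked sites) of that post-processing step: it counts pure SYNs per source address over a constructed, embedded sample of tcpdump output and reports the sources above a threshold, which is the list a defender would then feed to an iptables drop or tarpit rule. The sample uses RFC 5737 documentation addresses, and the field layout assumed is that of `tcpdump -nn`.

```shell
#!/bin/sh
# Constructed sample of `tcpdump -nn 'tcp[tcpflags] & tcp-syn != 0'` output.
# Addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_CAPTURE='12:00:01.000001 IP 203.0.113.7.40001 > 198.51.100.10.80: Flags [S], seq 1, win 512, length 0
12:00:01.000002 IP 203.0.113.7.40002 > 198.51.100.10.80: Flags [S], seq 2, win 512, length 0
12:00:01.000003 IP 203.0.113.7.40003 > 198.51.100.10.80: Flags [S], seq 3, win 512, length 0
12:00:01.000004 IP 192.0.2.55.51000 > 198.51.100.10.80: Flags [S], seq 9, win 64240, length 0
12:00:01.000005 IP 203.0.113.7.40004 > 198.51.100.10.80: Flags [S], seq 4, win 512, length 0
12:00:01.000006 IP 192.0.2.55.51001 > 198.51.100.10.80: Flags [S], seq 10, win 64240, length 0
12:00:01.000007 IP 203.0.113.9.40005 > 198.51.100.10.443: Flags [S], seq 5, win 512, length 0'

# syn_sources: read tcpdump -nn lines on stdin and print "count ip" per source
# address, highest count first. Only pure SYNs ("[S]") are counted; SYN-ACKs
# ("[S.]") do not match. IPv4 only: field 3 is src.ip.port, so the last
# dot-separated component is the port and is stripped.
syn_sources() {
    awk '/Flags \[S\],/ {
            split($3, a, ".")
            ip = a[1] "." a[2] "." a[3] "." a[4]
            n[ip]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# offenders THRESHOLD: print only the source IPs with more than THRESHOLD SYNs.
# The threshold is a tuning knob; pick it from what your own baseline shows.
offenders() {
    syn_sources | awk -v t="$1" '$1 > t { print $2 }'
}

# Example run on the embedded sample: sources with more than 3 SYNs.
printf '%s\n' "$SAMPLE_CAPTURE" | offenders 3
```

On a live box you would replace the sample with `tcpdump -nn -c 100000 'tcp[tcpflags] & tcp-syn != 0' | offenders 500` and review the list before acting on it, since a busy proxy or NAT gateway can legitimately top the count.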
  6. imort

    imort Peon

    You can deploy some basic rules of 'common sense' like forbid ping requests, allow SSH only for some IP, and so on. You can look here for some examples: https://serversuit.com/community/technical-tips/view/easy-setup-of-iptables-on-your-new-linux-server.html
    fail2ban also can be useful actually, it can be configured to ban many other applications other than SSH.

    But if you're talking about any real DDoS there is not much you can do.
    If DDoS can just utilize your uplink to 100% any iptables rules can't do anything with it :)
    If there are mass HTTP requests to your site, it's the same deal: you can't differentiate a legacy connection from a DDOS one.
    You can try to use a geoIP ban tool, but it's not a universal solution.

    Maybe you can purchase a CloudFlare account, if you plan to face DDoS on your server?
    imort, May 12, 2016 IP
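Two posts in this thread describe the same baseline ruleset: DigitalPoint Forums' "first matching rule wins, SSH only from YOUR fixed IP, only the service port open", and imort's "forbid ping, allow SSH only for some IP". The generator below is an added example (not code from either poster or from the linked how-tos) that emits such a ruleset in load order, so it can be reviewed as text before being piped into `sh` as root. The admin address 203.0.113.10 is an RFC 5737 placeholder, the per-source hashlimit values are illustrative, and the tarpit option mentioned in the comment needs the TARPIT target from xtables-addons, which is not assumed to be installed.

```shell
#!/bin/sh
# gen_rules ADMIN_IP PORT [PORT...]
# Emits an iptables ruleset on stdout. Order matters: iptables stops at the
# first matching rule, so accepts for known-good traffic come first and the
# catch-all DROP policy is set last, after the rule that keeps the admin's own
# SSH session alive. Run plain to review; as root, pipe into sh to apply.
gen_rules() {
    admin_ip="$1"; shift
    cat <<EOF
iptables -F INPUT
# loopback and already-established flows first: the cheapest match for most packets
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# malformed TCP flag combinations are dropped before any per-port rule sees them
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# management only from the fixed admin address; there is no global SSH rule
iptables -A INPUT -p tcp -s $admin_ip --dport 22 -j ACCEPT
EOF
    for port in "$@"; do
        cat <<EOF
# per-source cap on new connections to $port (illustrative numbers); excess is dropped,
# a TARPIT target from xtables-addons could be substituted for DROP here
iptables -A INPUT -p tcp --dport $port --syn -m hashlimit --hashlimit-name new$port --hashlimit-mode srcip --hashlimit-above 50/sec --hashlimit-burst 100 -j DROP
iptables -A INPUT -p tcp --dport $port -j ACCEPT
EOF
    done
    cat <<EOF
# everything else, ICMP echo included, now falls through to the policy;
# ICMP errors tied to existing flows were already accepted as RELATED above
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
EOF
}

# Dry run for a web server on 80/443 whose admin connects from 203.0.113.10.
gen_rules 203.0.113.10 80 443
```

As both posters note, none of this helps once the uplink itself is saturated; it only shapes what the kernel has to spend cycles on for the packets that do arrive.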