It seems MT is setting up rate limits like: dst-limit=32,32,src-and-dst-addresses/10s and then adding them to a blacklist which the firewall queries, or routing them to a tarpit like: connection-limit=3,32 action=tarpit to hopefully slow them down. Or limit SYN connections like: tcp-flags=syn limit=400,5

But you could do the same with a combination of iptables, kernel mods, and SYNPROXY that would rate limit, but also block a host, malformed packets, spoofing, establish whether you’re just getting hit with bogus SYN, etc. So in a way, native kernel + iptables has a more full-featured set of tools than MT? You could also extend this as needed, rather than waiting for MT to get around to it.

You could buy a really expensive appliance, but they’d be largely doing the same things, so is there some other secret sauce they have that stops DDoS in interesting ways? It seems like this would cost less than a Lexus. I guess a commercial appliance would have a nice GUI that would be expensive and time-consuming to build, which I don’t care about; I’d mostly monitor through centralized syslog and then just watch that enterprise-wide to see problems, which we’re already doing in other contexts.

> Depending on what you are trying to do, MT can do that, it's just a matter of
> creating the firewall rules. :)
>
> -----Original Message-----
> From: Af [mailto:[email protected]] On Behalf Of Paul Stewart
> Sent: Tuesday, July 18, 2017 8:27 PM
> To: [email protected]
> Subject: Re: [AFMUG] DIY DDoS box with iptables?
>
> I guess it depends on what you are trying to accomplish here... are you
> looking to scrub the traffic clean or just block dirty traffic? How will
> you determine what traffic is dirty and apply rules on the fly?
>
> Sorry - many questions come to mind here and don’t mean to sound negative but
> it seriously comes down to expectations. I’m aware of one company that
> I’ve seen that built their own - they spent three years developing it to
> their needs with 4 developers working on nothing but it... at the end of the
> day they spend more money than just buying an Arbor system and still spend
> considerable dollars trying to maintain it...
>
> On Jul 18, 2017, at 5:21 PM, Dev <[email protected]> wrote:
> >
> > What is the feasibility of building a DDoS protection box out of a bare Linux
> > server running a dual-10G/40G NIC inline with iptables handling junk traffic,
> > and then a third eth for management? Seems like the 10G/40G card could help
> > scrub traffic before it hits your core? Has anyone built one? I’ve heard
> > about CCR’s, but my experience with MT has been...weird, they just do weird
> > stuff from time to time, YMMV, etc. etc., but I’ve had better luck with Cisco
> > and the usual suspects. It seems like a purpose built vanilla Linux box would
> > be easily upgradeable, universally supported with vanilla kernel support,
> > etc. and you could just tweak stuff until you got it dialed, no?
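As an added example (not code from anyone in the thread), here is the iptables + SYNPROXY side of the comparison: the MT rules quoted at the top of the message mapped onto vanilla Linux. The interface, port and the availability of the SYNPROXY, hashlimit and connlimit modules are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: iptables + SYNPROXY ruleset mapping the
# MikroTik rules above onto vanilla Linux. Assumed: service is TCP port $2 on
# interface $1; kernel has xt_SYNPROXY, xt_hashlimit and xt_connlimit.
# Set IPT=echo SYSCTL=echo to dry-run (commands are printed, not applied).
IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"

synproxy_rules() {
    wan="$1"; port="$2"
    # SYNPROXY needs syncookies and timestamps, and strict conntrack (do not
    # pick up mid-stream packets), else spoofed segments pass as ESTABLISHED.
    $SYSCTL -w net.ipv4.tcp_syncookies=1
    $SYSCTL -w net.ipv4.tcp_timestamps=1
    $SYSCTL -w net.netfilter.nf_conntrack_tcp_loose=0

    # 1. No conntrack entry for raw SYNs: a spoofed SYN flood would otherwise
    #    fill the table before any rule below gets to act.
    $IPT -t raw -A PREROUTING -i "$wan" -p tcp --dport "$port" \
        -m tcp --syn -j CT --notrack

    # 2. MT dst-limit=32,32,src-and-dst-addresses/10s: per src/dst pair, drop
    #    SYNs above 32/s (burst 32); the bucket expires after 10 s of silence.
    $IPT -A INPUT -i "$wan" -p tcp --dport "$port" --syn -m hashlimit \
        --hashlimit-name "syn_$port" --hashlimit-mode srcip,dstip \
        --hashlimit-above 32/second --hashlimit-burst 32 \
        --hashlimit-expire 10000 -j DROP

    # 3. Remaining untracked SYNs (and the client's final ACK) go to SYNPROXY,
    #    which answers with a cookie and creates a real conntrack entry only
    #    for a client that completes the handshake; bogus SYNs never reach
    #    the listening socket.
    $IPT -A INPUT -i "$wan" -p tcp --dport "$port" \
        -m conntrack --ctstate INVALID,UNTRACKED \
        -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460

    # 4. Anything still INVALID after SYNPROXY is malformed or spoofed.
    $IPT -A INPUT -i "$wan" -m conntrack --ctstate INVALID -j DROP

    # 5. MT connection-limit=3,32 action=tarpit: cap concurrent connections
    #    per /32. Vanilla iptables has no TARPIT target (xtables-addons), so DROP.
    $IPT -A INPUT -i "$wan" -p tcp --dport "$port" -m connlimit \
        --connlimit-above 3 --connlimit-mask 32 -j DROP
}

# Usage: WAN_IF=eth1 PORT=80 sh synproxy.sh apply
if [ "${1:-}" = "apply" ]; then
    synproxy_rules "${WAN_IF:-eth1}" "${PORT:-80}"
fi
```

Rule order matters: the per-source hashlimit sits before SYNPROXY so a single noisy source is dropped cheaply, while randomly spoofed SYNs (which no per-source limit can catch) are absorbed by the cookie handshake instead of the conntrack table.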
