On Monday 16 June 2003 10.45, Ralf Hildebrandt wrote:
> * Henrik Nordstrom <[EMAIL PROTECTED]>:
>
> > > So I thought iptables --limit could do the trick.
> > > Before I reinvent the wheel, I'd like to ask if someone already
> > > has such a "connection rate limiter per IP" in place (and how
> > > it looks).
> >
> > iptables -m limit should handle such a case nicely, but you will
> > need one rule per client IP address... Something like the
> > following should work I think:
> >
> > -N SYN
> > -A SYN -s ip.of.first.client -m limit --limit ... -j ACCEPT
> > -A SYN -s ip.of.second.client -m limit --limit ... -j ACCEPT
> > ....
> > -A SYN -m limit ... -j LOG --log-prefix "SYNRATE "
> > -A SYN -j DROP
> > -A INPUT -p tcp --syn -j SYN
>
> Yes, but this requires identifying the evil client.
Yes, which usually is not a problem if you are running a proxy, as you then have a limited source network, but is a problem if you are running an accelerator.

If you are running an accelerator then you probably want to build an approximation table of the Internet IP addresses by using a two-level filter structure. First a filter on 'class C' level (third octet of the IP address) detecting networks with abnormally high traffic, and then a more detailed filter on 'host level' (fourth octet of the IP address) approximating which IP addresses within those networks are flooding you. Such a design keeps the table size small (2 * 256) while still giving a good filter ratio with not too many false negatives.

Note: The filter divisions do not need to be octet (256) based. You can apply any masks you like to the IP addresses.

Regarding SYN flood protection: The correct place to implement SYN flood protection is in the kernel by enabling SYN cookies etc. The problem you described is technically a variant of connection flooding, which is a somewhat broader issue. To address connection flooding you need to combine application level filters (i.e. the max_conn acl type) and packet level filters. Packet level filters can trap abusers who try to set up sessions more rapidly than the application can handle, and application level filters trap abusers who try to set up more sessions than the application can handle.

Regards
Henrik

-- 
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org

If you need commercial Squid support or cost effective Squid or
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, [EMAIL PROTECTED]
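The two-level approximation table Henrik describes, written out as an added example that is not code from this thread, from Squid or from MARA Systems. It assumes the class C / host split he gives (third octet, then fourth octet, so a 2 * 256 table), two constructed thresholds of 20 new connections per bucket, an ageing step so the counters track a rate rather than a lifetime total, and a constructed traffic mix: one flooding source interleaved with 50 quiet hosts from a single /24. Following his note that the divisions need not be octet based, the extraction masks are parameters, so the same class handles any shift/mask pair. The collision cases at the end show the approximation's cost: an innocent host that shares both the network octet and the host octet with the flooder is limited too.

```python
"""Two-level approximate flood detector (added example, constructed traffic)."""
from ipaddress import IPv4Address


class TwoLevelFloodFilter:
    """Fixed-size table: one counter per network bucket, one per host bucket.

    net_extract / host_extract are (shift, mask) pairs applied to the 32-bit
    address. Defaults give third-octet and fourth-octet buckets (256 + 256).
    Thresholds are per ageing interval and are assumptions for this example.
    """

    def __init__(self, net_threshold, host_threshold,
                 net_extract=(8, 0xFF), host_extract=(0, 0xFF)):
        self.net_threshold = net_threshold
        self.host_threshold = host_threshold
        self.net_shift, self.net_mask = net_extract
        self.host_shift, self.host_mask = host_extract
        self.net_table = [0] * (self.net_mask + 1)
        self.host_table = [0] * (self.host_mask + 1)

    @property
    def table_size(self):
        return len(self.net_table) + len(self.host_table)

    def _keys(self, ip):
        addr = int(IPv4Address(ip))
        return ((addr >> self.net_shift) & self.net_mask,
                (addr >> self.host_shift) & self.host_mask)

    def observe(self, ip):
        """Record one new connection from ip; return True if it should be limited.

        Host buckets are only touched once the network bucket is already over
        its threshold, so hosts in quiet networks never pollute the host table.
        """
        net_key, host_key = self._keys(ip)
        self.net_table[net_key] += 1
        if self.net_table[net_key] <= self.net_threshold:
            return False
        self.host_table[host_key] += 1
        return self.host_table[host_key] > self.host_threshold

    def decay(self, factor=2):
        """Age every counter; call once per interval from a timer."""
        self.net_table = [c // factor for c in self.net_table]
        self.host_table = [c // factor for c in self.host_table]


def run_sample():
    """Feed constructed traffic through the filter and report what it limited."""
    f = TwoLevelFloodFilter(net_threshold=20, host_threshold=20)
    flooder = "203.0.113.77"                              # constructed abuser
    background = [f"198.51.100.{i}" for i in range(50)]   # 50 quiet hosts, one /24

    flooder_dropped = 0
    background_dropped = 0
    # Interleave six flooder connections per background connection (300 in total).
    for bg in background:
        for _ in range(6):
            if f.observe(flooder):
                flooder_dropped += 1
        if f.observe(bg):
            background_dropped += 1

    # Collision cases: which innocent hosts does the approximation catch?
    verdicts = {
        "quiet net, same host octet": f.observe("192.0.2.77"),   # not limited
        "same net octet, other host": f.observe("10.9.113.5"),   # not limited
        "same net and host octet": f.observe("10.9.113.77"),     # false positive
    }
    return {
        "table_size": f.table_size,
        "flooder_dropped": flooder_dropped,
        "background_dropped": background_dropped,
        "verdicts": verdicts,
    }


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

The flooder is limited only after its network bucket (21 hits) and then its host bucket (another 20 hits) both cross the threshold, so the first 40 of its 300 connections pass and 260 are limited, while none of the 50 background hosts are, even though they share the flooder's network-level situation of being over threshold as a /24. A production version would run `decay()` from a timer and feed `observe()` from whatever counts new sessions (packet capture or the application's accept path); the verdict would then drive a packet level rule, with the application level limit Henrik mentions still in place behind it.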
