DOS Protection


I'm looking for a way to protect Linux/BSD systems from CPU overload due
to a simple UDP flood. I've been looking for a solution but have found
nothing efficient.
Do such protections exist at the system level?


Re: DOS Protection



I don't know what you mean by "system level" but you can use iptables
"limit" and/or "recent", perhaps something like this:

iptables -N DDoS                                   # user-defined chain, shared by INPUT and FORWARD
iptables -A DDoS -m limit --limit 16/s --limit-burst 32 -j RETURN   # within the rate budget: back to the calling chain
iptables -A DDoS -j LOG    # Optional: log what exceeds the limit
iptables -A DDoS -j DROP   # everything over the limit is dropped

iptables -A FORWARD -p udp -j DDoS                 # routed UDP goes through the chain
iptables -A INPUT -p udp -j DDoS                   # UDP to the host itself as well

I've forgotten if this is applicable for UDP, but my line for TCP says
iptables -A FORWARD -p tcp --tcp-flags SYN,RST,ACK SYN -j DDoS
which handles SYN flood.

I also limit new SSH connections with
iptables -A FORWARD -p tcp --dport 22 -m state --state NEW -m recent --update \
  --seconds 15 -j DROP     # source already seen in the last 15 s: drop and refresh its timestamp
iptables -A FORWARD -p tcp --dport 22 -m state --state NEW -m recent --set -j ACCEPT   # first attempt: record the source and accept

Re: DOS Protection

buck wrote:

Thanks for the answer, buck.

I've tested iptables; it is clearly useless against a three-line C program doing a UDP
flood. Result: CPU 100%, no answer from the machine, ping timeout.
Against a SYN flood, same result until you compile the kernel with the

Your SSH rules are useful against SSH brute force; you should add:

I don't think there is any way to protect a front web Linux/BSD router
against these UDP floods without adding some hardware :(

Please somebody tell me I'm wrong... (and how ;)


Re: DOS Protection


It depends on the ratio of your CPU speed to your link bandwidth.
(The efficiency of your software (probably kernel) is the scale factor.)

If you are connected to the bad guys by a 100 megabit link, then
your CPU has to be able to throw away X packets per second, where
X is 100 megabits divided by the minimum packet length.

How big a link do you have to the bad guys and how big a CPU
do you have?  Are you close?

Adding iptables may slow things down.  You have to run through
iptables as well as all the normal code.  I think it would help
if iptables is faster than the rest of the normal processing.
(Remember you have already taken an interrupt and figured out
that you have a packet to process.)

You could put another machine in between the bad guys and the
machine you want to protect.  Yes, that's "add some hardware".
How about a 10 Mbit switch instead of a 100 Mbit link?
That's just making the link to the bad guys slower.

These are my opinions, not necessarily my employer's.  I hate spam.
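Two points in this thread can be made concrete with a short script (an added example, not anything the posters wrote): buck's "-m limit --limit 16/s --limit-burst 32" rule is a token bucket, and Hal Murray's argument that the CPU must discard every packet the link can deliver. The frame-overhead constants (64-byte minimum Ethernet frame, 8-byte preamble, 12-byte inter-frame gap) are standard Ethernet values; modelling the iptables "limit" match as an ideal token bucket is an assumption, since the kernel's integer credit arithmetic rounds slightly differently.

```python
"""Added example: ideal token bucket for the iptables 'limit' match, plus
the worst-case packet rate and per-packet CPU budget of a link."""
from fractions import Fraction


def limit_match(arrivals_s, rate_per_s=16, burst=32):
    """Simulate '-m limit --limit RATE --limit-burst BURST' as a token bucket.

    arrivals_s: sorted packet arrival times in seconds.  Returns
    (matched, unmatched): matched packets hit the RETURN rule, the rest
    fall through to LOG/DROP.  Rational arithmetic avoids float drift.
    """
    tokens = Fraction(burst)          # bucket starts full (the burst)
    last = Fraction(0)
    matched = unmatched = 0
    for t in arrivals_s:
        t = Fraction(t)
        # refill at rate_per_s tokens per second, capped at the burst size
        tokens = min(Fraction(burst), tokens + rate_per_s * (t - last))
        last = t
        if tokens >= 1:
            tokens -= 1
            matched += 1
        else:
            unmatched += 1            # still costs an interrupt and a chain walk
    return matched, unmatched


def max_packets_per_second(link_bps, min_frame_bytes=64):
    """Worst-case packet rate: minimum Ethernet frame plus 8 bytes of
    preamble and 12 bytes of inter-frame gap occupy the wire per packet."""
    wire_bits = (min_frame_bytes + 8 + 12) * 8
    return link_bps // wire_bits


def cpu_cycles_per_packet(cpu_hz, pps):
    """Cycles available to receive, classify and discard each packet."""
    return cpu_hz // pps


if __name__ == "__main__":
    # Constructed flood: 1000 packets evenly spaced over one second.
    flood = [i / 1000 for i in range(1000)]
    print(limit_match(flood))                       # (47, 953)
    pps = max_packets_per_second(100_000_000)       # 100 Mbit link
    print(pps, cpu_cycles_per_packet(2_000_000_000, pps))   # 2 GHz CPU
```

The 953 unmatched packets are exactly the ones iptables still has to handle before dropping them, which is why the limit rule does not lower CPU load under a flood.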

Re: DOS Protection

Hal Murray wrote:

100% agree with you.
A 10 Mbit switch is a fun idea :)

Tests have been done with a cheap VIA C7 2 GHz on a 100 Mbit link.

I can drop all the UDP in iptables, still the same problem :(
Tried changing buffer sizes; it just adds a little time before the
machine finally goes out of order.


Re: DOS Protection

Assuming you can "handle" the UDP flood, how will you handle the black
hats flooding the bandwidth capacity of your link? 'Bot networks,
usually used to send spam, can easily be used to mount a flood attack on
an IP address, inhibiting legitimate traffic.

Phil Sherman
