Tuesday, July 19, 2011

what is a good public available iptables script for ddos mitigation?

network firewalls ddos
asked May 6 at 13:38 by banditj
edited May 6 at 13:56 by AviD♦

3 Answers

Answer (score 2):
Have a look at the questions on:

how a software application can defend against a DDoS attack
what techniques do advanced firewalls use
as the answers there will give some indication. Basically you can't do it in a device as the distributed nature of the attack means you need to have infrastructure which can cope, which is why DDoS protection services tend to be provided in conjunction with ISPs and depend more on active routing, path restrictions and upstream filtering.

answered May 6 at 17:31
Rory Alsop♦
Answer (score 1):
Sorry, but you cannot effectively guard against modern DDoS attacks with a software firewall running directly on the server. The packet rates can get way too high and/or the packets come in on a valid port which your firewall permits through.

You can do basic rate limiting with iptables. But the first "d" in DDoS stands for "distributed". There are many hosts participating in the attack, and each host may contribute at a low rate, so rate-limiting may not help that much.

That said, if you want a management tool for iptables there are several options. Ubuntu ships with "ufw" -- uncomplicated firewall, and it lives up to its name. For slightly more complex solutions, I like Shorewall a lot. There are many others -- go to the support forums of your favorite distro, and you will find plenty of options.

answered May 6 at 17:16
Jesper Mortensen
The iptables maybe is not running locally on his server. Maybe it's a gateway, or even a router running Zebra or Quagga. – VP01 May 6 at 21:42
@VP01: Yes, you're quite right. It's hard to say precisely, since the original question is light on specific information, but in the majority of cases where iptables is run on a single gateway/Linux router, it will be of little use against well-executed DDoS attacks. The packet rates overwhelm all on-the-server solutions. This answer describes what good DDoS protection looks like (it needs to be done 'upstream' of the servers): security.stackexchange.com/questions/114/… – Jesper Mortensen May 7 at 7:09
Yes, upstream is the right place to do it. But from his question we cannot assume that he is an end-user. Maybe he is a netadmin, under attack from a small ISP with no clue :-)
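To make the "basic rate limiting with iptables" mentioned above concrete, here is an added example (written for this page, not code from the thread or any of its posters) of a small, reviewable policy: per-source SYN rate limiting with hashlimit, per-source connection caps with connlimit, and SYN cookies. The interface name, protected ports and all thresholds are assumptions and can be overridden through environment variables; nothing is applied unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example: a minimal iptables rate-limiting policy for one Linux host or gateway.
# Defaults (interface, ports, thresholds) are assumptions; override via the environment.
# As the answer notes, per-source limits only bite when each source is noisy; a wide,
# low-rate botnet stays under them, and real protection has to happen upstream.
WAN_IF="${WAN_IF:-eth0}"                 # assumption: Internet-facing interface
WEB_PORTS="${WEB_PORTS:-80,443}"         # assumption: ports whose connections we cap
SYN_PER_SRC="${SYN_PER_SRC:-20/second}"  # new SYNs allowed per source /24
SYN_BURST="${SYN_BURST:-40}"             # burst tolerated before the limit bites
CONN_PER_SRC="${CONN_PER_SRC:-50}"       # concurrent connections allowed per source /24

# Emit the policy one command per line so it can be diffed and reviewed before it
# touches the live ruleset. Chains are created, or flushed if they already exist.
gen_rules() {
    cat <<EOF
sysctl -w net.ipv4.tcp_syncookies=1
iptables -N DDOS_SYN 2>/dev/null || iptables -F DDOS_SYN
iptables -N DDOS_CONN 2>/dev/null || iptables -F DDOS_CONN
iptables -N DDOS_DROP 2>/dev/null || iptables -F DDOS_DROP
iptables -A INPUT -i $WAN_IF -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -i $WAN_IF -p tcp --syn -m conntrack --ctstate NEW -j DDOS_SYN
iptables -A INPUT -i $WAN_IF -p tcp --syn -m multiport --dports $WEB_PORTS -j DDOS_CONN
iptables -A DDOS_SYN -m hashlimit --hashlimit-name ddos_syn --hashlimit-mode srcip --hashlimit-srcmask 24 --hashlimit-above $SYN_PER_SRC --hashlimit-burst $SYN_BURST -j DDOS_DROP
iptables -A DDOS_CONN -m connlimit --connlimit-above $CONN_PER_SRC --connlimit-mask 24 -j DDOS_DROP
iptables -A DDOS_DROP -m limit --limit 6/minute -j LOG --log-prefix "DDOS_LIMIT "
iptables -A DDOS_DROP -j DROP
EOF
}

# Number of rules the policy appends; a quick sanity check before applying.
rule_count() { gen_rules | grep -c '^iptables -A'; }

# Dry-run by default; apply only when explicitly asked and running as root.
if [ "${APPLY:-0}" = "1" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "APPLY=1 requires root" >&2; exit 1; }
    gen_rules | sh -e
else
    gen_rules
fi
```

Run it once without APPLY to read the generated commands, then with APPLY=1 as root; dropped packets show up in the kernel log with the DDOS_LIMIT prefix, throttled so the log itself cannot be flooded.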

http://security.stackexchange.com/questions/3606/what-is-a-good-public-available-iptables-script-for-ddos-mitigation