I have a thought about this. I can use ipset and iptables on a bridge firewall. The ipt_recent module compares the TTL of the SYN packet and the ACK packet; if they don't match, drop. The ipt_hashlimit module stores the concurrent connections. When the connections exceed the threshold, iptables would store the IP in an ipset. ipset's iptree module can store the IP for a fixed time. When an IP which is in the iptree's list comes, the firewall (iptables) would TARPIT its TCP connection. Is this setting effective?

Ric Messier wrote:
> Bgs writes:
> > We recently got under a low traffic botnet DDoS attack. All attacker nodes opened a single tcp session (just SYN part) and then did nothing. This rules out rate limiting solutions and syncookie doesn't help either. (Thousands of attacking nodes).
>
> This is simply a SYN flood attack. It may or may not be a botnet (though saying botnet makes it sound sexier :-) ). A decent SYN flood attack tool would randomize the source address anyway. You should try reading the following as a starting point: http://www.securityfocus.com/infocus/1729
>
> Your second suggestion has been implemented in the TCP/IP stack forever. The article above gives guidance on how to tune it in a Linux implementation.
>
> Ric
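The hashlimit -> ipset -> TARPIT part of the setup described in the post above, written out as a ruleset. This is an added example, not code from the original poster or from the list; the TTL comparison idea is left out, since stock iptables matches do not compare the TTL of a SYN with that of the following ACK. Everything here is assumed: the set name `synflood`, the `FORWARD` chain (bridged frames traverse it when br_netfilter's bridge-nf-call-iptables is on), the thresholds, `hash:ip` with `timeout` standing in for the legacy `iptree` set type, and the `TARPIT` target from xtables-addons. `DRY_RUN=1` (the default) prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example (not from the list post): per-source SYN rate -> ipset -> TARPIT.
# Assumptions: modern ipset (hash:ip with timeout replaces the legacy iptree type),
# xt_set and xt_hashlimit from iptables, xt_TARPIT from xtables-addons, and a
# bridge firewall with br_netfilter enabled so bridged TCP traverses FORWARD.
# All names and thresholds below are illustrative, not taken from the post.
# DRY_RUN=1 (the default) only prints the commands; DRY_RUN=0 applies them (root).

SET_NAME="${SET_NAME:-synflood}"
SET_TIMEOUT="${SET_TIMEOUT:-600}"   # seconds an offending source stays listed (assumed)
SYN_RATE="${SYN_RATE:-20/sec}"      # per-source SYN rate that trips the limiter (assumed)
SYN_BURST="${SYN_BURST:-40}"        # SYNs allowed before the rate applies (assumed)
CHAIN="${CHAIN:-FORWARD}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

build_rules() {
    # 1. Offender list with a per-entry timeout: ipset drops an address by
    #    itself once SET_TIMEOUT seconds pass without the entry being refreshed.
    run ipset -exist create "$SET_NAME" hash:ip timeout "$SET_TIMEOUT"

    # 2. Sources already in the set get every TCP segment tarpitted instead of
    #    answered, so the half-open sessions are held on the attacker's side.
    run iptables -A "$CHAIN" -p tcp -m set --match-set "$SET_NAME" src -j TARPIT

    # 3. Count SYNs per source address; once a source exceeds SYN_RATE the
    #    hashlimit match fires and the SET target lists it. --exist resets the
    #    timeout when the address is already listed, so an active offender
    #    stays tarpitted for as long as it keeps sending.
    run iptables -A "$CHAIN" -p tcp --syn \
        -m hashlimit --hashlimit-mode srcip --hashlimit-name "$SET_NAME" \
        --hashlimit-above "$SYN_RATE" --hashlimit-burst "$SYN_BURST" \
        -j SET --add-set "$SET_NAME" src --exist
}

# Rule 2 must precede rule 3: a listed source is tarpitted before it is counted
# again, and a source that just tripped the limiter is caught on its next SYN.
build_rules
```

Run it once with the default `DRY_RUN=1` to review the generated commands, then as root with `DRY_RUN=0` to apply them. Note the limitation Ric raises in the quoted reply: per-source counting only ever trips for sources that repeat, so a flood with randomized spoofed source addresses never populates the set and is better handled by the kernel's own SYN handling (syncookies and backlog tuning).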