What is a good publicly available iptables script for DDoS mitigation?
4 Answers
Have a look at the questions on:
- how a software application can defend against a DDoS attack
- what techniques do advanced firewalls use
as the answers there will give some indication. Basically you can't do it in a device as the distributed nature of the attack means you need to have infrastructure which can cope, which is why DDoS protection services tend to be provided in conjunction with ISPs and depend more on active routing, path restrictions and upstream filtering.
Sorry, but you cannot effectively guard against modern DDoS attacks with a software firewall running directly on the server. The packet rates can get way too high and/or the packets come in on a valid port which your firewall permits through.
You can do basic rate limiting with iptables. But the first "d" in DDoS stands for "distributed". There are many hosts participating in the attack, and each host may contribute at a low rate, so rate-limiting may not help that much.
That said, if you want a management tool for iptables there are several options. Ubuntu ships with "ufw" -- uncomplicated firewall, and it lives up to its name. For slightly more complex solutions, I like Shorewall a lot. There are many others -- go to the support forums of your favorite distro, and you will find plenty of options.
The iptables maybe is not running locally on his server. Maybe it's a gateway, or even a router running Zebra or Quagga. – VP. May 06 '11 at 21:42
@VP01: Yes, you're quite right. It's hard to say precisely, since the original question is light on specific information, but in the majority of cases where iptables is run on a single gateway/linux router, it will be of little use against well-executed DDoS attacks. The packet rates overwhelm all on-the-server solutions. This answer describes what *good* DDoS protection looks like (it needs to be done 'upstream' of the servers): http://security.stackexchange.com/questions/114/what-techniques-do-advanced-firewalls-use-to-protect-againt-dos-ddos/792#792 – May 07 '11 at 07:09
Yes, upstream is the right place to do it. But from his question we cannot assume that he is an end-user. Maybe he is a netadmin, under attack from a small ISP with no clue :-) – VP. May 07 '11 at 07:32
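The "basic rate limiting with iptables" the answer above mentions, as an added example that is not a script from this thread: it uses the hashlimit, connlimit and conntrack match modules, the ports, thresholds and chain name are assumptions to tune per host, and by default it only prints the rules (pass --apply as root to execute them).

```shell
#!/bin/sh
# Added example, not a script from the thread: per-source rate limiting with
# the iptables hashlimit, connlimit and conntrack modules. PORTS, the
# thresholds and CHAIN are assumptions to tune for the real host.
# Dry-run (print the commands) by default; pass --apply to execute as root.
PORTS="${PORTS:-80,443}"
CHAIN="RATE_LIMIT"
DRY_RUN=1
if [ "${1:-}" = "--apply" ]; then DRY_RUN=0; fi

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" -eq 1 ]; then echo "$*"; else "$@"; fi
}

gen_rules() {
    # Own chain so the rules can be inspected or flushed as one unit.
    run iptables -N "$CHAIN"
    run iptables -F "$CHAIN"
    # Log a sample of drops, at most 5 lines/min so the log does not become
    # a second flood, then drop.
    run iptables -A "$CHAIN" -m limit --limit 5/min -j LOG --log-prefix "RATE_LIMIT: "
    run iptables -A "$CHAIN" -j DROP
    # Packets conntrack cannot place in any connection (stray ACK/RST floods).
    run iptables -A INPUT -m conntrack --ctstate INVALID -j "$CHAIN"
    # Per-source SYN rate: more than 20 SYN/s (burst 40) from one address.
    # A botnet sending 1 SYN/s per host stays under this, which is exactly
    # the weakness of rate limiting that the answer above describes.
    run iptables -A INPUT -p tcp --syn -m multiport --dports "$PORTS" \
        -m hashlimit --hashlimit-name syn_per_src --hashlimit-mode srcip \
        --hashlimit-above 20/sec --hashlimit-burst 40 -j "$CHAIN"
    # Cap concurrent connections per /32 source address.
    run iptables -A INPUT -p tcp --syn -m multiport --dports "$PORTS" \
        -m connlimit --connlimit-above 50 --connlimit-mask 32 -j "$CHAIN"
    # SYN cookies let the kernel answer a SYN flood without filling the backlog.
    run sysctl -w net.ipv4.tcp_syncookies=1
}

gen_rules
```

Without --apply the script is safe to run unprivileged and just shows what would be installed; review the printed rules before applying them on a gateway, since a mis-set threshold drops legitimate clients as readily as floods.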
[Quote: Sorry, but you cannot effectively guard against modern DDoS attacks with a software firewall running directly on the server]
100% correct. Deflation and load-balancing are the only 100% foolproof DDoS mitigation measures. Of course you'll need a multi-server setup or cloud CDN for that. (For more info, check out this comparison review of cloud security service providers.)
Also I must say that limiting IP ranges is not only ineffective but also (potentially) damaging. As mentioned, DDoS uses a botnet - a network of PCs that can sometimes be a very large pool of inconsistent IPs.
In this more and more commonly occurring scenario, blocking an "attacking" IP range can actually prevent access from legitimate visitors, while not preventing the DDoS attack itself.