
I have been searching for a solution for a long time but can't find anything useful.

My web server is secured by a firewall (iptables with the ufw user interface). The default is deny all and only some ports are open. The server is monitored by PRTG.

My problem is that someone is trying to access the blocked ports a few times per second. When this happens, the monitoring tool reports a ping timeout.

The simple DDoS Deflate script is configured to block on more than 100 requests. This amount is not reached.

My question: is it possible to prevent this incident? Is blocking by the firewall this performance-hungry?

Bryan

3 Answers


My best guess is that your ufw rules are logging all the blocks; I have seen in the past that this creates a LOT of disk activity and the system becomes too busy to handle anything else (such as other incoming packets).

Reduce your logging level, or add rate-limiting to your log rule(s).

fukawi2
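The answer above suggests measuring and then reducing what the default-deny log rule writes. The following is an added example, not code from that answer, from the original poster, or from the ufw project: it summarises constructed `/var/log/ufw.log` lines (a made-up sample, not a real capture) to show how many blocked packets are being logged per second and from which source, then prints, without applying, the two quieter settings: a ufw log level, and a plain iptables LOG rule with `-m limit` for setups that manage rules by hand. It assumes ufw's stock `[UFW BLOCK]` prefix and `SRC=` field; the `[FW DROP]` prefix and the 5/min and burst 10 values are arbitrary choices.

```shell
#!/bin/sh
# Added example: quantify default-deny log volume and print quieter settings.
# Assumes ufw's stock "[UFW BLOCK] ... SRC=<ip> ..." log line layout.

# Constructed, abbreviated sample of /var/log/ufw.log lines (not real data).
SAMPLE_LOG='Mar  3 10:15:01 web kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=40 PROTO=TCP SPT=44123 DPT=23 SYN
Mar  3 10:15:01 web kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=40 PROTO=TCP SPT=44124 DPT=3389 SYN
Mar  3 10:15:01 web kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=40 PROTO=TCP SPT=44125 DPT=445 SYN
Mar  3 10:15:01 web kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=40 PROTO=TCP SPT=44126 DPT=5900 SYN
Mar  3 10:15:02 web kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=40 PROTO=TCP SPT=44127 DPT=1433 SYN
Mar  3 10:15:02 web kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.23 DST=198.51.100.5 LEN=40 PROTO=TCP SPT=51000 DPT=22 SYN
Mar  3 10:15:02 web kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=40 PROTO=TCP SPT=44128 DPT=8080 SYN'

# Highest number of blocked packets logged within one second
# (fields 1-3 are the syslog timestamp: month, day, hh:mm:ss).
peak_blocks_per_second() {
    printf '%s\n' "$SAMPLE_LOG" | awk '
        /\[UFW BLOCK\]/ { n[$1 " " $2 " " $3]++ }
        END { m = 0; for (k in n) if (n[k] > m) m = n[k]; print m }'
}

# Source address responsible for the most blocked packets.
top_blocked_source() {
    printf '%s\n' "$SAMPLE_LOG" | awk '
        /\[UFW BLOCK\]/ {
            for (i = 1; i <= NF; i++)
                if (substr($i, 1, 4) == "SRC=") n[substr($i, 5)]++
        }
        END { m = 0; for (k in n) if (n[k] > m) { m = n[k]; top = k }; print top }'
}

# Print the ufw command for a given log level; rejects levels ufw does not accept.
ufw_logging_command() {
    case "$1" in
        off|low|medium|high|full) printf 'ufw logging %s\n' "$1" ;;
        *) echo "unknown ufw logging level: $1" >&2; return 1 ;;
    esac
}

# Print (do not apply) an iptables LOG rule that writes at most $1 lines per
# minute with a burst of $2, instead of one line per dropped packet. It is meant
# to be the last rule in INPUT, just before the default DROP policy applies.
ratelimited_log_rule() {
    per_min=${1:-5}
    burst=${2:-10}
    printf 'iptables -A INPUT -m limit --limit %s/min --limit-burst %s -j LOG --log-prefix "[FW DROP] " --log-level 4\n' \
        "$per_min" "$burst"
}

# Dry run: report on the sample and show the commands; nothing is changed.
echo "peak blocked packets logged in one second: $(peak_blocks_per_second)"
echo "busiest blocked source: $(top_blocked_source)"
echo "commands to apply (dry run, not executed):"
ufw_logging_command low
ratelimited_log_rule 5 10
```

To run the two counters against a real system, replace `SAMPLE_LOG` with the output of `cat /var/log/ufw.log`. If the peak is in the hundreds per second, the log rule, not the DROP itself, is the work to cut: the ufw manual documents `low` as logging blocked packets with rate limiting, and the `-m limit` rule does the same for hand-written iptables. A `[FW DROP]` count that stays low while the ping timeouts continue points away from logging as the cause.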

There are a lot of different answers here, but in general a software firewall is not intended to stop DoS attacks. Yes, when a large volume of traffic is being sorted by a firewall it is resource-demanding. If this is just one person trying to access these blocked ports, it is possible to contact your hosting provider and block the IP on the backbone so it doesn't reach your server.

Depending on the size of your site / application it may be time to start looking at a hardware firewall.

Here is another answer of mine on a similar topic:

How protect from DDOS attack?

QuentinMoss

I have seen iptables with over 2,000 rules that works perfectly fine. I'm not saying having 2,000+ rules is a good thing; it's definitely about time to switch to a more robust firewall solution, but you get the point.

Performance-wise, the answer is no.

user1007727