On 05.05.2012 00:31, jdow wrote:
>> with 75 instead of 100 even an "ab -c 4 -n 1000" is completely
>> broken from outside the own network because "apache benchmark"
>> thinks the host is dead after 83 connections and stops due to
>> too many errors - well, I guess exactly that is the problem for
>> Nessus/OpenVAS and such software from outside now
>>
>> they triggered it all the time before with portscans but simply
>> did not notice
> What happens with something like this (PDL sorta kinda)?
>
>     while( 1 )
>     {
>         "ab -c 4 -n 50"
>         Sleep( 2 )
>     }
>
> I don't know nessus. I am guessing that the "-n 1000" part means 1000 trials
> and it's running as fast as it can go. The idea is to test up to your
> DDOS limit, wait 2 seconds, repeat. Can the test be hacked to keep your
> system at its limit but not over its limit?
no idea, even if it would not help because a company
only doing certified security scans will never change them,
especially if your customer is their customer....

but I found a solution!

with "--remove" you can remove the given IP from the iptables list
before the REJECT action is triggered and this way add as many
networks / addresses as you need
# every -I lands at the top of INPUT, so the live order is LOG, REJECT, --remove, --set
# 1) record each NEW connection from outside the LAN in the recent list
$IPTABLES -I INPUT -p tcp -i eth0 ! -s $LAN_RANGE -m state --state NEW -m recent --set
# 2) the scanner gets its entry dropped again on every NEW connection, so it never reaches the hitcount
$IPTABLES -I INPUT -p tcp -i eth0 -s $SECURITY_SCAN -m state --state NEW -m recent --remove
# 3) more than 75 NEW connections within one second -> tcp-reset
$IPTABLES -I INPUT -p tcp -i eth0 ! -s $LAN_RANGE -m state --state NEW -m recent --update \
    --seconds 1 --hitcount 75 -j REJECT --reject-with tcp-reset
# 4) log the offender, at most 60 lines per hour
$IPTABLES -I INPUT -p tcp -i eth0 ! -s $LAN_RANGE -m state --state NEW -m recent --update \
    --seconds 1 --hitcount 75 -m limit --limit 60/h -j LOG --log-prefix "Rate-Control: "
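To see why the "--remove" rule keeps the scanner below the limit while a full-speed "ab" run from elsewhere is reset after 75 connections, here is an added Python model of that chain (not code from the thread; the table behaviour is a simplified reading of the recent match, and the LAN range, scanner address and per-address stamp limit are assumed values):

```python
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the post's $LAN_RANGE and $SECURITY_SCAN variables.
LAN_RANGE = ip_network("192.168.1.0/24")
SECURITY_SCAN = ip_address("203.0.113.10")
WINDOW, HITCOUNT = 1.0, 75   # --seconds 1 --hitcount 75
IP_PKT_LIST_TOT = 100        # timestamps kept per address (module default: 20)

class RecentTable:  # simplified xt_recent table: a ring of timestamps per source
    def __init__(self):
        self.stamps, self.logged = {}, 0
    def set(self, src, now):                  # --set: remember this packet
        ring = self.stamps.setdefault(src, [])
        ring.append(now)
        del ring[:-IP_PKT_LIST_TOT]           # oldest stamps drop out of the ring
    def remove(self, src):                    # --remove: forget the address
        self.stamps.pop(src, None)
    def update(self, src, now):               # --update --seconds W --hitcount N
        if sum(now - t <= WINDOW for t in self.stamps.get(src, [])) < HITCOUNT:
            return False
        self.set(src, now)                    # --update re-stamps only on a match
        return True

def build_chain(insert=True):
    """The post's four rules in the order issued. Each -I lands at the top, so
    the live chain reads LOG, REJECT, remove, set (-A would put REJECT first)."""
    rules = [("not_lan", "set", None), ("scanner", "remove", None),
             ("not_lan", "update", "REJECT"), ("not_lan", "update", "LOG")]
    return rules[::-1] if insert else rules

def new_syn(chain, table, src, now):
    """Walk the chain for one NEW TCP packet from src and return the verdict."""
    ip = ip_address(src)
    for selector, action, target in chain:
        if selector == "not_lan" and ip in LAN_RANGE: continue   # ! -s $LAN_RANGE
        if selector == "scanner" and ip != SECURITY_SCAN: continue  # -s $SECURITY_SCAN
        if action == "set":
            table.set(src, now)
        elif action == "remove":
            table.remove(src)
        elif table.update(src, now):
            if target == "LOG":
                table.logged += 1             # LOG does not end the walk (-m limit ignored)
            else:
                return "REJECT"               # -j REJECT --reject-with tcp-reset
    return "ACCEPT"                           # fell through to the rest of INPUT

def burst(chain, table, src, count, rate=1000.0, start=0.0):
    """count NEW connections from src at rate/s (one 'ab -n count' run); return
    how many the chain rejected."""
    return sum(new_syn(chain, table, src, start + i / rate) == "REJECT"
               for i in range(count))
```

IP_PKT_LIST_TOT mirrors the module parameter of that name; kernels of that era refuse a --hitcount larger than it (default 20), so a rule with --hitcount 75 needs the parameter raised when the module is loaded.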