On 2012/05/04 15:42, Reindl Harald wrote:
Am 05.05.2012 00:31, schrieb jdow:
>> with 75 instead of 100 evebn a "ab -c 4 -n 1000" is completly
>> broken from outside the own network because "apache benchmark"
>> thinks the host is dead after 83 connections and stops due too
>> many errors - well, i guess exactly that is the problem for
>> Nessus/OpenVAS and such software from outside now
>>
>> they triggered it all time before with portscans but only
>> not notice
>
> What happens with something like this (PDL sorta kinda)?
>
> while( 1 )
> {
> "ab -c 4 -n 50"
> Sleep( 2 )
> }
>
> I don't know nessus. I am guessing that "-n 1000" part means 1000
trials
> and it's running as fast as it can go. The idea is to test up to your
> DDOS limit, wait 2 seconds, repeat. Can the test be hacked to keep your
> system at its limit but not over its limit?
no idea, evenif it would not help becasue a company
only doing certified secsancs will never change them
especially if your customer is their customer....
but i found a solution!
with "--remove" you can remove the given IP from the iptables-list
before the REJECT action is triggered and this way add as much
networks / addresses you need
$IPTABLES -I INPUT -p tcp -i eth0 ! -s $LAN_RANGE -m state --state NEW -m recent --set
$IPTABLES -I INPUT -p tcp -i eth0 -s $SECURITY_SCAN -m state --state NEW -m recent
--remove
$IPTABLES -I INPUT -p tcp -i eth0 ! -s $LAN_RANGE -m state --state NEW -m recent --update
--seconds 1 --hitcount 75
-j REJECT --reject-with tcp-reset
$IPTABLES -I INPUT -p tcp -i eth0 ! -s $LAN_RANGE -m state --state NEW -m recent --update
--seconds 1 --hitcount 75
-m limit --limit 60/h -j LOG --log-prefix "Rate-Control: "
As long as that does not break other iptables based protections it's a
good enough solution. I presume you did audit the iptables setup for that
possibility.
Good luck with it.
(As an aside the scan company should learn to adapt as more and more
customers learn this trick and deploy it.)
{^_^}