iptables recent / more than one exception

jdow jdow at earthlink.net
Fri May 4 22:31:34 UTC 2012


On 2012/05/04 02:57, Reindl Harald wrote:
>
>
> Am 04.05.2012 11:37, schrieb jdow:
>> But, then, I note your setting with --recent is not nearly as stringent as
>> mine. Any given address gets one connection per minute to ssh. That VASTLY
>> slows down dictionary attacks. Yours is a significant slow down; but, not
>> so much that somebody could not, as you put it, nibble around the edges to
>> get in. You have slowed down such attacks, though. That is good.
>>
>> It would be handy if there was an iptables rule that allowed skipping the
>> next rule in order if the special rule hit. Alas, I am unaware of such a
>> trick potential.
>
> my sshd has a separate rule
>
> the intention of this rule is not to block
> it is a rate-control against DOS attacks
>
> since we had "Anonymous" with a distributed DOS attack last
> week i can say it works damned good - after replacing a
> burned down router :-)
>
> clearly you can not stand the whole DDOS from some thousand
> source IPs but it gives you enough time to filter them for
> a DROP rule - without this ratecontrol you could not
> operate on the machine
>
> before the DDOS it was limited to 100 connections/ip/second
> which results in "ab -c 50 -n 50000 http://host-on-machine/"
> raise CPU load up to 100% for a short time, go down to 50%
> and changing between these both states (sorry about bad English)
>
> with 75 instead of 100 even a "ab -c 4 -n 1000" is completely
> broken from outside the own network because "apache benchmark"
> thinks the host is dead after 83 connections and stops due to too
> many errors - well, i guess exactly that is the problem for
> Nessus/OpenVAS and such software from outside now
>
> they triggered it all the time before with portscans but just
> did not notice

What happens with something like this (PDL sorta kinda)?

while true
do
	# one burst: 4 concurrent clients, 50 requests total (target URL taken
	# from the ab command quoted above), then back off for 2 seconds
	ab -c 4 -n 50 http://host-on-machine/
	sleep 2
done

I don't know Nessus. I am guessing that "-n 1000" part means 1000 trials
and it's running as fast as it can go. The idea is to test up to your
DDOS limit, wait 2 seconds, repeat. Can the test be hacked to keep your
system at its limit but not over its limit?

{^_^}

