Archive

Articles taggués ‘stop ddos attack iptables’

Stop DDoS attack with iptables

06/11/2015 Comments off

stop ddos attack iptablesIn fight against DDoS through the years, i’ve compiled a list of useful iptables commands which may come handy in time of trouble.

Here is how to stop DDoS attack with iptables

To block small SYN floods:
iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j RETURN

To block small UDP floods:
iptables -N udp-flood
iptables -A OUTPUT -p udp -j udp-flood
iptables -A udp-flood -p udp -m limit --limit 50/s -j RETURN
iptables -A udp-flood -j LOG --log-level 4 --log-prefix 'UDP-flood attempt: '
iptables -A udp-flood -j DROP

To limit rate of connections on a port:
iptables -A INPUT -p tcp --dport (port-here) -m state --state NEW -m recent --set --name DDOS --rsource
iptables -A INPUT -p tcp --dport (port-here) -m state --state NEW -m recent --update --seconds 5 --hitcount 5 --name DDOS --rsource -j DROP

Limit connections per ip on a port
iptables -A INPUT -p tcp --syn --dport (port-here) -m connlimit --connlimit-above (limit-here) --connlimit-mask 32 -j REJECT --reject-with tcp-reset

To block an ip using iptables
iptables -A INPUT -s (ip-here) -j DROP

If you use haproxy as load balancer use this to limit concurrent connections:
stick-table type ip size 200k expire 30s store conn_cur
tcp-request connection reject if { src_conn_cur ge 6 }
tcp-request connection track-sc1 src

Resources:
iptables man page
Haproxy website

Source: Stickpoll