Iptables anti-CC attack

Source: Internet
Author: User

We can use iptables to approximate, to some extent, what a black-hole appliance does against CC (connection-exhaustion) attacks. The detailed configuration is as follows:


1. System requirements:

1) Linux kernel version: 2.6.9-42.ELsmp or 2.6.9-55.ELsmp

(Other kernel versions require recompiling the kernel, which is cumbersome but doable.)

2) iptables version: 1.3.7

2. Install iptables 1.3.7 (http://www.netfilter.org/projects/iptables/files/iptables-1.3.7.tar.bz2)

together with the connlimit kernel module package that matches the running kernel, kernel-smp-modules-connlimit ()

3. Configure the corresponding iptables rules, for example:

1) Limit the number of concurrent connections from a single IP

iptables -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 50 -j REJECT

# reject once a single IP holds more than 50 concurrent connections to port 80 (the original note quoted a limit of 30; --connlimit-above is the value to adjust)

2) Limit the number of new connections a single IP may open within a time window (for example, 60 seconds)

iptables -A INPUT -p tcp --dport 80 --syn -m recent --name bad_http_access --update --seconds 60 --hitcount 30 -j REJECT

iptables -A INPUT -p tcp --dport 80 --syn -m recent --name bad_http_access --set -j ACCEPT

# a single IP may open at most 30 new connections within 60 seconds
# --syn (added here) makes only connection-opening packets count; without it every packet of an established session is counted toward the 30 hits and ordinary clients get rejected

4. Verification: 1) Tool: flood_connect.c (used to simulate the attack)

2) View the results:

watch 'netstat -an | grep :21 | grep <simulated attack client IP> | wc -l'

shows in real time how many connections the simulated attack client has built up, and

watch 'iptables -L -n -v | grep <simulated attack client IP>'

shows, via the pkts/bytes counters of the matching rule, how many of the simulated client's packets have been rejected.

5. Good luck!



Note: To strengthen iptables against CC attacks, it is best to adjust the ipt_recent module parameters:

# cat /etc/modprobe.conf
options ipt_recent ip_list_tot=1000 ip_pkt_list_tot=60

(track up to 1000 addresses and remember the last 60 packet timestamps per address; ip_pkt_list_tot must not be lower than the --hitcount you use, otherwise the REJECT rule can never match)

# modprobe ipt_recent

(unload the module first if it is already loaded, or the new options are not applied)
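As an added example (not code from the post), a Python model of how the two `-m recent` rules above behave, using assumed simplified xt_recent semantics: a ring buffer of ip_pkt_list_tot timestamps per address, --update counting hits inside --seconds and refreshing the entry only when it matches. It shows the 30-then-reject behaviour, that a source which keeps hammering keeps its own ban alive, and why ip_pkt_list_tot below --hitcount silently disables the REJECT rule.

```python
from collections import OrderedDict, deque


class RecentTable:
    """Model of the table behind `-m recent --name bad_http_access` (assumed semantics)."""

    def __init__(self, ip_list_tot=1000, ip_pkt_list_tot=60):
        self.ip_list_tot = ip_list_tot          # max addresses tracked (oldest evicted)
        self.ip_pkt_list_tot = ip_pkt_list_tot  # timestamps kept per address (ring buffer)
        self.entries = OrderedDict()            # ip -> deque of packet timestamps

    def _touch(self, ip, now):
        """Record one packet for ip, dropping the oldest stamp / oldest address when full."""
        stamps = self.entries.pop(ip, None)
        if stamps is None:
            stamps = deque(maxlen=self.ip_pkt_list_tot)
            if len(self.entries) >= self.ip_list_tot:
                self.entries.popitem(last=False)  # evict least recently seen address
        stamps.append(now)
        self.entries[ip] = stamps                 # move to most-recent position

    def set(self, ip, now):
        """`--set`: list the address and record this packet; always matches."""
        self._touch(ip, now)
        return True

    def update(self, ip, now, seconds, hitcount):
        """`--update --seconds S --hitcount N`: match if ip is listed and at least N
        packets were recorded within the last S seconds; a match records this packet
        too, so the window keeps sliding while the source keeps sending."""
        stamps = self.entries.get(ip)
        if stamps is None:
            return False
        hits = sum(1 for t in stamps if now - t <= seconds)
        if hits >= hitcount:
            self._touch(ip, now)
            return True
        return False


def simulate(syns, seconds=60, hitcount=30, ip_pkt_list_tot=60):
    """Run (time, src_ip) SYNs through rule 1 (--update -> REJECT) then rule 2
    (--set -> ACCEPT), exactly in the order the page adds them. One verdict per SYN."""
    table = RecentTable(ip_pkt_list_tot=ip_pkt_list_tot)
    verdicts = []
    for now, ip in syns:
        if table.update(ip, now, seconds, hitcount):
            verdicts.append("REJECT")
        else:
            table.set(ip, now)
            verdicts.append("ACCEPT")
    return verdicts


# constructed traffic: one source opening a new connection every second for 200 s
flood = [(t, "198.51.100.7") for t in range(200)]
```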


The saved firewall configuration on the system (note that it does not yet contain the anti-CC rules above):

cat /etc/sysconfig/iptables

# Firewall configuration written by redhat-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# following ports is enabled by
# (the port numbers of the next two rules are missing from the source as published)
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp -m tcp --dport --syn -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp -m tcp --dport --syn -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp -m tcp --dport 9000:9049 --syn -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp -m tcp --dport 2001 --syn -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp -m tcp --dport 3124 --syn -j ACCEPT
# End of ports enabled by
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
# COMMIT terminates the table for iptables-restore; it is absent from the page as scraped
COMMIT



2009-07-02


This article is from the "Five Corners" blog, please be sure to keep this source http://hi289.blog.51cto.com/4513812/1757704
