Iptables anti-DDOS and CC attack settings

Source: Internet
Author: User

Defense against DDOS attacks # lightweight prevention of SYN Attacks iptables-N syn-flood iptables-a input-p tcp -- syn-j syn-flood iptables-I syn-flood-p tcp- m limit -- limit 3/s -- limit-burst 6-j RETURN iptables-A syn-flood-j REJECT # prevent too many DOS connections, each IP address of an Internet Nic can have up to 15 Initial connections, discarded iptables-a input-I eth0-p tcp -- syn-m connlimit -- connlimit-abve 15-j DROP iptables-A INPUT-p tcp-m state -- state ESTABLISHED, RELATED-j ACCEPT # Use Iptable S anti-DDOS (same parameters as above) iptables-a input-p tcp -- syn-m limit -- limit 12/s -- limit-burst 24-j ACCEPTiptables-a forward-p tcp -- syn-m limit -- limit 1/ s-j ACCEPT #################################### ##################### prevent CC attacks when the apache site is under severe cc attacks, we can use iptables to prevent CC attacks on web servers and automatically block IP addresses. 1. System Requirements (1) LINUX kernel version: 2.6.9-42ELsmp or 2.6.9-55 ELsmp (Other kernel versions need to re-compile the kernel, Which is troublesome but can also be implemented ). (2) iptables version: 1.3.72. install the kernel module kernel-smp-modules-connlimit3 corresponding to iptables1.3.7 and system kernel version. an example of configuring an iptables rule is as follows: (1) control the maximum number of concurrent connections of a single IP address iptables-I INPUT-p tcp -- dport 80-m connlimit -- connlimit-abve 50-j REJECT # Allow the maximum number of connections of a single IP address to 30 # default iptables the module does not contain connlimit, you need to compile and load it by yourself. Please refer to this address http://sookk8.blog.51cto.com/455855/280372 Load the connlimit module without compiling the kernel (2) control a single IP address at a certain time (for example, 60 seconds) allowed new connections in iptables-a input-p tcp -- dport 80-m recent -- name BAD_HTTP_ACCESS -- update -- seconds 60 -- hitcount 30-j REJECT iptables-a input-p tcp -- dport 80-m recent -- name BAD_HTTP_ACCESS -- set-j ACCEPT # A Single IP Address can only create up to 30 connections within 60 seconds. verification (1) tool: flood_connect.c (used to simulate attacks) (2) view results: watch 'netstat-an | grep: 21 | grep <IP address of the simulated attack client> | wc-l' view the number of connections established by the simulated attack client in real time, and use watch 'Iptables-L-n-v | \ grep <IP address of the simulated attack client> 'shows the number of dropped packets of the simulated attack client. 5. note: To enhance iptables's ability to prevent CC attacks, you 'd better adjust the ipt_recent parameter as follows: # cat/etc/modprobe. conf options ipt_recent ip_list_tot = 1000 ip_pkt_list_tot = 60 # record 1000 IP addresses, each address records 60 packets # modprobe ipt_recent

Related Article

E-Commerce Solutions

Leverage the same tools powering the Alibaba Ecosystem

Learn more >

Apsara Conference 2019

The Rise of Data Intelligence, September 25th - 27th, Hangzhou, China

Learn more >

Alibaba Cloud Free Trial

Learn and experience the power of Alibaba Cloud with a free trial worth $300-1200 USD

Learn more >

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.