Defense against DDOS attacks # lightweight prevention of SYN Attacks iptables-N syn-flood iptables-a input-p tcp -- syn-j syn-flood iptables-I syn-flood-p tcp- m limit -- limit 3/s -- limit-burst 6-j RETURN iptables-A syn-flood-j REJECT # prevent too many DOS connections, each IP address of an Internet Nic can have up to 15 Initial connections, discarded iptables-a input-I eth0-p tcp -- syn-m connlimit -- connlimit-abve 15-j DROP iptables-A INPUT-p tcp-m state -- state ESTABLISHED, RELATED-j ACCEPT # Use Iptable S anti-DDOS (same parameters as above) iptables-a input-p tcp -- syn-m limit -- limit 12/s -- limit-burst 24-j ACCEPTiptables-a forward-p tcp -- syn-m limit -- limit 1/ s-j ACCEPT #################################### ##################### prevent CC attacks when the apache site is under severe cc attacks, we can use iptables to prevent CC attacks on web servers and automatically block IP addresses. 1. System Requirements (1) LINUX kernel version: 2.6.9-42ELsmp or 2.6.9-55 ELsmp (Other kernel versions need to re-compile the kernel, Which is troublesome but can also be implemented ). (2) iptables version: 1.3.72. install the kernel module kernel-smp-modules-connlimit3 corresponding to iptables1.3.7 and system kernel version. an example of configuring an iptables rule is as follows: (1) control the maximum number of concurrent connections of a single IP address iptables-I INPUT-p tcp -- dport 80-m connlimit -- connlimit-abve 50-j REJECT # Allow the maximum number of connections of a single IP address to 30 # default iptables the module does not contain connlimit, you need to compile and load it by yourself. Please refer to this address http://sookk8.blog.51cto.com/455855/280372 Load the connlimit module without compiling the kernel (2) control a single IP address at a certain time (for example, 60 seconds) allowed new connections in iptables-a input-p tcp -- dport 80-m recent -- name BAD_HTTP_ACCESS -- update -- seconds 60 -- hitcount 30-j REJECT iptables-a input-p tcp -- dport 80-m recent -- name BAD_HTTP_ACCESS -- set-j ACCEPT # A Single IP Address can only create up to 30 connections within 60 seconds. verification (1) tool: flood_connect.c (used to simulate attacks) (2) view results: watch 'netstat-an | grep: 21 | grep <IP address of the simulated attack client> | wc-l' view the number of connections established by the simulated attack client in real time, and use watch 'Iptables-L-n-v | \ grep <IP address of the simulated attack client> 'shows the number of dropped packets of the simulated attack client. 5. note: To enhance iptables's ability to prevent CC attacks, you 'd better adjust the ipt_recent parameter as follows: # cat/etc/modprobe. conf options ipt_recent ip_list_tot = 1000 ip_pkt_list_tot = 60 # record 1000 IP addresses, each address records 60 packets # modprobe ipt_recent