

    

Blue Forest http://www.lslnet.com at 3:18 p.m. on August 18, 2006


RH9 server: how to prevent a simple DoS attack

I estimate around 30% of the connections come from the attacker: they connect to a port on my server and then just wait there until the timeout, making no further moves, so that many normal connections cannot get in. How should I change things?

RH9 server: how to prevent a simple DoS attack

Temporarily block the IP?

Is this port useful? If it is useless, close it.

Restrict the number of connections, and the connection timeout.

I don't see any hole in the system.

RH9 server: how to prevent a simple DoS attack

echo 1 > /proc/sys/net/ipv4/tcp_syncookies

http://www.www.lslnet.com/linux/jh/4/335692.html
http://www.lslnet.com/linux/#forum/viewtopic.php?t=23116

RH9 server: how to prevent a simple DoS attack

The port is certainly useful; it cannot be closed.

Blocking IPs is not realistic; the enemy keeps changing their IP, and I estimate many of them are ADSL users.

As for the method in the post above, I don't know whether it works; the enemy connects to the server through a normal connection and then just holds that connection, which is not like a half-open attack.

Brothers, when you reply, could you go into a little more detail? Thank you.
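The poster is describing a connection-hold attack (complete handshake, then idle) rather than a half-open SYN flood, and the two look different in the socket table. The following script is an added example, not code from the thread: it counts ESTAB and SYN-RECV sockets per peer in `ss -ant` output, flags peers above a threshold, and counts half-open sockets separately. The sample output is constructed; the column layout and IPv4-only parsing are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): tell a connection-hold attack apart from a
# SYN flood by counting TCP sockets per peer in `ss -ant` output
# (columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port).
# IPv4 peers only: the address is everything before the last ':' in column 5.

# Constructed sample output, not captured from a real host.
SAMPLE_SS='State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB      0      0      192.0.2.10:80        203.0.113.7:41234
ESTAB      0      0      192.0.2.10:80        203.0.113.7:41235
ESTAB      0      0      192.0.2.10:80        203.0.113.7:41236
SYN-RECV   0      0      192.0.2.10:80        203.0.113.7:41237
ESTAB      0      0      192.0.2.10:80        198.51.100.4:55100
SYN-RECV   0      0      192.0.2.10:80        198.51.100.9:55101
LISTEN     0      128    0.0.0.0:80           0.0.0.0:*'

# Print "count peer" lines, highest count first, for the ESTAB and SYN-RECV
# rows of ss output read from stdin.
count_per_peer() {
    awk '$1 == "ESTAB" || $1 == "SYN-RECV" {
             peer = $5; sub(/:[^:]*$/, "", peer); print peer }' |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Print the peers (from ss output on stdin) holding more than $1 sockets.
# A few peers with many ESTAB sockets is the idle-and-hold pattern.
flag_peers() {
    threshold=$1
    count_per_peer | awk -v t="$threshold" '$1 > t { print $2 }'
}

# Number of half-open (SYN-RECV) sockets in ss output on stdin; a sudden rise
# here, spread over many peers, points at a SYN flood instead.
count_syn_recv() {
    awk '$1 == "SYN-RECV" { n++ } END { print n + 0 }'
}

# Stand-alone run on the constructed sample.
# On a live host: ss -ant | flag_peers 50
printf '%s\n' "$SAMPLE_SS" | count_per_peer
printf '%s\n' "$SAMPLE_SS" | flag_peers 3
printf '%s\n' "$SAMPLE_SS" | count_syn_recv
```

The threshold should come from what the service normally sees per client (a busy proxy legitimately holds many connections from one address), so run `count_per_peer` on a quiet day first and pick a value well above that.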

RH9 server: how to prevent a simple DoS attack

This problem seems to have been discussed before, without a conclusion.

RH9 server: how to prevent a simple DoS attack

Buy a hardware product to prevent DDoS attacks.

RH9 server: how to prevent a simple DoS attack

I know iptables can limit the number of simultaneous connections from the same IP, but that needs a recompiled kernel, and I don't want that much trouble.

RH9 server: how to prevent a simple DoS attack

No need to recompile the kernel; just go straight ahead.

RH9 server: how to prevent a simple DoS attack

See www.lartc.org, sections 15.2 and 15.3.

I'll paste it here; hope it helps.

15.2. Protecting your host from SYN floods

From Alexey's iproute documentation, adapted to netfilter and with more plausible paths. If you use this, take care to adjust the numbers to reasonable values for your system.

If you want to protect an entire network, skip this script, which is best suited for a single host.

It appears that you need the very latest version of the iproute2 tools to get this to work with 2.4.0.

#! /bin/sh -x
#
# sample script on using the ingress capabilities
# this script shows how one can rate limit incoming SYNs
# Useful for TCP-SYN attack protection. You can use
# IPchains to have more powerful additions to the SYN (eg
# in addition the subnet)
#
#path to various utilities;
#change to reflect yours.
#
TC=/sbin/tc
IP=/sbin/ip
IPTABLES=/sbin/iptables
INDEV=eth2
#
# tag all incoming SYN packets through $INDEV as mark value 1
############################################################
$IPTABLES -A PREROUTING -i $INDEV -t mangle -p tcp --syn \
  -j MARK --set-mark 1
############################################################
#
# install the ingress qdisc on the ingress interface
############################################################
$TC qdisc add dev $INDEV handle ffff: ingress
############################################################

#
#
# SYN packets are 40 bytes (320 bits) so three SYNs equals
# 960 bits (approximately 1kbit); so we rate limit below
# the incoming SYNs to 3/sec (not very useful but really;
# serves to show the point - JHS
############################################################
# match packets carrying fw mark 1 (the SYNs tagged above) and police them
$TC filter add dev $INDEV parent ffff: protocol ip prio 50 handle 1 fw \
  police rate 1kbit burst 40 mtu 9k drop flowid :1
############################################################


#
echo "---- qdisc parameters Ingress  ----------"
$TC qdisc ls dev $INDEV
echo "---- Class parameters Ingress  ----------"
$TC class ls dev $INDEV
echo "---- filter parameters Ingress ----------"
$TC filter ls dev $INDEV parent ffff:

#deleting the ingress qdisc
#$TC qdisc del dev $INDEV ingress

15.3. Rate limit ICMP to prevent dDoS

Recently, distributed denial of service attacks have become a major nuisance on the Internet. By properly filtering and rate limiting your network, you can both prevent becoming a casualty or the cause of these attacks.

You should filter your networks so that you do not allow non-local IP source addressed packets to leave your network. This stops people from anonymously sending junk to the Internet.

Rate limiting goes much as shown earlier. To refresh your memory, our ASCIIgram again :

[The Internet] ---<E3, T3, whatever>--- [Linux router] --- [Office+ISP]
                                       eth1       eth0

We first set up the prerequisite parts :

# tc qdisc add dev eth0 root handle 10: cbq bandwidth 10Mbit avpkt 1000
# tc class add dev eth0 parent 10:0 classid 10:1 cbq bandwidth 10Mbit rate \
  10Mbit allot 1514 prio 5 maxburst 20 avpkt 1000

If you have 100Mbit, or more, interfaces, adjust these numbers. Now you need to determine how much you want to allow ICMP traffic. You can perform measurements with tcpdump, by having it write to a file for a while, and seeing how much ICMP passes your network. Do not forget to raise the snapshot length!

If measurement is impractical, you might want to choose 5% of your available bandwidth. Let 's set up our class :

# tc class add dev eth0 parent 10:1 classid 10:100 cbq bandwidth 10Mbit rate \
  100Kbit allot 1514 weight 800Kbit prio 5 maxburst 20 avpkt 250 \
  bounded

This limits at 100Kbit. Now we need a filter to assign ICMP traffic to this class :

# tc filter add dev eth0 parent 10:0 protocol ip prio 100 u32 match ip \
  protocol 1 0xFF flowid 10:100

RH9 server: how to prevent a simple DoS attack

Compiling is not much trouble. Use connlimit; that can solve it.

RH9 server: how to prevent a simple DoS attack

## SYN flood limit
## note: -f matches second and later IP fragments, not SYNs; a SYN rate limit would match -p tcp --syn instead
iptables -A INPUT -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT     ## limit the rate of packets coming in
iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT   ## limit forwarded packets to 100 per second

Done with iptables access control!!!
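The replies above mention three separate per-host measures: the SYN cookie sysctl, a per-source connection cap with connlimit, and a rate limit on SYNs with the limit match. The script below is an added example, not code from the thread, that generates those commands so they can be reviewed before being installed; the port, rate, burst and per-source cap are assumed values. It matches `-p tcp --syn` rather than `-f`, since `-f` only selects IP fragments. The connlimit match needs the kernel support discussed earlier in the thread on RH9; on current kernels it is built in.

```shell
#!/bin/sh
# Added example (not from the thread): the per-host mitigations the replies
# mention, generated as commands so they can be reviewed before being applied:
#   - SYN cookies (the same tcp_syncookies setting as the echo into /proc),
#   - a per-source cap on concurrent connections with the connlimit match,
#   - a rate limit on new SYNs with the limit match (matching -p tcp --syn,
#     not -f, which would only match packet fragments).
# Assumed values: service port 80, 25 SYNs/s with a burst of 50, at most
# 20 connections per source address. Printed by default; APPLY=1 as root
# installs them.

SVC_PORT=${SVC_PORT:-80}
SYN_RATE=${SYN_RATE:-25/s}
SYN_BURST=${SYN_BURST:-50}
PER_SOURCE=${PER_SOURCE:-20}

# Kernel side: answer SYNs with cookies once the backlog fills instead of
# keeping half-open entries around.
sysctl_cmds() {
    printf '%s\n' 'sysctl -w net.ipv4.tcp_syncookies=1'
}

# Reject a new connection when the source already holds more than PER_SOURCE
# connections to the port: this covers the case in the thread, where the
# attacker completes the handshake and then idles.
connlimit_rule() {
    printf '%s\n' "iptables -A INPUT -p tcp --dport $SVC_PORT --syn -m connlimit --connlimit-above $PER_SOURCE --connlimit-mask 32 -j DROP"
}

# Accept new SYNs to the port up to SYN_RATE (burst SYN_BURST) and drop the
# excess. Legitimate SYNs above the rate are dropped too, so size the rate
# from measured traffic rather than guessing.
syn_limit_rules() {
    printf '%s\n' \
      "iptables -A INPUT -p tcp --dport $SVC_PORT --syn -m limit --limit $SYN_RATE --limit-burst $SYN_BURST -j ACCEPT" \
      "iptables -A INPUT -p tcp --dport $SVC_PORT --syn -j DROP"
}

# Order matters: the connlimit rule goes first so an abusive source is dropped
# before it consumes the shared SYN budget of the limit rule.
all_cmds() {
    sysctl_cmds
    connlimit_rule
    syn_limit_rules
}

if [ "${APPLY:-0}" = "1" ]; then
    # Execute each generated line; values contain no quoting, so plain
    # word splitting is enough.
    all_cmds | while IFS= read -r cmd; do $cmd; done
else
    all_cmds
fi
```

The catch-all `DROP` after the limit rule is what makes the limit bite; without it excess SYNs fall through to whatever the rest of the INPUT chain does. Keep the connlimit cap above the number of connections a single legitimate client (or a NAT gateway fronting many users, as the ADSL remark in the thread implies) normally opens.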

RH9 server: how to prevent a simple DoS attack

As brother njdaboy_cn said, first get the kernel to support it!

RH9 server: how to prevent a simple DoS attack

Generally iptables and Netfilter are already supported when Linux is installed; there is no need to recompile the kernel, and the method brother njdaboy_cn gave can be used directly. In fact, so many firewalls are there to defend against DoS; the SYN cookie looks good, but in practice the results are not that great.



Copyright © 1999-2000 LSLNET.COM. All rights reserved. Blue Forest website owners. E-mail: Webmaster@lslnet.com