On Fri, Oct 29, 2010 at 09:12, Ciaran Johnston <cj at nologic.org> wrote:
> Hi folks,
> has anyone any iptables magic which will protect a server from a SYN flood
> on port 80 (apparrently random source IPs) while allowing real traffic
I posted a similar query a year ago and got a helpful reply on the
SAGE list pointing
me at a script that dynamically adds rules to iptables - see below. I made a few
tweaks at the time, but it was a quick fix for the issues I saw, YMMV.
>From Andrew McGill <list2009 at lunch.za.net>
On Tuesday 29 September 2009 14:30:56 Kieran Tully wrote:
> I occasionally help admin a popular Irish web forum who are
> increasingly coming under DDOS attack. I don't have much time to look at
> this but it appears to be a SYN flood to the http port. It's a
> dedicated web-server running apache 2 and Linux kernel 2.6.
>> 1) Are there some quick configuration changes on the webserver that
> will reduce the impact of the attack?
At http://deflate.medialayer.com/ there is a script called DDoS-Deflate
It adds iptables rules to blackhole machines that make more connections than
the threshold. It's a little bit rough around the edges, but if it manages to
understand the output of netstat on your system, it does work quite well. It
costs relatively little to block a host.
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!