5

I want to DROP more than 200 requests per ip to prevent ddos attack. this is command that i used to detect requests count per ip :

netstat -alpn | grep :80 | awk '{print $5}' |awk -F: '{print $(NF-1)}' |sort | uniq -c | sort -nr

now i want add all ip addresses that made more than 200 requests into IPtables to DROP input and out put.

Morteza Soltanabadiyan
  • 437
  • You realize that the point of a ddos is that the requests come from so many different addresses that you can't block them, rather than loads from a few addresses, and that any but the most simple attacks will still send the incoming traffic to saturate your downlink, whether you reply or not? – psusi Mar 21 '14 at 02:12
  • I think your command lists open parallel connections to port 80 per IP address. That's not the same as request count per IP (over some time), but admittedly still a useful metric once your server has started to slow down and requests keep queuing up. – tanius Feb 23 '17 at 18:06

1 Answers1

10

Well you can not prevent ddos, and 200 requests is rather trivial.

Best you can do , IMO, is to set limits

sudo iptables -A INPUT -m limit --limit 50/minute --limit-burst 200 -j ACCEPT
sudo iptables -A INPUT -j REJECT

For port 80, use

sudo iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT
sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -m limit --limit 50/second --limit-burst 50 -j ACCEPT
sudo iptables -A INPUT -j REJECT

You should be able to adjust those limits to your server.

See: http://blog.bodhizazen.com/linux/prevent-dos-with-iptables/

Panther
  • 102,067
  • Are we supposed to use both set of commands? Sorry if it's a basic question, I'm completely new and have no idea what I'm doing. – ThisIsNotAnId Feb 17 '19 at 05:15