Re: [squid-users] iptables to limit connections

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Mon, 16 Jun 2003 13:07:11 +0200

On Monday 16 June 2003 10.45, Ralf Hildebrandt wrote:
> * Henrik Nordstrom <hno@squid-cache.org>:
> > > So I thought iptables --limit could do the trick.
> > > Before I reinvent the wheel, I'd like to ask if someone already
> > > has such a "connection rate limiter per IP" in place (and how
> > > it looks).
> >
> > iptables -m limit should handle such case nicely, but you will
> > need one rule per client IP address... Something like the
> > following should work I think:
> >
> > -N SYN
> > -A SYN -s ip.of.first.client -m limit --limit ... -j ACCEPT
> > -A SYN -s ip.of.second.client -m limit --limit ... -j ACCEPT
> > ....
> > -A SYN -m limit ... -j LOG --log-prefix "SYNRATE "
> > -A SYN -j DROP
> > -A INPUT -p tcp --syn -j SYN
>
> Yes, but this requires identifying the evil client.

Yes, which usually is not a problem if you are running a proxy as you
then have a limited source network, but is a problem if you are
running an accelerator.

If you are running an accelerator then you probably want to build an
approximation table of the Internet IP addresses by using a two level
filter structure. First a filter on 'class C' level (third octet of
the IP address) detecting networks with abnormally high traffic, and
then a more detailed filter on 'host level' (fourth octet of the IP
address) approximating which IP addresses within those networks are
flooding you. Such a design keeps the table size small (2 * 256) while
still giving a good filter ratio with not too many false negatives.
Note: The filter divisions do not need to be octet (256) based. You
can apply any masks you like to the IP addresses.

Regarding SYN flood protection: The correct place to implement SYN
flood protection is in the kernel by enabling SYN cookies etc. The
problem you described is technically a variant of connection flooding,
which is a somewhat broader issue. To address connection flooding you
need to combine application level filters (i.e. max_conn acl type)
and packet level filters. Packet level filters can trap abusers who
try to set up sessions more rapidly than the application can handle,
and application level filters trap abusers who try to set up more
sessions than the application can handle.

Regards
Henrik

-- 
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org
If you need commercial Squid support or cost effective Squid or
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, info@marasystems.com
Received on Mon Jun 16 2003 - 05:05:55 MDT
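An added example of the two-level approximation table Henrik describes, written for this archive page and not taken from his post or from Squid. It counts SYNs per source in a 'network' table keyed by one slice of the address (third octet by default) and, only for networks that are already hot, in a 'host' table keyed by another slice (fourth octet by default), so the table stays at 2 * 256 entries. The class name, thresholds, shift/mask parameters and the sample addresses are assumptions; the shift/mask parameters generalise the octet split to any mask, as the post allows.

```python
"""Two-level approximation table for spotting flooding sources.

Added example, not from the original post. SYNs (here: a constructed list
of source addresses) are counted in two small tables: one keyed by a
'network' slice of the address (default: the third octet, the 'class C'
level in the post) and one keyed by a 'host' slice (default: the fourth
octet). Host-level counting starts only for networks whose bucket is
already abnormally high, so the table never grows beyond 2 * 256 entries
no matter how many distinct clients the accelerator sees. The slices are
parameterised so any shift/mask can be used instead of whole octets.
"""
from collections import Counter
from ipaddress import IPv4Address


class TwoLevelSynFilter:
    def __init__(self, net_shift=8, net_mask=0xFF, host_shift=0, host_mask=0xFF,
                 net_threshold=50, host_threshold=20):
        # Assumed thresholds: SYNs per measurement window before a bucket is
        # considered abnormal. Tune them to the real traffic profile.
        self.net_shift, self.net_mask = net_shift, net_mask
        self.host_shift, self.host_mask = host_shift, host_mask
        self.net_threshold = net_threshold
        self.host_threshold = host_threshold
        self.net_counts = Counter()   # at most net_mask + 1 entries
        self.host_counts = Counter()  # at most host_mask + 1 entries

    def net_key(self, ip):
        return (int(IPv4Address(ip)) >> self.net_shift) & self.net_mask

    def host_key(self, ip):
        return (int(IPv4Address(ip)) >> self.host_shift) & self.host_mask

    def observe(self, ip):
        """Account for one SYN from ip."""
        nk = self.net_key(ip)
        self.net_counts[nk] += 1
        # Second level: only refine once the network bucket is hot.
        if self.net_counts[nk] > self.net_threshold:
            self.host_counts[self.host_key(ip)] += 1

    def is_suspect(self, ip):
        """True when both the network and the host bucket of ip are hot.

        The host table is shared by all hot networks, so two hosts with the
        same host slice in different hot networks can be confused; that
        collision is the price of the fixed 2 * 256 size.
        """
        return (self.net_counts[self.net_key(ip)] > self.net_threshold
                and self.host_counts[self.host_key(ip)] > self.host_threshold)

    def suspects(self, ips):
        """Distinct addresses among ips that the filter currently flags."""
        return sorted({ip for ip in ips if self.is_suspect(ip)})

    def reset(self):
        """Call at the end of each measurement window."""
        self.net_counts.clear()
        self.host_counts.clear()


def simulate():
    """Run the filter over constructed traffic; return the filter and events."""
    events = ["203.0.113.77"] * 100                        # one flooding host
    events += ["198.51.100.%d" % i for i in range(1, 31)]  # 30 quiet hosts elsewhere
    events += ["203.0.113.5"] * 3                          # quiet host in the hot network
    f = TwoLevelSynFilter()
    for ip in events:
        f.observe(ip)
    return f, events


if __name__ == "__main__":
    f, events = simulate()
    print("hot networks :", [k for k, v in f.net_counts.items() if v > f.net_threshold])
    print("suspect hosts:", f.suspects(events))
    print("table entries:", len(f.net_counts) + len(f.host_counts))
```

With the constructed traffic only 203.0.113.77 is flagged: its network bucket (third octet 113) passes the threshold, after which its host bucket (fourth octet 77) accumulates the remaining SYNs, while the quiet host 203.0.113.5 in the same network stays below the host threshold and the 198.51.100.0 hosts never make their network bucket hot. Passing e.g. `net_shift=12, net_mask=0xFFF` keys the first level on a 12-bit slice instead of an octet, which is the "any masks you like" variant from the post.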
