11

I want to DROP more than 200 requests per IP to prevent a DDoS attack. This is the command that I used to detect the request count per IP:

netstat -alpn | grep :80 | awk '{print $5}' |awk -F: '{print $(NF-1)}' |sort | uniq -c | sort -nr 

Now I want to add all IP addresses that made more than 200 requests into iptables to DROP input and output.

1
  • As @dawud mentioned, make sure you are aware that you can only "mitigate" and not really totally prevent a DDoS attack on your server. Commented Mar 21, 2014 at 0:13

2 Answers

12

You can also use iptables to limit the rate of incoming connections. For example, if you don't want more than 200 connections per minute from a source:

iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --set

iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 200 -j DROP

1
  • It would be great to have an explanation of this as well. Commented Aug 24, 2014 at 20:09
18

You can create an ipset. This way you can add as many IPs to the set as you need without modifying the iptables ruleset.

ipset -N myset iphash
ipset -A myset 1.1.1.1
ipset -A myset 2.2.2.2

Or, in your case, use the output of your script, and read it with something like:

while read a; do ipset -A myset "$a"; done < <(your script here) 

And then reference it in your iptables rules:

iptables -A INPUT -m set --set myset src -j DROP 

Read the manpage for more details and options.

There are also other ways to mitigate a DDOS attack using iptables directly. Read the iptables manpage section about the connlimit and recent modules.

1
  • This is brilliant because ipsets are much faster than alternatives such as hashtables. Commented Mar 23, 2014 at 2:19
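The pipeline this answer sketches (count sockets per remote IP from netstat output, feed the offenders into an ipset, match the set from iptables), written out as an added example that is not part of the original answer. SET_NAME, over_threshold, blocklist_commands and the netstat sample lines are constructed for this example; the script only prints the ipset/iptables commands so they can be reviewed before being piped into sh.

```shell
#!/bin/sh
# Added example, not from the original question or answers: parse netstat-style
# output, count sockets per remote IP on local port 80 and emit the ipset /
# iptables commands for sources above a threshold. SET_NAME, over_threshold,
# blocklist_commands and the sample lines below are constructed for this example.
SET_NAME="${SET_NAME:-myset}"

# Constructed sample of `netstat -alpn` output:
#   Proto Recv-Q Send-Q Local-Address Foreign-Address State PID/Program
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/nginx
tcp        0      0 10.0.0.5:80             198.51.100.7:50123      ESTABLISHED 1234/nginx
tcp        0      0 10.0.0.5:80             198.51.100.7:50124      ESTABLISHED 1234/nginx
tcp        0      0 10.0.0.5:80             198.51.100.7:50125      TIME_WAIT   -
tcp        0      0 10.0.0.5:80             203.0.113.9:40001       ESTABLISHED 1234/nginx
tcp        0      0 10.0.0.5:22             198.51.100.7:50200      ESTABLISHED 999/sshd
tcp6       0      0 ::ffff:10.0.0.5:80      ::ffff:198.51.100.7:50130 ESTABLISHED 1234/nginx
tcp        0      0 10.0.0.5:45000          192.0.2.80:8080         ESTABLISHED 555/curl'

# Print "count ip" for each remote IP with more than $1 sockets to local port 80.
# Unlike `grep :80`, this matches the local port exactly (the :8080 and sshd
# lines are ignored) and skips the LISTEN socket, whose foreign address is *.
# Like the original one-liner it counts every socket state, including TIME_WAIT.
over_threshold() {
    awk -v limit="$1" '
        $1 ~ /^tcp/ && $4 ~ /:80$/ && $5 !~ /\*$/ {
            ip = $5; sub(/:[0-9]+$/, "", ip)   # strip the remote port
            sub(/^::ffff:/, "", ip)            # unmap IPv4-mapped IPv6 (tcp6 lines)
            n[ip]++
        }
        END { for (ip in n) if (n[ip] > limit) print n[ip], ip }
    ' | sort -nr
}

# Turn "count ip" lines into the commands from the answer, using the current
# ipset/iptables spellings (create/add instead of -N/-A, --match-set instead of
# --set). Commands are printed, not executed: review them, then pipe into sh.
blocklist_commands() {
    printf 'ipset create %s hash:ip -exist\n' "$SET_NAME"
    while read -r _count ip; do
        printf 'ipset add %s %s -exist\n' "$SET_NAME" "$ip"
    done
    # -C checks for an existing rule first so repeated runs do not duplicate it.
    printf 'iptables -C INPUT -m set --match-set %s src -j DROP 2>/dev/null || iptables -A INPUT -m set --match-set %s src -j DROP\n' "$SET_NAME" "$SET_NAME"
}

# Demonstration over the constructed sample with a low threshold; on a real host:
#   netstat -alpn | over_threshold 200 | blocklist_commands
printf '%s\n' "$SAMPLE_NETSTAT" | over_threshold 2 | blocklist_commands
```

Because `ipset add` is used with `-exist`, the same script can be re-run from cron to keep the set current without errors for IPs already present.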
