Nytro

Limit the number of incoming tcp connection


Posted

Linux Iptables Limit the number of incoming tcp connection / syn-flood attacks

by LinuxTitli on June 26, 2005

A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system. This is a well known type of attack and is generally not effective against modern networks. It works if a server allocates resources after receiving a SYN, but before it has received the ACK.

If half-open connections bind resources on the server, it may be possible to take up all these resources by flooding the server with SYN messages. A SYN flood is a common attack and it can be blocked with the following iptables rules:

iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j RETURN

All incoming connections are allowed until the limit is reached:

--limit 1/s: Maximum average matching rate in seconds

--limit-burst 3: Maximum initial number of packets to match

Open your iptables script and add the rules as follows:

# Limit the number of incoming tcp connections
# Interface 0 incoming syn-flood protection
iptables -N syn_flood
iptables -A INPUT -p tcp --syn -j syn_flood
iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A syn_flood -j DROP
#Limiting the incoming icmp ping request:
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT

iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP:
iptables -A INPUT -p icmp -j DROP

iptables -A OUTPUT -p icmp -j ACCEPT

The first rule will accept ping connections at 1 per second, with an initial burst of 1. If this level is crossed, the second rule will log the packet with PING-DROP in the /var/log/message file. The third rule will drop the packet if it tries to cross this limit. The fourth and final rule will allow the established ping requests of existing connections to continue.

Where,

--limit rate: Maximum average matching rate: specified as a number, with an optional '/second', '/minute', '/hour', or '/day' suffix; the default is 3/hour.

--limit-burst number: Maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5.

You need to adjust the --limit-rate and --limit-burst according to your network traffic and requirements.

Let us assume that you need to limit incoming connections to the ssh server (port 22) to no more than 10 connections in 10 minutes:

iptables -I INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -m recent --set -j ACCEPT
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 11 -j DROP
iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT

Source: Linux Iptables Limit the number of incoming tcp connection / syn-flood attacks
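Added example, not code from the article or from either poster: a Python model of the iptables limit match as a token bucket, using the post's --limit 1/s --limit-burst 3, run over constructed traffic from one flooder and one legitimate client. With the single shared bucket the post's rule creates, the legitimate client loses most of its SYNs once the flood starts; a per-source bucket is simulated alongside for contrast (the addresses and traffic pattern are constructed, not from the page).

```python
from collections import defaultdict

# Constructed model of the iptables "limit" match as a token bucket. Credits are
# kept as integers (thousandths of a packet) so the simulation is deterministic.
SCALE = 1000

class LimitMatch:
    def __init__(self, rate_per_sec, burst):
        self.rate = rate_per_sec          # --limit N/s (integer N here)
        self.capacity = burst * SCALE     # --limit-burst
        self.credits = self.capacity      # the bucket starts full
        self.last_ms = 0

    def matches(self, now_ms):
        """True if the packet matches (-j RETURN / -j ACCEPT), False if it falls
        through to the DROP rule. Credits recharge with elapsed time, capped at
        the burst, as the "recharged ... up to this number" text describes."""
        self.credits = min(self.capacity,
                           self.credits + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.credits >= SCALE:
            self.credits -= SCALE
            return True
        return False

def simulate(packets, rate_per_sec=1, burst=3, per_source=False):
    """packets: iterable of (time_ms, source_ip) SYN arrivals.
    Returns {source_ip: (matched, dropped)}. per_source=False is the post's
    rule: one bucket shared by every sender. per_source=True keys one bucket
    per sender, the behaviour a per-address limiter would give instead."""
    shared = LimitMatch(rate_per_sec, burst)
    buckets = defaultdict(lambda: LimitMatch(rate_per_sec, burst))
    stats = defaultdict(lambda: [0, 0])
    for t_ms, src in sorted(packets):
        bucket = buckets[src] if per_source else shared
        stats[src][0 if bucket.matches(t_ms) else 1] += 1
    return {src: tuple(v) for src, v in stats.items()}

# Constructed traffic: one flooder at 100 SYN/s for 10 s and one legitimate
# client opening a connection every 2 s (documentation-range addresses).
FLOODER, CLIENT = "198.51.100.7", "203.0.113.5"
FLOOD = [(10 * i, FLOODER) for i in range(1000)]
LEGIT = [(5 + 2000 * k, CLIENT) for k in range(5)]

if __name__ == "__main__":
    print("shared bucket:", simulate(FLOOD + LEGIT))
    print("per-source:   ", simulate(FLOOD + LEGIT, per_source=True))
```

With the shared bucket the client gets 1 of its 5 SYNs through; per source it gets all 5 while the flooder is still held to roughly one SYN per second.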

Posted

Unfortunately, both connlimit and syn limit are grim attempts to turn iptables into a stateful firewall. Moreover, the attempt to do STATEFUL FILTERING on SYN packets largely contradicts the concept of tcp/ip.

The bit "A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system. This is a well known type of attack and is generally not effective against modern networks. It works if a server allocates resources after receiving a SYN, but before it has received the ACK." does not really apply these days, and there is a logic to it:

- Example: you limit SYN to 1/s with a limit burst of 3, and in that case it is "self denial of service", because any nobody with a 5-line perl script can generate tens of thousands of requests per second towards you; in practice iptables will no longer accept connections, and so neither will legitimate clients.

Posted

I forgot, the last example is the best part:

"iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 11 -j DROP"

- So if I make 50 tcp requests per minute to the SSH service, the admin will no longer be able to connect to manage his server; these rules are not per unique SOURCE.

- "-s 0/0" serves no purpose; it was used back in the ipchains days. By default, if no source is specified, it means "any source" (e.g. 0.0.0.0/8)
