On 27.10.2011 10:25, Ed W wrote:
On 26/10/2011 10:01, Robert Schetterer wrote:
The biggest problem I see is that not everybody can use fail2ban on his servers to keep out dummy auth users over NAT (I have such a case).
Anyway, firewalls should slow down DDoS attacks, which might cause other problems then *g, but for sure not from one IP ...
Just a few thoughts... for sure, the best way would be getting it fixed.
If you google (I think it was on Slashdot), I saw a couple of posts with a simple iptables rule with some rate limits attached to it. Clearly you could also read the iptables instructions and figure it out for yourself, but just highlighting that even the footwork has been done if you want copy/paste.
I just read it, but it's my understanding that this isn't solving the real problem; also these rules can't be used everywhere for technical layout reasons. However, you're right, this might help where using it is possible.
I think it's generally not such a bad idea to, say, limit TCP connections per second from a source IP. There are plenty of big services that might not be able to implement this as a blanket, but for many shops it could probably just be added as a default for the server...
We have a big firewall in front of all servers; it does rate con, but in heavy attacks this can take off the whole farm, because every firewall has its limits too. Also the problem may involve core routers etc. Every big attack has to be analysed and reacted to; there is always reason to do something better, but there will never be a safe world in the WWW *g
Cheers
Ed W
-- Best Regards
Kind regards, Robert Schetterer
Germany/Munich/Bavaria
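The per-source-IP rate limit Ed refers to, written out as an added example rather than code from the thread or the posts it mentions; the port (143), the rates, the chain name and the choice of the hashlimit match are assumptions, and the NAT caveat Robert raises is handled by keeping the burst generous:

```shell
#!/bin/sh
# Added example (not from the thread): rate-limit NEW TCP connections per
# source IP with the iptables hashlimit match. PORT, RATE, BURST and the
# chain name are assumptions; adjust them to the service you protect.
# Caveat from the thread: clients behind one NAT gateway share a source
# IP, so a tight limit can lock out a whole office. Keep the burst generous.

PORT="${PORT:-143}"       # assumed: IMAP
RATE="${RATE:-10/min}"    # sustained NEW connections allowed per source IP
BURST="${BURST:-30}"      # extra connections tolerated before the limit bites
IPT="${IPT:-iptables}"

# Accept only the rate syntax hashlimit understands: N/sec, N/min, N/hour, N/day.
valid_rate() {
    n=${1%/*}; unit=${1#*/}
    case "$n" in ''|*[!0-9]*) return 1 ;; esac
    case "$unit" in sec|min|hour|day) return 0 ;; *) return 1 ;; esac
}

# Print the rule set instead of applying it, so it can be reviewed first.
# Only NEW connections are counted (conntrack), so established sessions
# are never throttled; swap DROP for LOG to observe before enforcing.
rate_limit_rules() {
    port=$1; rate=$2; burst=$3
    valid_rate "$rate" || { echo "bad rate: $rate" >&2; return 1; }
    cat <<EOF
$IPT -N AUTH_LIMIT
$IPT -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j AUTH_LIMIT
$IPT -A AUTH_LIMIT -m hashlimit --hashlimit-name auth_$port --hashlimit-mode srcip --hashlimit-above $rate --hashlimit-burst $burst -j DROP
$IPT -A AUTH_LIMIT -j RETURN
EOF
}

if [ "${APPLY:-0}" = 1 ]; then
    rate_limit_rules "$PORT" "$RATE" "$BURST" | sh   # applies the rules (needs root)
else
    rate_limit_rules "$PORT" "$RATE" "$BURST"        # dry run: print only
fi
```

Run without APPLY=1 to review the generated rules; hashlimit keeps one bucket per source address, so a single flooding IP is throttled while everyone else is untouched.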