iptables anti-DDOS attack and CC attack settings

Defense against DDOS attack scripts

# Prevent SYN attacks (lightweight prevention)
iptables -N syn-flood
iptables -A INPUT -p tcp --syn -j syn-flood
iptables -I syn-flood -p tcp -m limit --limit 3/s --limit-burst 6 -j RETURN
iptables -A syn-flood -j REJECT

# Prevent DoS through too many connections: allow each source IP at most 15 initial connections on the external network card and drop the excess
iptables -A INPUT -i eth0 -p tcp --syn -m connlimit --connlimit-above 15 -j DROP
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

# Use iptables to defend against DDOS (parameters have the same meaning as above)
iptables -A INPUT -p tcp --syn -m limit --limit 12/s --limit-burst 24 -j ACCEPT
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

##########################################################

Prevent CC attack

When an Apache site is under a heavy CC attack, iptables can be used to protect the web server from the CC traffic and to block the offending IPs automatically.

1. System Requirements

(1) Linux kernel version: 2.6.9-42ELsmp or 2.6.9-55ELsmp (other kernel versions require recompiling the kernel, which is more troublesome but doable).

(2) iptables version: 1.3.7

2. Installation

Install iptables 1.3.7 and the kernel-smp-modules-connlimit kernel module matching the system's kernel version.

3. Configure the corresponding iptables rules

An example is as follows:

(1) Control the maximum number of concurrent connections for a single IP

iptables -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 50 -j REJECT
# Reject a single IP once it exceeds 50 concurrent connections to port 80 (the rule uses 50; the original comment said 30)
# The default iptables build does not include the connlimit module; you need to compile and load it yourself. See
# http://sookk8.blog.51cto.com/455855/280372 (loading the connlimit module without recompiling the kernel)


(2) Control the number of newly established connections allowed by a single IP within a certain period of time (such as 60 seconds)

iptables -A INPUT -p tcp --dport 80 -m recent --name BAD_HTTP_ACCESS --update --seconds 60 --hitcount 30 -j REJECT
iptables -A INPUT -p tcp --dport 80 -m recent --name BAD_HTTP_ACCESS --set -j ACCEPT
# A single IP is allowed at most 30 new connections within 60 seconds
# Note: as written these rules count every packet to port 80, not only new connections; add --syn (or -m state --state NEW) so that only connection attempts are counted

 

4. Verification

(1) Tool: flood_connect.c (used to simulate attacks)

(2) View the effect:

Use
watch 'netstat -an | grep :21 | grep <IP of the simulated attacking client> | wc -l'

to view in real time the number of connections established by the simulated attacking client, and use
watch 'iptables -L -n -v | \grep <IP of the simulated attacking client>'

to view the number of packets from the simulated attacking client that were DROPped.

5. Notes

To strengthen iptables' ability to block CC attacks, it is best to adjust the ipt_recent parameters as follows:

# cat /etc/modprobe.conf
options ipt_recent ip_list_tot=1000 ip_pkt_list_tot=60
# Track 1000 IP addresses and record 60 packets for each address
# modprobe ipt_recent
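To make the sliding-window behaviour of the two -m recent rules in section 3(2) concrete, and to show why the ip_pkt_list_tot=60 setting above matters, here is an added Python model of that rule pair; it is not code from the original post. It assumes the rules see only new connection attempts (SYNs), uses constructed traffic with documentation-range addresses, and mirrors xt_recent's refusal to load a --hitcount larger than ip_pkt_list_tot (whose module default is 20).

```python
"""Model of the two-rule -m recent limiter (constructed example, not the post's code).
Rule 1: --name BAD_HTTP_ACCESS --update --seconds 60 --hitcount 30 -j REJECT
Rule 2: --name BAD_HTTP_ACCESS --set -j ACCEPT
Per-address timestamps live in a ring bounded by ip_pkt_list_tot, as in xt_recent."""
from collections import defaultdict, deque


def check_config(hitcount, ip_pkt_list_tot):
    # xt_recent refuses to load a rule whose --hitcount exceeds ip_pkt_list_tot,
    # which is why the post raises ip_pkt_list_tot from its default of 20 to 60.
    if hitcount > ip_pkt_list_tot:
        raise ValueError(f"hitcount {hitcount} > ip_pkt_list_tot {ip_pkt_list_tot}")


def simulate(syns, seconds=60, hitcount=30, ip_pkt_list_tot=60):
    """syns: time-ordered (t_seconds, src_ip) connection attempts.
    Returns [(t, ip, 'ACCEPT' | 'REJECT'), ...]."""
    check_config(hitcount, ip_pkt_list_tot)
    stamps = defaultdict(lambda: deque(maxlen=ip_pkt_list_tot))  # the BAD_HTTP_ACCESS list
    verdicts = []
    for t, ip in syns:
        ring = stamps[ip]
        # Rule 1 (--update): matches when the address already has >= hitcount
        # stamps newer than t - seconds. A match also records this packet, so a
        # source that keeps hammering stays blocked beyond the 60 s window.
        hits = sum(1 for s in ring if s > t - seconds)
        if hits >= hitcount:
            ring.append(t)
            verdicts.append((t, ip, "REJECT"))
            continue
        # Rule 2 (--set): record the attempt and accept the connection.
        ring.append(t)
        verdicts.append((t, ip, "ACCEPT"))
    return verdicts


def count(verdicts, ip, verdict):
    return sum(1 for _, i, v in verdicts if i == ip and v == verdict)


if __name__ == "__main__":
    # Constructed traffic: a flooder opens one connection per second for 40 s and
    # retries once at t=95; a normal client opens five connections in that time.
    flooder, client = "203.0.113.9", "198.51.100.7"
    traffic = sorted([(t, flooder) for t in range(40)] + [(95, flooder)]
                     + [(t, client) for t in (2, 20, 41, 70, 99)])
    res = simulate(traffic)
    # flooder: 30 accepted, 10 rejected, then accepted again at t=95 (stamps expired)
    print(count(res, flooder, "ACCEPT"), count(res, flooder, "REJECT"))  # 31 10
    print(count(res, client, "REJECT"))  # 0
```

Feeding a source that never pauses shows the --update effect: once it crosses 30 hits it stays rejected for as long as it keeps connecting, whereas the 40-second burst above is accepted again at t=95 because fewer than 30 of its stamps remain inside the 60-second window.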

 

This article is from the “linux进阶屋” blog; reproduction is not permitted!

from:http://sookk8.blog.51cto.com/455855/321242/

 
