[CentOS-mirror] Chinese IPs - Mirror Stats
Juergen Gotteswinter
jg at internetx.de
Fri Jan 22 14:37:09 UTC 2010
Hello,
How about giving iptables with hashlimit a try? I have already used it with
success to fend off botnet DDoS attacks against webservers. Something
like:
# INETIN is a custom chain assumed to exist and to be reached from INPUT;
# LOG_LEVEL is assumed to be set by the surrounding firewall script (e.g. info).
# Accept new HTTP connections while a source IP stays under 25 SYN/s (burst 20);
# one hashlimit bucket per source address. Newer iptables spell it --hashlimit-upto.
iptables -t filter -A INETIN -p tcp --syn --dport 80 -m hashlimit \
    --hashlimit 25/s --hashlimit-burst 20 --hashlimit-mode srcip \
    --hashlimit-name HTTP -j ACCEPT
# SYNs above the limit: log a sample (the LOG rule is itself rate-limited) ...
iptables -t filter -A INETIN -p tcp --syn --dport 80 -m limit \
    --limit 1/s --limit-burst 5 -j LOG --log-level $LOG_LEVEL \
    --log-prefix "[HTTP_DROPPED_NEW] : "
# ... then drop them. Only SYNs are dropped, so established flows still finish.
iptables -t filter -A INETIN -p tcp --syn --dport 80 -j DROP
# Non-SYN packets that conntrack still classifies as NEW are accepted.
iptables -t filter -A INETIN -p tcp --dport 80 -m state --state NEW -j ACCEPT
should fix it... Of course, set the hashlimit to parameters your
mirror can take.
Greetings
Juergen
Emil wrote:
>
> --On Friday, January 22, 2010 18.55.11 +0530 "Prof. P. Sriram"
> <sriram at ae.iitm.ac.in> wrote:
>
>> On Fri, 22 Jan 2010, Emil wrote:
>>> I'm curious though as to why you block them completely, instead of just
>>> putting them under some concurrency limit.
>> The addresses are already under the concurrency limit as described in
>> the original post. The netfilter kicks in when there is certain
>> volume (requests per minute) EXCEEDING the concurrency limit. A
>> human being exceeding the concurrency limit gets a HTTP 503 service
>> unavailable message and will hopefully try again only after some
>> time, when the concurrency limit is not being exceeded. Well, that
>> is plan, anyway.
>
> Still, the concurrency limit is within Apache, right? What I meant
> was to put an (additional) limit in netfilter instead of a "complete"
> block.
>
> Should you only block new connections when the "ban" kicks in it
> won't be too bad, and the effect for the "visitor" should be very
> similar to a more gentle limit-based approach. If however you put
> a block based only on the IP address, existing connections will fail
> to complete, which obviously will give them a valid reason
> to start again as soon as the ban is lifted.
>
> Anyway, thanks for the tip on fail2ban, I may put that to use in
> other places!
>
> Regards,
> Emil
>
> _______________________________________________
> CentOS-mirror mailing list
> CentOS-mirror at centos.org
> http://lists.centos.org/mailman/listinfo/centos-mirror
>
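The rule set above only tells you that the limit exists; to tune the hashlimit parameters to "what your mirror can take" you need to see who is actually hitting the DROP rule. The script below is an added example, not code from the original message or from the CentOS mirror project. It parses the syslog lines produced by the LOG target with the `--log-prefix "[HTTP_DROPPED_NEW] : "` from the rules above (the standard netfilter `SRC=... DST=... PROTO=TCP SPT=... DPT=... SYN` field format), aggregates dropped SYNs per source address and per second, and checks that every logged packet really was a bare SYN, i.e. that the rule set is not killing established connections, which is the failure mode Emil describes in the quoted reply. The sample log lines are constructed (RFC 5737 documentation addresses), not captured from a real mirror. Because the LOG rule sits behind `-m limit --limit 1/s --limit-burst 5`, the counts it yields are a lower bound on what was actually dropped.

```python
"""Aggregate the netfilter LOG lines produced by a rate-limited SYN drop rule.

Added example (not from the original message). Assumes the --log-prefix
"[HTTP_DROPPED_NEW] : " used by the rule set in the message and the usual
syslog + netfilter LOG target line format; the sample lines are constructed.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

LOG_PREFIX = "[HTTP_DROPPED_NEW] : "

# Constructed sample syslog lines. 203.0.113.10 trips the limit hard, .77 barely,
# .99 shows a non-SYN packet being logged (which the --syn rules should never do);
# the last two lines come from other rules/daemons and must be ignored.
SAMPLE_LOG = """\
Jan 22 14:37:09 mirror kernel: [HTTP_DROPPED_NEW] : IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1001 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 22 14:37:09 mirror kernel: [HTTP_DROPPED_NEW] : IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1002 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 22 14:37:09 mirror kernel: [HTTP_DROPPED_NEW] : IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1003 DF PROTO=TCP SPT=40003 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 22 14:37:09 mirror kernel: [HTTP_DROPPED_NEW] : IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1004 DF PROTO=TCP SPT=40004 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 22 14:37:10 mirror kernel: [HTTP_DROPPED_NEW] : IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1005 DF PROTO=TCP SPT=40005 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 22 14:37:10 mirror kernel: [HTTP_DROPPED_NEW] : IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1006 DF PROTO=TCP SPT=40006 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 22 14:37:10 mirror kernel: [HTTP_DROPPED_NEW] : IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.77 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=7 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 22 14:37:10 mirror kernel: [HTTP_DROPPED_NEW] : IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.99 DST=198.51.100.5 LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=4242 DF PROTO=TCP SPT=60000 DPT=80 WINDOW=512 RES=0x00 ACK PSH URGP=0
Jan 22 14:37:11 mirror kernel: [SSH_DROPPED] : IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.9 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=9 DF PROTO=TCP SPT=33000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 22 14:37:11 mirror sshd[1234]: Accepted publickey for admin from 192.0.2.9 port 33001 ssh2
"""

_KV = re.compile(r"(\w+)=(\S*)")  # key=value fields; the value may be empty (OUT=)


def parse_log_line(line: str, prefix: str = LOG_PREFIX) -> Optional[dict]:
    """Return the netfilter fields of one syslog line, or None when the line
    was not emitted by the LOG rule carrying `prefix`. The prefix is searched
    anywhere in the line, so a printk timestamp before it does no harm."""
    head, sep, tail = line.partition(prefix)
    if not sep:
        return None
    head_tokens = head.split()
    if len(head_tokens) < 3:
        return None
    fields = dict(_KV.findall(tail))
    # Bare tokens without '=' are flags: DF and the TCP flags SYN/ACK/FIN/RST/PSH/URG.
    flags = {tok for tok in tail.split() if "=" not in tok}
    return {
        "stamp": " ".join(head_tokens[:3]),  # syslog time without year: "Jan 22 14:37:09"
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "spt": int(fields["SPT"]) if fields.get("SPT", "").isdigit() else None,
        "dpt": int(fields["DPT"]) if fields.get("DPT", "").isdigit() else None,
        "flags": flags,
    }


def summarize(lines: Iterable[str], prefix: str = LOG_PREFIX) -> Dict[str, dict]:
    """Per source IP: logged drops, busiest second, first/last timestamp and
    whether every logged packet was a bare SYN. The LOG rule is rate-limited
    (1/s, burst 5), so 'logged' is a lower bound on what DROP discarded."""
    per_src: Dict[str, dict] = {}
    for line in lines:
        rec = parse_log_line(line, prefix)
        if rec is None or not rec["src"]:
            continue
        entry = per_src.setdefault(rec["src"], {
            "logged": 0, "per_second": Counter(), "first": rec["stamp"],
            "last": rec["stamp"], "syn_only": True,
        })
        entry["logged"] += 1
        entry["per_second"][rec["stamp"]] += 1
        entry["last"] = rec["stamp"]
        # --syn matches SYN set with ACK/RST/FIN clear. Anything else logged here
        # means the rule set is dropping packets of established connections.
        if "SYN" not in rec["flags"] or rec["flags"] & {"ACK", "RST", "FIN"}:
            entry["syn_only"] = False
    for entry in per_src.values():
        entry["peak_per_second"] = max(entry["per_second"].values())
    return per_src


def top_sources(summary: Dict[str, dict], limit: int = 10) -> List[Tuple[str, int]]:
    """Sources ranked by logged drops, most first; ties broken by address."""
    ranked = sorted(((src, e["logged"]) for src, e in summary.items()),
                    key=lambda item: (-item[1], item[0]))
    return ranked[:limit]


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for src, logged in top_sources(report):
        e = report[src]
        print(f"{src:16} logged={logged:3} peak/s={e['peak_per_second']:2} "
              f"{e['first']} .. {e['last']} syn_only={e['syn_only']}")
```

Run it against the real log with `summarize(open("/var/log/messages"))` (or `journalctl -k` output) instead of `SAMPLE_LOG`. A peak per second well above the configured rate tells you the limit is doing its job; a `syn_only=False` entry means a `--syn` has gone missing from one of the rules and the firewall is now breaking live downloads rather than just refusing new ones.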