[CentOS-mirror] Chinese IPs - Mirror Stats

Fri Jan 22 14:37:09 UTC 2010
Juergen Gotteswinter <jg at internetx.de>

Hello,

How about giving iptables with hashlimit a try? I already used it with 
success to prevent botnet DDoS attacks against webservers. Something 
like

iptables -t filter -A INETIN -p tcp --syn -s 0/0 --dport 80 -m hashlimit \
    --hashlimit 25/s --hashlimit-burst 20 --hashlimit-mode srcip \
    --hashlimit-name HTTP -j ACCEPT

iptables -t filter -A INETIN -p tcp --syn -s 0/0 --dport 80 -m limit \
    --limit 1/s --limit-burst 5 -j LOG --log-level $LOG_LEVEL \
    --log-prefix "[HTTP_DROPPED_NEW] : "

iptables -t filter -A INETIN -p tcp --syn -s 0/0 --dport 80 -j DROP

iptables -t filter -A INETIN -p tcp -s 0/0 --dport 80 -m state --state NEW \
    -j ACCEPT

That should fix it... of course, set the hashlimit to parameters your 
mirror can take.

Greetings

Juergen


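As an added illustration (not part of Juergen's mail), a small Python model of the per-source token bucket behind the first rule, run over constructed traffic. It assumes hashlimit behaves as a token bucket with --hashlimit as the refill rate and --hashlimit-burst as the bucket size, and that only SYN packets are subject to the rules (as the --syn matches above), so segments of established connections pass untouched.

```python
# Model of the first rule above: one token bucket per source IP, which is how
# the iptables hashlimit match (--hashlimit 25/s --hashlimit-burst 20
# --hashlimit-mode srcip) is assumed to behave here. Timestamps are Fractions
# so refills stay exact.
from collections import defaultdict
from fractions import Fraction

RATE = 25    # --hashlimit 25/s: tokens refilled per second, per source IP
BURST = 20   # --hashlimit-burst 20: bucket size, i.e. SYNs allowed at once


class SrcIpHashLimit:
    """One token bucket per source address; every SYN costs one token."""

    def __init__(self, rate=RATE, burst=BURST):
        self.rate, self.burst = rate, burst
        self.buckets = {}  # srcip -> (tokens, timestamp of last refill)

    def allow(self, srcip, ts):
        tokens, last = self.buckets.get(srcip, (self.burst, ts))
        tokens = min(self.burst, tokens + (ts - last) * self.rate)
        ok = tokens >= 1
        self.buckets[srcip] = (tokens - 1 if ok else tokens, ts)
        return ok


def classify(packets, rate=RATE, burst=BURST):
    """packets: (ts, srcip, is_syn). Only SYNs are rate-limited, as with the
    --syn rules; non-SYN segments of existing connections are never dropped.
    Returns {srcip: (accepted_syns, dropped_syns, other_packets)}."""
    lim = SrcIpHashLimit(rate, burst)
    stats = defaultdict(lambda: [0, 0, 0])
    for ts, ip, is_syn in sorted(packets):
        if not is_syn:
            stats[ip][2] += 1
        elif lim.allow(ip, ts):
            stats[ip][0] += 1
        else:
            stats[ip][1] += 1
    return {ip: tuple(v) for ip, v in stats.items()}


def sample_traffic():
    """Constructed traffic (documentation-range addresses): one source opens
    100 connections within one second; a normal client opens 10 connections
    and then sends 5 data segments on one of them."""
    flood = [(Fraction(i, 100), "198.51.100.7", True) for i in range(100)]
    client = [(Fraction(i, 10), "203.0.113.5", True) for i in range(10)]
    client += [(1 + Fraction(i, 10), "203.0.113.5", False) for i in range(5)]
    return flood + client


if __name__ == "__main__":
    for ip, (acc, drop, other) in classify(sample_traffic()).items():
        print(f"{ip}: {acc} SYN accepted, {drop} SYN dropped, {other} non-SYN passed")
```

The flood source gets its 20-SYN burst plus roughly 25 more over the second (44 accepted, 56 dropped), while the normal client is never touched, which is the gentler behaviour Emil asked for compared with an outright address block.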

Emil wrote:
> 
> --On Friday, January 22, 2010 18.55.11 +0530 "Prof. P. Sriram" 
> <sriram at ae.iitm.ac.in> wrote:
> 
>> On Fri, 22 Jan 2010, Emil wrote:
>>> I'm curious though as to why you block them completely, instead of just
>>> having them put under some concurrency limit.
>> The addresses are already under the concurrency limit as described in
>> the original post. The netfilter kicks in when there is certain
>> volume (requests per minute) EXCEEDING the concurrency limit. A
>> human being exceeding the concurrency limit gets a HTTP 503 service
>> unavailable message and will hopefully try again only after some
>> time, when the concurrency limit is not being exceeded. Well, that
>> is the plan, anyway.
> 
> Still, the concurrency limit is within apache, right?  What I meant
> was to put an (additional) limit in netfilter instead of a "complete"
> block.
> 
> Should you only block new connections when the "ban" kicks in it
> won't be too bad, and the effect for the "visitor" should be very
> similar to a more gentle limit based approach.  If however you put
> a block based only on the ip address existing connections will fail
> to complete, which obviously will cause them to have a valid reason
> to start again as soon as the ban is lifted.
> 
> Anyway, thanks for the tip on fail2ban, I may put that to use in
> other places!
> 
> Regards,
>         Emil
> 
> _______________________________________________
> CentOS-mirror mailing list
> CentOS-mirror at centos.org
> http://lists.centos.org/mailman/listinfo/centos-mirror
>