On Tue, 15 May 2001, Bjoern Engels wrote:
I think Markus was thinking of iptables -m limit --limit x/s --limit-burst y --syn ... .
That's a way to limit SYNs (or --state NEW?) but I think it limits SYNs in general and not only by one host, so it would block regular connections, too, if that limit is exceeded. Or is there any possibility to make a rule that says "limit the SYNs from one host but accept them from others" ?
Iptables gives us more flexibility in defining filter rules, and the ability to base those rules on recent traffic, making them dynamic rather than static. This, however, opens us to another possible DoS, since it takes memory to store the state information, so by spoofing many IP addresses, the attacker can eat up your memory. Memory is finite, and even before it is exhausted, performance is degraded simply by lengthening the list of filters which must be tested.

--
Rick Green
"Every problem we face, was once seen as the solution to an earlier problem"
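The two approaches in this exchange, as an added example that is not part of the original thread: a Python model of the quoted `-m limit --limit x/s --limit-burst y` token bucket (one bucket shared by every host) beside a per-source table of buckets, the kind of stateful rule Rick describes (iptables later offered it as the hashlimit match). Rates, burst sizes, the 100.64.0.0/10 spoofed range and the traffic mix are constructed; the run shows the global limit starving the legitimate client during a flood, an unbounded per-source table accepting every spoofed SYN while growing by one entry per spoofed address, and a capped table bounding both.

```python
# Added example (not from the thread): token-bucket model of global vs per-source SYN limiting.
import ipaddress

class TokenBucket:
    """Semantics of -m limit: refill `rate` tokens per second, store at most `burst`."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last = rate, burst, float(burst), 0.0
    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

class Limiter:
    """per_source=False: every SYN shares one bucket (the quoted --limit rule).
    per_source=True: one bucket per source IP, the state Rick warns costs memory;
    the table is capped and, once full, SYNs from unknown sources are refused."""
    def __init__(self, rate, burst, per_source=False, max_entries=None):
        self.rate, self.burst, self.per_source = rate, burst, per_source
        self.max_entries, self.table = max_entries, {}
    def allow(self, src, now):
        key = src if self.per_source else "*"
        if key not in self.table:
            if self.max_entries is not None and len(self.table) >= self.max_entries:
                return False                       # fail closed rather than grow
            self.table[key] = TokenBucket(self.rate, self.burst)
        return self.table[key].allow(now)

LEGIT = "10.0.0.5"   # constructed legitimate client address

def constructed_traffic(seconds=10, flood_rate=32):
    """Constructed SYN stream: `flood_rate` spoofed SYNs/s, each from a fresh
    address in 100.64.0.0/10, plus one legitimate SYN at each half second."""
    events, base = [], int(ipaddress.IPv4Address("100.64.0.0"))
    for t in range(seconds):
        for i in range(flood_rate):
            events.append((t + i / flood_rate, str(ipaddress.IPv4Address(base + t * flood_rate + i))))
        events.append((t + 0.5, LEGIT))          # stable sort keeps it just after spoofed SYN i=16
    return sorted(events, key=lambda e: e[0])

def run(limiter, events):
    """Return (legitimate SYNs accepted, spoofed SYNs accepted, table entries used)."""
    accepted = [src for now, src in events if limiter.allow(src, now)]
    return accepted.count(LEGIT), len(accepted) - accepted.count(LEGIT), len(limiter.table)

if __name__ == "__main__":                       # prints (0, 47, 1), (10, 320, 321), (10, 63, 64)
    for lim in (Limiter(4, 8), Limiter(4, 8, True), Limiter(4, 8, True, 64)):
        print(run(lim, constructed_traffic()))
```

Capping the table bounds memory, but a legitimate host first seen while the table is full is refused, so in practice entries also need to expire when idle.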