Originally posted by instronics:
    Syn-Flood-Protections: iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

Limiting all syns will kill low-latency connections on any application that needs multiple connections at a time (like say, web surfing).

Originally posted by instronics:
    and protection against 'ping-of-death':
    iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

Which won't do jack against a "ping of death" since it's a raw packet flood style DoS. It doesn't care if it gets a response, it will still clog your incoming pipe.

Originally posted by instronics:
    Yes, of course there are many other types. I just gave 2 examples here, but there are also defense mechanisms for many various other types of DoS, which cannot all be controlled by the end target. I just wanted to point out that a firewall is NOT useless against DoS. It is still a very important tool in security.

Firewalls are useless against packet floods. Packet floods are one type of Denial of Service attack. Firewalls *CAN* mitigate the effects of SYN floods and similar attacks that rely on protocol or resource issues.
The biggest thing that can be done to stifle DDoS attacks is if all ISPs were required to implement egress filtering. In that case, it could be narrowed down to the ISP block and filtered off. Unfortunately nobody thought of this ten years ago when the Internet (in its current form anyway) began its rise to popularity, so it was never done, and getting everyone on board to do so now would be a rather monumental task.
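As an added illustration of the point that a single "limit all SYNs to 1/s" rule breaks ordinary web browsing (this is example code written for this page, not anything posted in the thread): the iptables `limit` match behaves like a token bucket that refills at the given rate and holds at most `--limit-burst` tokens (5 by default). The model below assumes exactly that behaviour, a FORWARD chain where the ACCEPT rule is followed by a DROP, and constructed traffic with integer-millisecond timestamps. It goes a step beyond the exchange by also running the same global bucket during a flood, where the attacker drains the shared bucket and a bystander's two connection attempts are dropped along with the flood.

```python
"""Token-bucket model of the iptables `-m limit` match (added example).

Assumptions, not taken from the thread: the match is a token bucket that
refills at `rate` tokens per second and holds at most `burst` tokens
(iptables' default --limit-burst is 5).  Times are integer milliseconds and
tokens are kept in thousandths so the arithmetic is exact.
"""
from collections import defaultdict

TOKEN = 1000  # one whole token, expressed in thousandths


class LimitMatch:
    """One shared bucket, as a single `-m limit` rule in the FORWARD chain has."""

    def __init__(self, rate_per_s: int, burst: int = 5):
        self.rate = rate_per_s           # tokens added per second
        self.capacity = burst * TOKEN    # bucket ceiling
        self.tokens = self.capacity      # bucket starts full
        self.last_ms = 0

    def matches(self, now_ms: int) -> bool:
        """True if a packet arriving at `now_ms` is within the limit (-> ACCEPT)."""
        # rate tokens per second is exactly `rate` thousandths per millisecond
        self.tokens = min(self.capacity,
                          self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.tokens >= TOKEN:
            self.tokens -= TOKEN
            return True
        return False


def run_syn_chain(syns, rate_per_s=1, burst=5):
    """Apply `--syn -m limit --limit <rate>/s -j ACCEPT` followed by a DROP to a
    list of (time_ms, source) SYN packets in arrival order.
    Returns {source: (accepted, dropped)}."""
    limit = LimitMatch(rate_per_s, burst)
    tally = defaultdict(lambda: [0, 0])
    for t, src in sorted(syns):
        tally[src][0 if limit.matches(t) else 1] += 1
    return {src: tuple(v) for src, v in tally.items()}


def browser_page_load():
    """Constructed traffic: one browser opening 8 parallel connections within
    350 ms to fetch a page (HTML, images, scripts), nobody else on the link."""
    syns = [(50 * i, "browser") for i in range(8)]
    return run_syn_chain(syns)["browser"]


def flood_with_bystander():
    """Constructed traffic: a 100 SYN/s flood lasting two seconds, plus a
    legitimate client that tries to connect twice during the flood."""
    syns = [(10 * i, "attacker") for i in range(200)]
    syns += [(1005, "client"), (1505, "client")]
    return run_syn_chain(syns)


if __name__ == "__main__":
    # Only the first five SYNs of the page load get through; the rest are dropped.
    print("page load (accepted, dropped):", browser_page_load())
    # The flood keeps the shared bucket empty, so the bystander never connects.
    print("flood:", flood_with_bystander())
```

With the default burst of 5, the page load gets 5 of its 8 connections and the remaining 3 SYNs are silently dropped, which the browser experiences as stalled or retried requests. During the flood the attacker still gets 6 packets accepted while the legitimate client gets none, which is why a global SYN rate limit in front of a server is a poor substitute for per-source limits or the kernel's own SYN-backlog protections.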