
I was thinking of adding the following rules to my iptables:

# a source that already has 10 NEW connections recorded within the last 5 seconds is dropped (and its entry refreshed)
-A INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 5 --hitcount 10 -j DROP
# otherwise record the source address and accept the connection
-A INPUT -p tcp --dport 80 -m state --state NEW -m recent --set -j ACCEPT

to avoid accidental Ajax-based abuse (too many requests) of my web API.

Is this sort of stateful filtering considered resource-intensive or otherwise wasteful due to the commonness of port 80 requests (vs something like rate-limiting port 22 which would result in a lot less state)? I realize that doing this in a dedicated firewall would be ideal, but I'm trying to see what I can accomplish in my server.

orokusaki

1 Answer


I don't know about the performance of using the state module vs filtering on SYN packets (which would effectively do the same trick).

Perhaps you can test this: try adding your rule, and then use Apache Bench or similar to generate as many requests as you can while monitoring CPU and memory use of your server. Then try adding the following rules:

# separate chain for connection-opening packets only (SYN set, RST and ACK clear)
-N tcpsyn
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j tcpsyn

# one bucket for all port-80 SYNs: 5/second with a burst of 20 return to INPUT, the rest are dropped
-A tcpsyn -p tcp --dport 80 -m limit --limit 5/second --limit-burst 20 -j RETURN
-A tcpsyn -p tcp --dport 80 -j DROP

... and benchmarking that.

PP.

I'd be interested in the results. Because the `state` module may be just as efficient as the `tcp` module at identifying the SYN packets. – PP. May 24 '13 at 08:48
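An added illustration, not code from the question or the answer: a small Python model of what the two rule sets match, run over constructed SYN arrival times (assumed, not captured). It shows a difference a CPU benchmark alone would not: the recent rules count per source address, while the limit rules share one global bucket, so a flood from one client also costs a well-behaved client some of its SYNs.

```python
from collections import defaultdict

# Constructed SYN arrival times in milliseconds (not captured traffic):
# 10.0.0.1 sends 50 SYNs in one second, 10.0.0.2 sends one every 500 ms.
FLOOD = [(i * 20, "10.0.0.1") for i in range(50)]
NORMAL = [(250 + j * 500, "10.0.0.2") for j in range(4)]
EVENTS = sorted(FLOOD + NORMAL)


def recent_filter(events, seconds=5, hitcount=10):
    """The question's rules: '-m recent --update --seconds 5 --hitcount 10
    -j DROP', then '-m recent --set -j ACCEPT'. xt_recent counts the stamps
    already recorded for this source inside the window; both a matching
    --update and a --set then record a new stamp. Returns
    {src: (accepted, dropped)}."""
    stamps = defaultdict(list)
    tally = defaultdict(lambda: [0, 0])
    for t, src in events:
        window = [s for s in stamps[src] if t - s <= seconds * 1000]
        blocked = len(window) >= hitcount      # first rule matches: DROP
        tally[src][1 if blocked else 0] += 1
        stamps[src] = window + [t]             # --update / --set both stamp
    return {src: tuple(v) for src, v in tally.items()}


def limit_filter(events, per_second=5, burst=20):
    """The answer's rules: '-m limit --limit 5/second --limit-burst 20
    -j RETURN', then '-j DROP'. xt_limit is one token bucket shared by every
    source reaching the rule. Credit is kept in thousandths of a token so the
    integer arithmetic is exact. Returns {src: (accepted, dropped)}."""
    cap = burst * 1000
    credit, last = cap, None
    tally = defaultdict(lambda: [0, 0])
    for t, src in events:
        if last is not None:                   # refill: per_second/1000 tokens per ms
            credit = min(cap, credit + (t - last) * per_second)
        last = t
        if credit >= 1000:                     # a whole token is available: RETURN
            credit -= 1000
            tally[src][0] += 1
        else:                                  # bucket empty: DROP
            tally[src][1] += 1
    return {src: tuple(v) for src, v in tally.items()}


if __name__ == "__main__":
    print("recent:", recent_filter(EVENTS))   # 10.0.0.2 untouched by the flood
    print("limit: ", limit_filter(EVENTS))    # 10.0.0.2 loses a SYN to the flood
```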