
Is there any way to protect against DoS by analysing how many connections to a port have been made by an IP, and not limit the traffic overall?

For instance, let's say I don't want an IP to make more than 10 HTTP requests per 10 seconds; how can I do that? Knowing that there will be no ban if there are 100 requests in 10 seconds and each request has a different IP (protection only for DoS and not DDoS).

rsabir

2 Answers


Check out https://www.fail2ban.org/wiki/index.php/Main_Page. It is a software rate limiter that uses iptables.

Monish Sen

You would be able to do this with the following.

iptables -A INPUT -p tcp -m state --state NEW --dport 80 -m connlimit --connlimit-above 10 --connlimit-mask 32 -j REJECT --reject-with tcp-reset

iptables -A INPUT -m state --state RELATED,ESTABLISHED -m limit --limit 10/second --limit-burst 12 -j ACCEPT 

Anyway, enable SYN cookies too. Add this line to /etc/sysctl.conf:

net.ipv4.tcp_syncookies = 1 

Then run sysctl -p, or reboot, to apply.

Marco
  • I tried the first rule, but I can still make 1000 requests with a concurrency of 100 in 3 seconds with the ab command line. – rsabir Mar 26 '17 at 14:33
  • I edited my answer following your comment; you were right. Try this and let us know. – Marco Mar 29 '17 at 08:11
  • It didn't work for my container, but then I said to myself it may be related to the fact that my port is exposed by Docker. So I installed apache2 (or httpd) and it did work. So maybe I need to apply it for `FORWARD` and not `INPUT`. – rsabir Apr 02 '17 at 16:09
  • Just place a log rule and take a look at where packets for this connection are going through netfilter. – Marco Apr 02 '17 at 16:12
  • Can you give me the commands to launch for logging? – rsabir Apr 02 '17 at 16:27
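The following is an added example, not code from the question or from either answer. It models the two things the thread is comparing: the policy the question asks for (at most 10 requests per 10 seconds from any one source IP, with no global cap, so 100 requests from 100 different IPs all pass) and what a `connlimit --connlimit-above 10 --connlimit-mask 32` rule actually counts (simultaneous open connections, not requests). The class and function names, IPs and timestamps are constructed for the example; the request-window limiter corresponds in behaviour to what iptables `hashlimit` keyed on source IP would enforce, which is an assumption about the mapping rather than something the answers state.

```python
"""Per-source-IP limiting, two flavours (constructed example, not from the post)."""
from collections import defaultdict, deque

# Policy from the question: 10 requests per 10 seconds, per source IP.
LIMIT = 10
WINDOW_SECONDS = 10.0


class PerIpRequestLimiter:
    """Sliding-window request counter keyed on source IP.

    Matches the question's requirement: the 11th request from one IP inside
    any 10-second span is refused, while 100 requests from 100 different IPs
    are all accepted because every IP has its own counter."""

    def __init__(self, limit=LIMIT, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # ip -> timestamps of accepted requests

    def allow(self, ip, now):
        q = self._hits[ip]
        # Forget requests that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class PerIpConnLimiter:
    """Concurrent-connection cap keyed on source IP, modelling the answer's
    `-m connlimit --connlimit-above 10 --connlimit-mask 32` rule.

    It counts open connections, not requests: a client sending 1000 requests
    one after another over short-lived connections never has more than one
    open at a time and is never refused."""

    def __init__(self, limit=LIMIT):
        self.limit = limit
        self._open = defaultdict(int)  # ip -> currently open connections

    def connect(self, ip):
        # --connlimit-above N refuses the connection that would be the (N+1)th.
        if self._open[ip] >= self.limit:
            return False
        self._open[ip] += 1
        return True

    def close(self, ip):
        if self._open[ip] > 0:
            self._open[ip] -= 1


def count_allowed(limiter, trace):
    """trace: iterable of (timestamp, ip). Returns (allowed, rejected)."""
    allowed = rejected = 0
    for ts, ip in trace:
        if limiter.allow(ip, ts):
            allowed += 1
        else:
            rejected += 1
    return allowed, rejected


def single_ip_burst():
    """12 requests from one IP within 3 seconds: 10 allowed, 2 rejected."""
    trace = [(i * 0.25, "203.0.113.5") for i in range(12)]
    return count_allowed(PerIpRequestLimiter(), trace)


def distributed_burst():
    """100 requests at once from 100 different IPs: none rejected (no global cap)."""
    trace = [(0.0, f"198.51.100.{i}") for i in range(100)]
    return count_allowed(PerIpRequestLimiter(), trace)


def single_ip_recovers():
    """Once the oldest hit ages out of the window, the same IP is allowed again."""
    lim = PerIpRequestLimiter()
    for i in range(10):
        lim.allow("203.0.113.5", float(i))  # fills the budget; hits at t=0..9
    refused_at_9_5 = not lim.allow("203.0.113.5", 9.5)   # still 10 hits in window
    allowed_at_10 = lim.allow("203.0.113.5", 10.0)       # hit at t=0 has aged out
    return refused_at_9_5, allowed_at_10


def connlimit_sequential(n_requests=1000):
    """Sequential requests over short-lived connections: connlimit never trips."""
    lim = PerIpConnLimiter()
    rejected = 0
    for _ in range(n_requests):
        if lim.connect("203.0.113.5"):
            lim.close("203.0.113.5")  # request finished, connection closed
        else:
            rejected += 1
    return rejected


def connlimit_concurrent(concurrency=100):
    """100 connections held open at once from one IP: 10 accepted, 90 refused."""
    lim = PerIpConnLimiter()
    accepted = sum(lim.connect("203.0.113.5") for _ in range(concurrency))
    return accepted, concurrency - accepted


if __name__ == "__main__":
    print("one IP, 12 requests in 3 s (allowed, rejected):", single_ip_burst())
    print("100 IPs, 100 requests at once (allowed, rejected):", distributed_burst())
    print("same IP refused at 9.5 s, allowed at 10 s:", single_ip_recovers())
    print("connlimit, 1000 sequential requests rejected:", connlimit_sequential())
    print("connlimit, 100 concurrent connections (accepted, refused):", connlimit_concurrent())
```

The `connlimit_sequential` case is the behaviour rsabir reports in the comments: a benchmark that opens, uses and closes connections in turn stays under a concurrent-connection cap no matter how many requests it sends, so a request-per-window counter (the first class) is the one that expresses "10 requests per 10 seconds", while the concurrent cap only bounds simultaneous connections.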