Tony Godshall said:
>> I just recently started using iptables to do this. It's worked really
>> well for me so far. See the debian-isp archive link below.
>>
>> http://lists.debian.org/debian-isp/2005/10/msg00051.html
>
> I don't see any mechanism to limit the number of entries in
> your blocked list... this would seem to increase your
> vulnerability to a multi-source DOS attack.

I may be missing your point but... Below is taken from the --recent module documentation.

    --rttl
    This option must be used in conjunction with one of 'rcheck' or 'update'.
    When used, this will narrow the match to only happen when the address is in
    the list and the TTL of the current packet matches that of the packet which
    hit the --set rule. This may be useful if you have problems with people
    faking their source address in order to DoS you via this module by
    disallowing others access to your site by sending bogus packets to you.

Also, the recent module takes arguments, so the list size is finite.

    The module itself accepts two parameters:

    ip_list_tot=40
    ip_pkt_list_tot=10

    Shown are the defaults. ip_list_tot is the total number of addresses which
    will be remembered; note that the list is searched in-order for every
    attempted match and so you do not want to increase this value too much or a
    lot of time will be spent traversing the list. ip_pkt_list_tot is the total
    number of packets which will be remembered for each address. This list is
    only used by '--hitcount' and so the default will probably suffice unless
    you make extensive use of that option.

--
phil
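The ruleset the thread is discussing, written out as an added example (not phil's or Tony's own rules): a bounded "recent" list throttling new SSH connections, with --rttl applied on the check rule so spoofed-source packets cannot poison the list, and the module parameters raised above the quoted defaults. The list name, port, window and hit count are assumed values; set IPT to "echo iptables" to print the rules instead of applying them.

```shell
#!/bin/sh
# Assumed values (constructed for this example).
IPT="${IPT:-iptables}"   # set IPT="echo iptables" for a dry run
LIST=sshprobe            # hypothetical recent-list name
PORT=22
WINDOW=60                # seconds
HITS=4                   # new connections per WINDOW before dropping

# Emit the modprobe options for the recent module. The defaults quoted in
# the thread are ip_list_tot=40 and ip_pkt_list_tot=10; --hitcount can never
# exceed ip_pkt_list_tot, so this function refuses a hit count that would
# silently be out of range. Older kernels name the module ipt_recent.
recent_module_options() {
    list_tot=${1:-100}
    pkt_tot=${2:-20}
    if [ "$HITS" -gt "$pkt_tot" ]; then
        echo "HITS=$HITS exceeds ip_pkt_list_tot=$pkt_tot" >&2
        return 1
    fi
    echo "options xt_recent ip_list_tot=$list_tot ip_pkt_list_tot=$pkt_tot"
}

ssh_recent_rules() {
    # Rule 1: record the source address of every new SSH connection.
    $IPT -A INPUT -p tcp --dport "$PORT" -m conntrack --ctstate NEW \
        -m recent --name "$LIST" --set
    # Rule 2: drop the attempt if this source already made HITS new
    # connections within WINDOW seconds. --update refreshes the timestamp;
    # --rttl only matches when the packet's TTL equals the TTL seen by the
    # --set rule, which is the spoofed-source mitigation quoted above.
    $IPT -A INPUT -p tcp --dport "$PORT" -m conntrack --ctstate NEW \
        -m recent --name "$LIST" --update --seconds "$WINDOW" \
        --hitcount "$HITS" --rttl -j DROP
}

if [ "${1:-}" = "apply" ]; then
    recent_module_options 100 20 > /etc/modprobe.d/recent.conf
    ssh_recent_rules
fi
```

Without "apply" the script only defines the functions; the modprobe options take effect the next time the module is loaded, and the list itself is bounded by ip_list_tot regardless of how many sources hit the --set rule.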