From 9ba90f364fdead6c8585a5008f5510a228e96183 Mon Sep 17 00:00:00 2001
From: Vlad Glagolev
Date: Wed, 14 Apr 2010 10:48:40 +0200
Subject: [PATCH] examples: added anti-DDoS example configuration
---
 examples/antiddos.ferm | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 65 insertions(+)
 create mode 100644 examples/antiddos.ferm
diff --git a/examples/antiddos.ferm b/examples/antiddos.ferm
new file mode 100644
index 0000000..ab08e13
--- /dev/null
+++ b/examples/antiddos.ferm
@@ -0,0 +1,65 @@
+# -*- shell-script -*-
+#
+# Ferm example script
+#
+# Firewall configuration to prevent basic tcp DoS/DDoS attacks
+#
+# Authors: Vlad Glagolev , Stepan Rogov
+#
+
+@def &ANTIDDOS($ports, $seconds, $hits, $time, $exceptions) = {
+ proto tcp dport $ports @subchain "ddos_check" {
+ # allow every exception as-is
+ saddr $exceptions ACCEPT;
+
+ # connection tracking
+ mod conntrack ctstate (ESTABLISHED RELATED) ACCEPT;
+
+ # check for IPs overloading $hits/$seconds rate and block them
+ mod recent name "ddos_check" rcheck seconds $seconds hitcount $hits @subchain "ddos" {
+ mod recent set name "ddos" NOP;
+
+ DROP;
+ }
+
+ # register a packet in "ddos_check" list
+ mod recent set name "ddos_check" NOP;
+
+ # check IP in "ddos" list
+ # if it exists and had been registered in the last $time seconds -- drop it
+ mod recent name "ddos" rcheck seconds $time DROP;
+
+ # remove packet from "ddos" list
+ mod recent name "ddos" remove NOP;
+
+ # allow ONLY new connections
+ mod conntrack ctstate NEW ACCEPT;
+
+ DROP;
+ }
+}
+
+table filter {
+ chain INPUT {
+ policy DROP;
+
+ # connection tracking
+ mod state state INVALID REJECT;
+ mod state state (ESTABLISHED RELATED) ACCEPT;
+
+ # allow local connections
+ interface lo ACCEPT;
+
+ # ban ip addresses for 1 day which connect more than 50 times in 3 seconds,
+ # exception is IP: 94.29.90.101
+ &ANTIDDOS((80, 443), 50, 3, 86400, 94.29.90.101);
+
+ # the rest is dropped by the above policy
+ }
+
+ # outgoing connections are not limited
+ chain OUTPUT policy ACCEPT;
+
+ # this is not a router
+ chain FORWARD policy DROP;
+}
--
2.11.4.GIT
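Review bot: The call `&ANTIDDOS((80, 443), 50, 3, 86400, 94.29.90.101);` in chain INPUT passes its arguments in the wrong order for the definition `@def &ANTIDDOS($ports, $seconds, $hits, $time, $exceptions)`: $seconds becomes 50 and $hits becomes 3, so a client is banned for a day after its fourth new connection within 50 seconds rather than after 50 connections in 3 seconds as the comment above the call says, and a browser opening a handful of parallel connections to port 80/443 would trip it. Either the call should read `&ANTIDDOS((80, 443), 3, 50, 86400, 94.29.90.101);` or the parameter list should become `($ports, $hits, $seconds, $time, $exceptions)`, with the comment kept consistent with whichever is chosen. Once hitcount really is 50, xt_recent on a stock kernel rejects a hitcount larger than its ip_pkt_list_tot module parameter (default 20), so the example should carry a comment such as `# hitcount must not exceed xt_recent's ip_pkt_list_tot (default 20); raise it via module options if needed`. The `mod conntrack ctstate (ESTABLISHED RELATED) ACCEPT;` inside the "ddos_check" subchain is unreachable in this example because INPUT already accepts those states before the function is called; it is harmless, but a comment noting it exists so the function stays self-contained when reused would help.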