Sure, you could just read the manual pages, but when your
site is under attack and you're the “first responder”, this little
book is just what you want in your sweaty fingers. It's also a handy
reference to the fields in IP, TCP, UDP, and ICMP packets, which can
be useful in interpreting packet dumps. Although intended as a
reference, it's well worth taking the time (less than an hour) to
read cover to cover. There are a number of very nice
facilities in iptables/Netfilter which permit responding to
common attacks. For example, the iplimit match allows
blocking traffic from the bozone layer (yes, you—I know who
you are and I know where you live) which ties up all of your HTTP
server processes by connecting to them and then letting them time out or,
slightly more sophisticated, feeding characters of a request every
20 seconds or so to keep it alive. The solution is:
/sbin/iptables -A INPUT -p tcp --syn --dport 80 -m iplimit \
--iplimit-above 20 --iplimit-mask 32 -j REJECT
Anybody who tries to open more than 20 connections will get whacked
on each additional SYN packet. You can see whether this rule is affecting
too many legitimate connections with the status query:
/sbin/iptables -L -v
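To make that "is the rule hurting legitimate clients?" check repeatable, here is an added shell example (not from the review or from the book it describes). It composes the same per-source limit using connlimit, the match that replaced the patch-o-matic iplimit in mainline kernels, and it pulls the counters of the REJECT rule out of `iptables -L INPUT -v -n` output so the hit rate can be compared against accepted traffic on the same port. The listing it parses is a constructed sample; real output differs in the exact match text, and the composed rule is only printed, not installed.

```shell
#!/bin/sh
# Added example, not from the review or the book. Builds the connlimit
# form of the review's per-address rule and reads rule counters out of
# an `iptables -L INPUT -v -n` listing to judge how often the limit fires.

# Compose the modern equivalent of the review's iplimit rule. iplimit was
# a patch-o-matic match; current kernels provide the same per-source
# connection limit as connlimit. Only prints the command; run it as root.
connlimit_rule() {
    port=$1
    limit=$2
    printf '/sbin/iptables -A INPUT -p tcp --syn --dport %s -m connlimit --connlimit-above %s --connlimit-mask 32 -j REJECT\n' \
        "$port" "$limit"
}

# Constructed sample of `iptables -L INPUT -v -n` output: one connlimit
# REJECT rule on port 80 followed by the ACCEPT rule for the same port.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 98765 packets, 12M bytes)
 pkts bytes target     prot opt in     out     source               destination
  317 19020 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 flags:0x17/0x02 #conn src/32 > 20 reject-with icmp-port-unreachable
 4021  241K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80'

# Print "<pkts> <bytes>" for each REJECT rule carrying a "#conn" match.
# Usage: reject_counters "$(iptables -L INPUT -v -n)"
reject_counters() {
    printf '%s\n' "$1" | awk '$3 == "REJECT" && /#conn/ { print $1, $2 }'
}

# Percentage (integer) of port-80 SYNs that the limit rejected, measured
# against the packets the ACCEPT rule for dpt:80 let through. A number
# that keeps climbing during normal hours means the limit is too low.
reject_percent() {
    printf '%s\n' "$1" | awk '
        $3 == "REJECT" && /#conn/  { rej += $1 }
        $3 == "ACCEPT" && /dpt:80/ { acc += $1 }
        END {
            if (acc + rej == 0) print 0
            else printf "%d\n", 100 * rej / (acc + rej)
        }'
}

# Stand-alone run against the constructed sample.
connlimit_rule 80 20
reject_counters "$SAMPLE_LISTING"
reject_percent "$SAMPLE_LISTING"
```

Replace `SAMPLE_LISTING` with `"$(iptables -L INPUT -v -n)"` on a live box (add `-x` if you want exact byte counts instead of the K/M suffixes); the counters are cumulative since the rule was loaded, so `iptables -Z INPUT` before a measurement window gives a cleaner reading.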
Geekly reading, to be sure, but just the thing if you're responsible
for defending an Internet server or site from malefactors in the
Internet Slum.
February 2005