Not at home but it's just a cronjob running every x minutes and checking via netstat how many connections I get from every single IP. If I get say 20000 connections from a single IP it would be blocked with iptables.
Nothing fancy at all but it works as long as there are very few IPs ddosing me. It fails if there is a botnet and/or multiple /22 who connect to only a few ports per IP. I am sure a fancy Cisco Next Generation Firewall would be much better but I am too poor to even look at it.
Tracking every connection with iptables is very cpu intensive if you have a few 100k connections running on every server … so not really doable.
Right now my problem is: What's all this about?
- I got no love letter beginning with: "If you want to stay online send us x Bitcoins to …" so this is not blackmailing me …
- In case some abuse pissed someone off and they decided to shut me down. This is an expensive attack over multiple days and high amounts of traffic. I doubt that someone is throwing a bunch of money in this just because they are pissed.
- State actors aka Russia trying to shut the network down? In this case they should be attacking others too. No answers in here = doesn't look like they do …
On 21. Feb 2021, at 12:12, Toralf Förster toralf.foerster@gmx.de wrote:
On 2/20/21 12:29 PM, niftybunny wrote:
We already changed the timers on the TCP connections and we have scripts running which are blocking IPs who will send us x0000 connections. Right now they changed tactics and for me it looks like SYN flood from datacenter IP ranges and a few 100 IPs which undermine the easy blocking.
Would an iptables rule with "recent" and "limit" be a solution here? If yes, how do you use that (do you have a code snippet)?
-- Toralf
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
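A worked version of both things discussed in the thread, the netstat-based cronjob that blocks a source once it holds too many connections, and the iptables `recent` rules Toralf asks about, as an added example that is not code from either poster. It assumes the connection table comes from `ss -nt` or `netstat -nt` (peer address in column 5 as `ip:port`), a relay port of 9001, and placeholder thresholds (`THRESHOLD`, `HITS`, `WINDOW`) that would need tuning per relay; the sample connection table is constructed. The rate-limit rules match on `--syn` only, so they do not depend on conntrack (the CPU concern raised above), and the `hashlimit` rule goes one step beyond the question by aggregating sources per /22, which addresses the multiple-/22 case mentioned earlier in the thread. With `DRY_RUN=1` (the default) the iptables commands are printed instead of executed.

```shell
#!/bin/sh
# Added example, not code from the tor-relays thread. Assumptions: connection
# table from "ss -nt"/"netstat -nt" (peer is column 5 as "ip:port"), relay on
# PORT, all thresholds are placeholders. DRY_RUN=1 prints iptables commands.

THRESHOLD="${THRESHOLD:-20000}"   # established connections per source before blocking
PORT="${PORT:-9001}"              # relay ORPort (placeholder)
HITS="${HITS:-20}"                # SYNs per source within WINDOW seconds before dropping
WINDOW="${WINDOW:-10}"
DRY_RUN="${DRY_RUN:-1}"

# Constructed sample of "ss -ntH" output for a dry run; not real traffic.
SAMPLE_TABLE='ESTAB 0 0 10.0.0.5:9001 192.0.2.10:40001
ESTAB 0 0 10.0.0.5:9001 192.0.2.10:40002
ESTAB 0 0 10.0.0.5:9001 192.0.2.10:40003
ESTAB 0 0 10.0.0.5:9001 198.51.100.7:5555
ESTAB 0 0 [2001:db8::1]:9001 [2001:db8::2]:6000'

# Print a command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Read connection lines on stdin, print "count ip" per peer, busiest first.
# netstat header lines are skipped: their column 5 carries no ":port".
# IPv6 peers are printed in brackets by ss; the brackets are stripped.
count_per_ip() {
    awk '$5 ~ /:[0-9]+$/ { p = $5; sub(/:[0-9]+$/, "", p); gsub(/[][]/, "", p); print p }' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Keep only IPs whose count reaches the threshold ($1, default THRESHOLD).
offenders() {
    awk -v t="${1:-$THRESHOLD}" '$1 >= t { print $2 }'
}

# Insert a DROP for one source unless an identical rule already exists.
block_ip() {
    if [ "$DRY_RUN" != "1" ] && iptables -C INPUT -s "$1" -j DROP 2>/dev/null; then
        return 0
    fi
    run iptables -I INPUT -s "$1" -j DROP
}

# Cron job body. Production use: ss -ntH state established | check_and_block
check_and_block() {
    count_per_ip | offenders "$1" | while read -r ip; do block_ip "$ip"; done
}

# Per-source SYN rate limiting with the "recent" match. Every SYN to PORT is
# recorded for its source; once HITS SYNs arrive within WINDOW seconds the
# source is dropped, and --update refreshes the timer while it keeps sending.
# xt_recent remembers ip_list_tot addresses (default 100) and at most
# ip_pkt_list_tot packets per address (default 20, the cap for --hitcount);
# on a busy relay raise both via /etc/modprobe.d, e.g.
#   options xt_recent ip_list_tot=10000 ip_pkt_list_tot=60   (placeholders)
# "-m limit" is a global rate and cannot single out one source; hashlimit
# with --hashlimit-srcmask 22 gives a per-/22 ceiling instead.
ratelimit_rules() {
    run iptables -N TOR_SYN
    run iptables -A TOR_SYN -m recent --set --name tor_syn
    run iptables -A TOR_SYN -m recent --update --seconds "$WINDOW" --hitcount "$HITS" --name tor_syn -j DROP
    run iptables -A TOR_SYN -m hashlimit --hashlimit-name tor_syn_net --hashlimit-mode srcip \
        --hashlimit-srcmask 22 --hashlimit-above 200/sec --hashlimit-burst 400 -j DROP
    run iptables -A TOR_SYN -j RETURN
    # Only SYNs traverse the chain, so no conntrack lookup is needed here.
    run iptables -I INPUT -p tcp --dport "$PORT" --syn -j TOR_SYN
}

case "${1:-}" in
    cron)  check_and_block ;;   # e.g.: ss -ntH state established | DRY_RUN=0 sh ddos.sh cron
    rules) ratelimit_rules ;;   # e.g.: DRY_RUN=0 sh ddos.sh rules
    demo)  printf '%s\n' "$SAMPLE_TABLE" | check_and_block 3; ratelimit_rules ;;
esac
```

`sh ddos.sh demo` prints the single DROP the sample table triggers at a threshold of 3 plus the rate-limit rule set, without touching the firewall; the same functions run the real table when `DRY_RUN=0` and the cron entry pipes `ss -ntH state established` into `check_and_block`.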