
DDoS Protection With IPtables - _o-O-o_
https://javapipe.com/blog/iptables-ddos-protection/
======
gravitas
The author has one start out by implementing sysctl changes which have no
relation to the subject matter at hand (printk, sysrq, panic, etc.). A number
of comments on the article point out flaws and misconfigurations in the
rulesets presented.

~~~
tedivm
The complete lack of an explanation as to why those config changes have been
made is also frustrating. I think that these types of articles, where you're
told what to do but not why, do a huge disservice and result in people
building out unmaintainable or hard-to-upgrade systems. A few comments would
go a long way.

------
NightlyDev
A lot of people seem to be thinking that it is pointless to use iptables to
drop unwanted traffic in 2019. That is far from the truth.

Most attacks are usually small (<10 Gbps) and effective iptables rules can go a
long way, both against unwanted application traffic and packet floods.

~~~
ventris
The problem is when you are not able to "eat" the whole DDoS without filling
your link/links to your ISP/s. Then it does not matter how good you are at
dropping at the edge of your datacenter, or what solution you are using.

~~~
zzzcpan
While you can't block volumetric attacks on the server, this is something a
hosting provider can help you with. Some have automatic volumetric DDoS
detection and protection, like OVH, and some might be able to ask upstreams,
internet exchanges to completely block all UDP traffic for certain subnets or
even setup completely custom firewall rules, effectively preventing volumetric
attacks from filling links within their global networks and of course from
reaching your server. But you are still left with non-volumetric attacks that
you need to use a firewall for, maybe even with some scripting to gather
statistics and whitelist known good IPs and IP subnets in case of an attack.
Maybe with mitigations on, for example, frontend web servers to avoid
overloading much slower backends, databases, etc.

------
sdeziel
From the article: "This drops all ICMP packets. ICMP is only used to ping a
host to find out if it’s still alive."

Please stop this nonsense, there are too many ICMP blackholes already.

~~~
kazen44
if you are running IPv6, disabling ICMP is a very bad idea because it disables
MTU path discovery.

don't be lazy, don't drop ICMP and just do proper filtering.

~~~
fulafel
Same for ipv4.
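
The "proper filtering" kazen44 asks for, covering fulafel's IPv4 point as well, as an added example that is not part of the thread or the linked article: a per-type ICMP/ICMPv6 allowlist for a host, emitted as iptables-restore / ip6tables-restore input so it can be reviewed before it is loaded. The rate-limit values (5/s, burst 20), the chain names, the `--apply` convention and the choice to leave out MLD (a server with no multicast listeners) are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the article or the thread): allow the ICMP and
# ICMPv6 messages a host actually needs, rate-limit ping, drop the rest.
# Prints iptables-restore / ip6tables-restore input; "--apply" loads it.
# Limits (5/s, burst 20) and the chain names are assumed values.

# IPv4. Type 3 (destination-unreachable) includes code 4 "fragmentation
# needed", which path MTU discovery depends on; dropping all ICMP breaks
# it for every peer whose path has a smaller MTU than your link.
icmp_rules_v4() {
    cat <<'EOF'
*filter
:ICMP_IN - [0:0]
-A INPUT -p icmp -j ICMP_IN
# error reports the TCP/IP stack relies on
-A ICMP_IN -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ICMP_IN -p icmp --icmp-type time-exceeded -j ACCEPT
-A ICMP_IN -p icmp --icmp-type parameter-problem -j ACCEPT
# replies to our own pings
-A ICMP_IN -p icmp --icmp-type echo-reply -j ACCEPT
# inbound ping: keep the host answerable, but bounded
-A ICMP_IN -p icmp --icmp-type echo-request -m limit --limit 5/s --limit-burst 20 -j ACCEPT
-A ICMP_IN -p icmp --icmp-type echo-request -j DROP
# redirects, timestamps, address-mask and other legacy types
-A ICMP_IN -j DROP
COMMIT
EOF
}

# IPv6. Routers never fragment, so a dropped packet-too-big (type 2) stalls
# every large transfer; Neighbor Discovery (types 133-136) is what makes the
# link work at all. RFC 4890 recommends requiring hop limit 255 for ND, since
# such a packet cannot have crossed a router.
icmp_rules_v6() {
    cat <<'EOF'
*filter
:ICMP6_IN - [0:0]
-A INPUT -p ipv6-icmp -j ICMP6_IN
-A ICMP6_IN -p ipv6-icmp --icmpv6-type destination-unreachable -j ACCEPT
-A ICMP6_IN -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
-A ICMP6_IN -p ipv6-icmp --icmpv6-type time-exceeded -j ACCEPT
-A ICMP6_IN -p ipv6-icmp --icmpv6-type parameter-problem -j ACCEPT
# Neighbor Discovery, link-local only
-A ICMP6_IN -p ipv6-icmp --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
-A ICMP6_IN -p ipv6-icmp --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT
-A ICMP6_IN -p ipv6-icmp --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT
-A ICMP6_IN -p ipv6-icmp --icmpv6-type echo-reply -j ACCEPT
-A ICMP6_IN -p ipv6-icmp --icmpv6-type echo-request -m limit --limit 5/s --limit-burst 20 -j ACCEPT
-A ICMP6_IN -p ipv6-icmp --icmpv6-type echo-request -j DROP
# redirect (137), MLD and everything else: not needed on a server
-A ICMP6_IN -j DROP
COMMIT
EOF
}

case "${1:-}" in
    --apply)
        # --noflush keeps the rest of the ruleset; the INPUT jump is appended
        # on every load, so run this once or fold it into the full ruleset.
        icmp_rules_v4 | iptables-restore --noflush
        icmp_rules_v6 | ip6tables-restore --noflush
        ;;
    *)
        icmp_rules_v4
        icmp_rules_v6
        ;;
esac
```

Run it with no arguments to review the two rulesets, then `--apply` as root. If the INPUT chain already has an `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` rule above the jump, error messages belonging to existing flows are accepted there and these chains only decide the rest; the point is that the per-type allowlist replaces the article's blanket `-p icmp -j DROP`.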

------
StreamBright
This is not real DDoS protection since it does not deal with jamming the
pipes. It is more of a resource exhaustion protection.

~~~
RobertRoberts
Would this be useful for small lightly trafficked sites that may get hit by
small time attackers?

Would this hit a sweet spot between a grandma's blog with straight HTML and
massively trafficked sites like Wikipedia?

Resource exhaustion seems like a useful feature of _some_ kind of system. What
does that system look like?

~~~
dylz
It is not useful for small-time attackers. Small-time attackers/children/etc.
just use booters, which at least usually output double-digit Gbps, often
spoofed, and cost a cent or are paid for in RuneScape gold or other bullshit
like that. Your upstream will need to mitigate this. No small-scale attacker
will be launching their own attacks (from their own machines), unless they were
seriously incompetent but also think they're some form of power user, which
doesn't really happen...

It is not useful for straight HTML - volumetric DDoS will take it out (not
l7), it's not even going to make it to your machine. It does not mitigate well
against any real major l7 flood either, just by virtue of "your pipe is
smaller". A formal l7 attack would at least do basic recon to find a high
resource consumption page (like search.php?q=%20 or something)

I guess this would come in maybe slightly useful with someone running ab or
jmeter from a single machine toward you? But I don't know a single instance of
that happening in the last decade...

~~~
brians
It’s great against mistaken API clients. Murphy is the most frequent adversary
I encounter.

~~~
dylz
I feel like there's a bunch of other things in play, like for example if
you're running a public API, one api key should not be able to take you down -
you should be rate limiting them against repeated hits, for instance.

I'm not saying iptables is bad per se, but this article in particular is just
some overpriced hosting provider's blog that tells you to set things like
kernel.panic in sysctl. The article also claims all of this to be a defense
against DDoS, which really will probably just eat through your pipe completely
most of the time, not single-person DoS.

------
lossolo
This can protect you from a simple DoS attack by some script kiddie, not a real
DDoS attack. Just use CloudFlare or a provider that has active protections
against DDoS attacks. Iptables will NOT help you with any real DDoS attack.

~~~
RobertRoberts
Is there any other provider besides CloudFlare for DoS/DDoS protection?

~~~
Gluten
OVH servers include a pretty efficient DDoS protection. It was the only option
for hosting my online game servers that didn't cost tens of thousands.

------
xmichael999
Submissions like this one make me wish Hacker News had a downvote button...

~~~
taf2
Why? Isn't this the kind of post Hacker News is all about? Is there something
about this post that's misleading or false? I don't see any explanation of
facts to make me believe your comment.

~~~
dylz
iptables to defend against an attack will not accomplish much in 2019. It's
pretty much futile to even try.

~~~
taf2
It can't hurt, or are you saying this is bad if you only have one server? What
about if you're balancing your traffic over thousands of servers, wouldn't this
help?

~~~
nicolaslem
The only way to protect yourself is having a bigger pipe than the bad guys.
Only a handful of companies have these big pipes.

------
eeeeeeeeeeeee
I wouldn't bother with iptables. I've done it before and it quickly gets
overrun on any large-scale attacks. Cloudflare on your front end will stop a
lot of garbage and take the brunt of volumetric attacks, or use
nginx/varnish/haproxy to rate limit and/or block attackers before they reach
your app.

~~~
Funnnny
Cloudflare used to use iptables with SYNPROXY, simple blocking rules and later
BPF matching.

Your server would be dead in any large-scale attack anyway; iptables is fine
and works well.
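
What SYNPROXY plus "simple blocking rules" looks like in a ruleset, and what NightlyDev's "effective iptables rules" against packet floods can be for a single TCP service: an added example, not the article's rules and not anything Cloudflare published. It emits an iptables-restore ruleset and the sysctl settings SYNPROXY depends on. The port, the external interface name, the hashlimit/connlimit thresholds and the chain name are assumptions; the BPF match Funnnny mentions (`-m bpf`) is not shown, since its bytecode is specific to whatever pattern you are matching.

```shell
#!/bin/sh
# Added example (not from the article, the thread or Cloudflare): SYN-flood
# and connection-flood rules for one TCP service, in iptables-restore format.
# SYNPROXY answers each SYN with a cookie itself and only hands a connection
# to the stack once the client completes the handshake, so spoofed SYNs never
# create conntrack state; hashlimit and connlimit then bound what a real
# source can do. Needs the SYNPROXY target (iptables >= 1.4.21, kernel >= 3.12).
# PORT and IFACE are assumed defaults; thresholds are assumed values.
PORT="${PORT:-80}"
IFACE="${IFACE:-eth0}"

# Kernel settings: loose conntrack pickup must be off for SYNPROXY, TCP
# timestamps on (the proxy encodes state in them), and host syncookies as
# a fallback for anything not covered by the proxy. Printed as key=value so
# the same lines work for sysctl -w and for a sysctl.d file.
synflood_sysctl() {
    cat <<'EOF'
net.netfilter.nf_conntrack_tcp_loose=0
net.ipv4.tcp_timestamps=1
net.ipv4.tcp_syncookies=1
EOF
}

synflood_rules() {
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
# do not create conntrack state for bare SYNs; SYNPROXY handles them
-A PREROUTING -i $IFACE -p tcp --dport $PORT --syn -j CT --notrack
COMMIT
*filter
:SYNFLOOD - [0:0]
-A INPUT -i $IFACE -p tcp --dport $PORT -j SYNFLOOD
# untracked SYNs and the following ACKs go to the proxy; the TCP options
# here must match what the backend service itself advertises
-A SYNFLOOD -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
# whatever the proxy did not validate is garbage
-A SYNFLOOD -m conntrack --ctstate INVALID -j DROP
# per-source rate of connections that completed the handshake:
# above 30/s with a burst of 60, the source is dropped (assumed values)
-A SYNFLOOD -m conntrack --ctstate NEW -m hashlimit --hashlimit-above 30/sec --hashlimit-burst 60 --hashlimit-mode srcip --hashlimit-name synflood -j DROP
# per-source concurrent connections, capped at 100 (assumed value)
-A SYNFLOOD -m conntrack --ctstate NEW -m connlimit --connlimit-above 100 --connlimit-mask 32 -j REJECT --reject-with tcp-reset
-A SYNFLOOD -j ACCEPT
COMMIT
EOF
}

case "${1:-}" in
    --apply)
        synflood_sysctl | while read -r kv; do sysctl -w "$kv"; done
        # --noflush keeps the rest of the ruleset; the INPUT jump is appended
        # on every load, so run once or fold it into the full ruleset
        synflood_rules | iptables-restore --noflush
        ;;
    *)
        synflood_sysctl
        synflood_rules
        ;;
esac
```

The order inside SYNFLOOD matters: the SYNPROXY rule has to come before the `INVALID` drop, because the client's handshake ACK looks invalid to conntrack and is exactly what the proxy needs to see. None of this helps once the link itself is full, which is the point several people in the thread make; it keeps a server responsive under a flood that fits in the pipe.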

