

Thoughts on a DDOS attack - davidgerard
http://freethoughtblogs.com/lousycanuck/2014/02/10/thoughts-on-a-dos-attack/

======
mkautzm
So there is a way to stop 'dumb' DDoS attacks at the firewall level with a few
cute rules:

Forward all traffic with the syn TCP flag into a filter that is set to limit
the number of connections based on your service. We currently have our set to
500/sec with a burst limit of 5 on a box that generates about 2-5Mbs of
traffic/sec. Add everything with said flag to that pool and drop everything
that goes over the limit.

It's effective against really dumb DDoS attacks (think LOIC) and it's simple
to roll out. The limiting factor will be your router, but it'd take some
pretty serious power to bring our $600 router to its knees. We fired 3
instances of LOIC at it and it barely showed up.
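The rules above amount to a token bucket on SYN packets: a bucket that refills at the configured rate, holds at most `burst` tokens, and drops any SYN that arrives when it is empty. The following is an added example, not code from the commenter or the linked post; it models that bucket with the integer credit accounting iptables' `limit` match uses and runs constructed traffic through it twice: once as a single shared bucket (the `-m limit` setup the comment describes) and once with one bucket per source address (what `-m hashlimit --hashlimit-mode srcip` would give you). The flooder address, the legitimate client addresses, the packet timings and the 2000 SYN/s flood rate are all made up for the demonstration; the 500/s rate and burst of 5 are the comment's numbers.

```python
"""Token-bucket model of a SYN rate limit, in the spirit of iptables'
`-m limit` (one bucket shared by everyone) and
`-m hashlimit --hashlimit-mode srcip` (one bucket per source address).

Equivalent netfilter rules for the shared-bucket variant the comment describes:
    iptables -N SYN_LIMIT
    iptables -A INPUT -p tcp --syn -j SYN_LIMIT
    iptables -A SYN_LIMIT -m limit --limit 500/s --limit-burst 5 -j RETURN
    iptables -A SYN_LIMIT -j DROP
For the per-source variant, swap the `-m limit ...` match for
    -m hashlimit --hashlimit-mode srcip --hashlimit-upto 500/s \
       --hashlimit-burst 5 --hashlimit-name syn
"""
from collections import defaultdict

FLOODER = "10.0.0.66"   # constructed: the LOIC-style attacker


class SynLimiter:
    """Token bucket with iptables-style integer credit accounting.

    Credit is measured in microseconds and refills one unit per microsecond;
    one SYN costs (1_000_000 / rate) units, and the bucket holds at most
    `burst` SYNs' worth of credit, starting full.
    """

    def __init__(self, rate_per_sec: int, burst: int):
        self.cost = 1_000_000 // rate_per_sec   # credit one SYN consumes
        self.cap = burst * self.cost             # maximum stored credit
        self.credit = self.cap                   # bucket starts full
        self.last_us = 0

    def allow(self, now_us: int) -> bool:
        """Refill for the elapsed time, then spend one SYN's credit if we can."""
        self.credit = min(self.cap, self.credit + (now_us - self.last_us))
        self.last_us = now_us
        if self.credit >= self.cost:
            self.credit -= self.cost
            return True
        return False


def build_traffic():
    """Constructed sample: one flooder sending 2000 SYN/s for one second
    (every 500 us) plus ten legitimate clients that each send a single SYN."""
    packets = [(k * 500, FLOODER) for k in range(2000)]
    packets += [(i * 50_000 + 130, f"192.0.2.{i}") for i in range(1, 11)]
    return sorted(packets)   # (timestamp_us, source) in arrival order


def run_filter(packets, rate_per_sec=500, burst=5, per_source=False):
    """Push every SYN through the limiter; return {src: [allowed, dropped]}.

    per_source=False models `-m limit` (all sources share one bucket);
    per_source=True models `-m hashlimit --hashlimit-mode srcip`.
    """
    buckets = defaultdict(lambda: SynLimiter(rate_per_sec, burst))
    shared = SynLimiter(rate_per_sec, burst)
    counts = defaultdict(lambda: [0, 0])
    for t_us, src in packets:
        limiter = buckets[src] if per_source else shared
        counts[src][0 if limiter.allow(t_us) else 1] += 1
    return dict(counts)


def summarize(per_source: bool) -> dict:
    """Split the verdicts into flooder vs. legitimate-client totals."""
    counts = run_filter(build_traffic(), per_source=per_source)
    flood = counts[FLOODER]
    legit = [v for src, v in counts.items() if src != FLOODER]
    return {
        "flood_allowed": flood[0],
        "flood_dropped": flood[1],
        "legit_allowed": sum(a for a, _ in legit),
        "legit_dropped": sum(d for _, d in legit),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("per-source" if mode else "shared   ", summarize(mode))
```

With the shared bucket the flooder is cut down to 504 of its 2000 SYNs, exactly what the comment is after, but the bucket is empty almost all the time, so every one of the ten legitimate SYNs is dropped too: a global SYN limit turns a dumb flood into a complete outage for everyone else. Keying the bucket on source address lets the same ten clients through while the flooder is still held to 504. That only helps when the attacker uses real source addresses (LOIC does); a spoofed SYN flood spreads across arbitrary sources and is better handled by SYN cookies than by any rate match.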

