I need to keep out all connections from 5 countries, which originate most of the Denial of Service attacks. The entries are around 9000 if used as xx.xx.0.0/16. I heard that there is a smarter way to do this by using User Tables in iptables, that will keep the speed equal to LOG(x). I already tried using a straight list and it kills the box. Unless a smarter way is found, there is no way to use iptables.

Federico
On 07/15/2011 12:47 PM, CDR wrote:
> I need to keep out all connections from 5 countries, which originate
> most of the Denial of Service attacks. The entries are around 9000 if
> used as xx.xx.0.0/16. I heard that there is a smarter way to do this
> by using User Tables in iptables, that will keep the speed equal to
> LOG(x). I already tried using a straight list and it kills the box.
> Unless a smarter way is found, there is no way to use iptables.

iptables is just a user-space configuration interface to the Linux kernel netfilter. The netfilter uses complex hash tables and other data structures to ensure that packet forwarding rules are looked up in as close to O(1) as possible, not even LOG(n)--LOG(n) would be way too expensive.

Other than conventional Cisco router access lists (notwithstanding compiled lists and TurboACL), I don't know of any other packet filter in the universe that does not do similarly. No packet filter would apply a flat list, not the Linux netfilter, not the BSD packet filter, not even Windows.

I am not sure what you mean by "User Tables" or in what context you "already tried using a straight list"? What list? Where? Illuminating that information would go a long way toward solving your question.

Also, don't post as "CDR". That's just retarded.

-- Alex

-- 
Alex Balashov - Principal
Evariste Systems LLC
260 Peachtree Street NW
Suite 2200
Atlanta, GA 30303
Tel: +1-678-954-0670
Fax: +1-404-961-1892
Web: http://www.evaristesys.com/
On Fri, Jul 15, 2011 at 12:47 PM, CDR <venefax at gmail.com> wrote:
> I need to keep out all connections from 5 countries, which originate
> most of the Denial of Service attacks. The entries are
> around 9000 if used as xx.xx.0.0/16. I heard that there is a smarter
> way to do this by using User Tables in iptables, that will keep the
> speed equal to LOG(x). I already tried using a straight list and it
> kills the box. Unless a smarter way is found, there is no way to use
> iptables.
>
> Federico

DROP[1] will remove the vast majority of bad networks. Fail2ban[2] for the rest or recent[3] with triggers at port 139 will get the rest.

[1] http://www.spamhaus.org/drop/
[2] http://www.fail2ban.org/wiki/index.php/Main_Page
[3] http://snowman.net/projects/ipt_recent/

-- 
~~~ Andrew "lathama" Latham lathama at gmail.com ~~~
On Fri, Jul 15, 2011 at 12:47 PM, CDR <venefax at gmail.com> wrote:
> I need to keep out all connections from 5 countries, which originate
> most of the Denial of Service attacks. The entries are
> around 9000 if used as xx.xx.0.0/16. I heard that there is a smarter
> way to do this by using User Tables in iptables, that will keep the
> speed equal to LOG(x). I already tried using a straight list and it
> kills the box. Unless a smarter way is found, there is no way to use
> iptables.
>
> Federico

Are you matching on new packets/connections only or all packets?

-M
>>> I need to keep out all connections from 5 countries, which originate
>>> most of the Denial of Service attacks. The entries are around 9000 if
>>> used as xx.xx.0.0/16. I heard that there is a smarter way to do this
>>> by using User Tables in iptables, that will keep the speed equal to
>>> LOG(x). I already tried using a straight list and it kills the box.

Yeah, it would - running through 9000 separate rules for each packet would be prohibitive.

>>> Unless a smarter way is found, there is no way to use iptables.

Ideally, what you'd want to do is to somehow "pre-load" one of the really efficient matching modules in iptables (e.g. a hash table) with a list of the network numbers in question, and then be able to do a fast hashed lookup using each incoming packet's upper 16 bits... a hit in the table would indicate a reject, a miss would mean that the packet was OK for further inspection and processing.

It looks to me as if there *is* a way to do this, but may require adding an iptables/netfilter module that is not part of the standard distribution. It's called the "set" module. Take a look at http://ipset.netfilter.org/ and I think you'll like what you see... it'll do what you want.

Briefly, you'll need to:

- Build this module for your kernel, and load it
- Use the "ipset" command to create an IP-address set, and populate it with the 9000 different /16 entries you want to match against. I think the "ipmap" type is what you would want, as this can store up to 65536 entries and uses a single bit for each same-sized address range... lookup time would be constant. "iphash" is another possibility.
- Use a single "iptables" rule to match incoming packets against this set.

> iptables is just a user-space configuration interface to the Linux
> kernel netfilter. The netfilter uses complex hash tables and other data
> structures to ensure that packet forwarding rules are looked up in as
> close to O(1) as possible, not even LOG(n)--LOG(n) would be way too
> expensive.
>
> Other than conventional Cisco router access lists (notwithstanding
> compiled lists and TurboACL), I don't know of any other packet filter in
> the universe that does not do similarly. No packet filter would apply a
> flat list, not the Linux netfilter, not the BSD packet filter, not even
> Windows.

The trick is using the right filtering approach. Doing it the naive way (one separate iptables rule per /16) would indeed kill the system's performance pretty badly. The right approach which will work, is one which can match incoming addresses against a complex set of yes/no criteria in constant or near-constant time. I don't believe that the standard "iptables" distribution contains a module which can do this... but the "ipset" extension module can, and is probably what the original poster wants.

I may have to play around with this approach myself. Federico, do you mind if I ask which countries you're blocking, and which source you used to locate the /16 blocks in question?
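The procedure sketched in the last message (one ipset populated with the blocks and a single iptables rule consulting it), combined with the "new connections only" question and the ipt_recent trap suggested in the earlier replies, as an added shell example that is not part of the thread. It only generates the text that `ipset restore` and `iptables-restore` read and does not run either tool. The set name `geoblock`, the hash parameters, the sample prefixes, the `trapped` list name and the accepted service ports are assumptions; the `hash:net` set type is used instead of the `ipmap` type named above because it takes CIDR prefixes of any length directly.

```shell
#!/bin/sh
# Added example, not code from the thread. Turns a CIDR list into the
# text consumed by `ipset restore` and `iptables-restore`, so that ~9000
# prefixes cost one set lookup per packet rather than ~9000 rule
# evaluations. Nothing here executes ipset or iptables.

# Constructed sample list standing in for the real country blocks.
SAMPLE_NETS='10.0.0.0/16
10.1.0.0/16
172.16.0.0/16
192.0.2.0/24'

# Emit an ipset restore script: one "create" line, then one "add" per
# network. hash:net stores prefixes and is consulted by hashing, so the
# lookup cost does not grow with the entry count the way a rule chain does.
# (set name, hashsize and maxelem are assumptions)
gen_ipset_restore() {
    setname=$1
    nets=$2
    printf 'create %s hash:net family inet hashsize 16384 maxelem 65536\n' "$setname"
    printf '%s\n' "$nets" | while IFS= read -r net; do
        # skip blank lines and comments in the source list
        case $net in ''|'#'*) continue ;; esac
        printf 'add %s %s\n' "$setname" "$net"
    done
}

# Emit the filter table for iptables-restore. Rule order is the point:
# packets of already-accepted connections are passed by conntrack before
# the set is consulted, so only NEW connections pay for the lookup. The
# "recent" pair remembers anything probing tcp/139 and drops it for an
# hour, as suggested earlier in the thread. (accepted ports are assumptions)
gen_iptables_rules() {
    setname=$1
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m set --match-set $setname src -j DROP
# hosts caught by the tcp/139 trap stay blocked for 3600 s after last hit
-A INPUT -m recent --name trapped --rcheck --seconds 3600 -j DROP
-A INPUT -p tcp --dport 139 -m recent --name trapped --set -j DROP
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Stand-alone run: print both fragments (redirect each to a file in real use).
gen_ipset_restore geoblock "$SAMPLE_NETS"
gen_iptables_rules geoblock
```

In use, feed the first fragment to `ipset restore` before loading the second with `iptables-restore`, since the `-m set` rule fails to load if the set does not exist yet. To refresh the list on a live box, generate the same "add" lines into a second set, then `ipset swap` the new set with `geoblock` and destroy the old one, so the rule never points at an empty set during the reload.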