
Rate limiting firewall rule?


vectr0n
2015-08-04, 05:59 PM
Quote Originally Posted by xjetc
Thanks for the reply.

Unfortunately I already have IPTABLES rules to limit SYN packets. That's how I found out 17 MILLION was sent because more than 16MIL of them were dropped by iptables.

This needs to be done at the OVH firewall so these SYN packets don't even reach the VPS.
Only way for that to happen is by following the steps located at: http://docs.ovh.ca/en/faqs-network.html#ddos-attack

DDoS Attack
Our servers all have DDoS protection included. However, the nature of DDoS attacks is always changing, and we have to constantly modify our system to stay up to date. In the event that our anti-DDoS doesn’t mitigate the attack, we would ask that you capture the traffic on your server and send us the logs. This way we can improve the anti-DDoS automatic detection.

To capture packets on any operating system, here is what you will need to do:

If LINUX: tcpdump -w capture-ovh -c 100000 port not ssh (this will create a file called capture-ovh)

If WINDOWS: Use Wireshark and save the info in a .pcap file

Note: You can always use the KVM from your OVH Manager to connect to your server if SSH is not working while under attack.

Ideally we would need around 100,000 packets (with a DDoS attack, that should happen within a second or two at most).

You can then send us the Capture file in your support ticket, or you can upload the file to http://demo.ovh.eu/ and provide the link to us. We will analyse the collected data and use it to further improve our Anti-DDoS protection for all OVH customers.

xjetc
2015-08-04, 05:57 PM
Thanks for the reply.

Unfortunately I already have IPTABLES rules to limit SYN packets. That's how I found out 17 MILLION was sent because more than 16MIL of them were dropped by iptables.

This needs to be done at the OVH firewall so these SYN packets don't even reach the VPS.



vectr0n
2015-08-04, 05:52 PM
Quote Originally Posted by xjetc
Is it possible to setup a rate limiting firewall rule?

Someone was able to send 17 MILLION SYN packets to my VPS within minutes, causing the kernel to crash.
You can find some information on iptables rate limiting in the links below, hope this helps a bit:
https://www.debian-administration.or...ng_connections
http://www.microhowto.info/howto/lim..._iptables.html
http://www.cyberciti.biz/faq/iptable...-limits-howto/
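
As an added example (not code from the thread or from OVH), the per-source SYN rate limiting that the links above describe, written as a reviewable shell script. The chain name SYN_LIMIT, the 50/second rate and the burst of 100 are assumptions chosen for illustration; the script prints the iptables and sysctl commands by default and only applies them when run as root with APPLY=1.

```shell
#!/bin/sh
# Added example, not part of the forum thread: build a per-source SYN
# rate-limiting chain with the iptables hashlimit match, plus the kernel
# SYN-cookie setting that keeps the accept queue usable under a flood.
# Chain name, rate and burst are assumed values, not taken from the thread.

RATE="${SYN_RATE:-50/second}"   # per-source SYN rate allowed (assumed value)
BURST="${SYN_BURST:-100}"       # per-source burst allowance (assumed value)
CHAIN="SYN_LIMIT"               # hypothetical chain name

# Emit the iptables commands. Packets under the per-source rate RETURN to
# INPUT and continue normal processing; SYNs above it are dropped.
syn_limit_rules() {
cat <<EOF
iptables -N $CHAIN
iptables -A $CHAIN -m hashlimit --hashlimit-name synlimit --hashlimit-mode srcip --hashlimit-upto $RATE --hashlimit-burst $BURST -j RETURN
iptables -A $CHAIN -j DROP
iptables -I INPUT -p tcp --syn -m conntrack --ctstate NEW -j $CHAIN
EOF
}

# Kernel-side hardening that complements the firewall rules.
sysctl_rules() {
cat <<EOF
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
EOF
}

# Number of iptables commands generated, for a quick sanity check.
rule_count() {
    syn_limit_rules | wc -l | tr -d ' '
}

if [ "${APPLY:-0}" = "1" ]; then
    # Apply for real (requires root and the hashlimit/conntrack modules).
    syn_limit_rules | sh
    sysctl_rules | sh
else
    # Default: print the commands so they can be reviewed first.
    syn_limit_rules
    sysctl_rules
fi
```

Run it without arguments to inspect the generated commands, then `APPLY=1 ./syn_limit.sh` as root to install them. hashlimit keys on the source address, so one flooding host cannot exhaust the SYN backlog for everyone else, but as xjetc points out every dropped packet still has to be received and evaluated by the VPS; host-side rules reduce the damage, they do not remove the load that only upstream filtering can stop.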

xjetc
2015-08-04, 04:53 PM
Is it possible to setup a rate limiting firewall rule?

Someone was able to send 17 MILLION SYN packets to my VPS within minutes, causing the kernel to crash.