It is not useful for small time attackers - small time attackers/children/etc just use booters which at least usually output double digit gbps, often spoofed, costs a cent or pay in runescape gold or other bullshit like that. Your upstream will need to mitigate this. No small scale attacker will be launching their own attacks (from their own machines), unless they were seriously incompetent but also think they're some form of power user, which doesn't really happen...
It is not useful for straight HTML - volumetric DDoS will take it out (not l7), it's not even going to make it to your machine. It does not mitigate well against any real major l7 flood either, just by virtue of "your pipe is smaller". A formal l7 attack would at least do basic recon to find a high resource consumption page (like search.php?q=%20 or something)
I guess this would come in maybe slightly useful with someone running ab or jmeter from a single machine toward you? But I don't know a single instance of that happening in the last decade..
I feel like there's a bunch of other things in play, like for example if you're running a public API, one api key should not be able to take you down - you should be rate limiting them against repeated hits, for instance.
I'm not saying iptables is bad per se, but this article in particular is just some overpriced hosting provider's blog that tells you to set things like kernel.panic in sysctl. The article also claims all of this to be a defense against DDoS, which really will probably just eat through your pipe completely most of the time, not single-person DoS.
"Small time attackers" are doing __distributed__ denial of service? I guess if they do not have enough bandwidth but has enough req/s, you can protect yourself something like the article suggests. In my dictionary DDOS is when they are jamming the pipes.
only for DoS, not DDoS. i.e. if you omit the distributed from Denial of Service, then iptables will work. Not so when the attack exhausts either your bandwidth or your stack's filtering capabilities. it's easy to rent GBits of distributed attack bandwidth.
Why? Isn’t this the kind post hacker news is all about ? Is there something about this post that’s misleading or false? I don’t see any explanation of facts to make me believe your comment ?
It can’t hurt or are you saying this is bad if you only have one server what about if your balancing your traffic over thousands of servers wouldn’t this help?
I am kind of curious what field you see attacks in, or how "most attacks are small" - even two slapfighting kids having a minecraft argument routinely exceeds 50-70Gbps+ from what I've seen..
Yes. It costs less than $1-3 for a month or week of 'service' with a maximum of typically 3-5 minutes per attack, you can pay with PayPal, you can pay with Runescape gold or Roblox/Fortnite/game of the month currency, sign in to a (typically really badly made novice PHP-based) panel, often behind Cloudflare free plan themselves, and enter an IP/hostname and click the button.
These typically use PHP scripts/perl scripts/whatever and fork off in the background to do some mix of sshing into some machines legitimately purchased or with stolen cards at crappy "offshore" providers that allow spoofing or otherwise to launch reflected DNS/NTP attacks, hitting upstream APIs that do the same (as a reseller of attacks), hitting uploaded webshells to do `fsockopen('udp://'...` on a ton of cheap shared hosting machines or hacked sites, usually old PHP CMS type stuff.
Comes complete with fake "terms of service" like how it's only meant to be used for legal testing of your own servers, but in practice that's effectively there as a joke.
Developing and running a multiplayer game for 11 years, and games definetly is one of the industries that has most DoS attacks. It's rare that attacks are 50-70 Gbps, and that large SYN attacks are definetly not common.
Reflection attacks of 50-70 Gbps are easily blocked by the firewall as the port is likely blocked.
If you think the post is harmful/incorrect or even off-topic then you can flag it. It's not clear from your comment that flagging would have been appropriate though, unless you find this disastrously bad for a post.
The problem is really that upvote means different things. If we had upvote correct and upvote interested we would be able to serve the now broad HN readership without downvote.
This can protect you from simple DoS attack by some script kiddie, not real DDoS attack. Just use CloudFlare or a provider that have active protections against DDoS attacks. Iptables will NOT help you with any real DDoS attack.
I think you overestimate what iptables can do and for what they are used today. Most of the DDoS filtering is done using XDP, BPF, not iptables. Articles you linked contradict your thesis. In first article they write there about iptables but they use XDP most of the time because it's a better/more efficient solution. In second article they are using iptables for routing, not preventing DDoS.
The author has one start out by implementing sysctl changes which have no relation to the subject matter at hand (printk, sysrq, panic, etc.). A number of comments on the article point out flaws and misconfigurations in the rulesets presented.
The complete lack of an explanation as to why those config changes have been made is also frustration. I think that these types of articles- where you're told what to do but not why- do a huge disservice and result in people building out on maintainable or hard to upgrade systems. A few comments would go a long way.
The problem is when you are not able to "eat" the whole DDoS without filling your link/links to your ISP/s. Then it does not matter how god you are at dropping at the edge of your datacenter, or what solution you are using.
While you can't block volumetric attacks on the server, this is something a hosting provider can help you with. Some have automatic volumetric DDoS detection and protection, like OVH, and some might be able to ask upstreams, internet exchanges to completely block all UDP traffic for certain subnets or even setup completely custom firewall rules, effectively preventing volumetric attacks from filling links within their global networks and of course from reaching your server. But you are still left with non-volumetric attacks that you need to use a firewall for, maybe even with some scripting to gather statistics and whitelist known good IPs and IP subnets in case of an attack. Maybe with mitigations on, for example, frontend web servers to avoid overloading much slower backends, databases, etc.
Also, even if the attack is small enough to block using iptables, you still have to have someone on call 24x7, and then spend time to figure out which ports/ips need blocked. If you use OVH or similar provider that has built-in DDoS protection, the mitigation will all happen automatically.
I wouldn’t bother with iptables. I’ve done it before and it quickly gets overrun on any large scale attacks. Cloudflare on your front end will stop a lot of garbage and take the brunt of volumetric attacks, or use nginx/varnish/haproxy to rate limit and or block attackers before they reach your app.
51 comments
[ 5.0 ms ] story [ 118 ms ] threadWould this hit a sweet spot between a grandma's blog with straight HTML and massively trafficked sites like Wikipedia?
Resource exhaustion seems like a useful feature of _some_ kind of system. What does that system look like?
It is not useful for straight HTML - volumetric DDoS will take it out (not l7), it's not even going to make it to your machine. It does not mitigate well against any real major l7 flood either, just by virtue of "your pipe is smaller". A formal l7 attack would at least do basic recon to find a high resource consumption page (like search.php?q=%20 or something)
I guess this would come in maybe slightly useful with someone running ab or jmeter from a single machine toward you? But I don't know a single instance of that happening in the last decade..
I'm not saying iptables is bad per se, but this article in particular is just some overpriced hosting provider's blog that tells you to set things like kernel.panic in sysctl. The article also claims all of this to be a defense against DDoS, which really will probably just eat through your pipe completely most of the time, not single-person DoS.
Just as real as anything else...
You want to drop unwanted traffic before you start spending more cycles on it.
These typically use PHP scripts/perl scripts/whatever and fork off in the background to do some mix of sshing into some machines legitimately purchased or with stolen cards at crappy "offshore" providers that allow spoofing or otherwise to launch reflected DNS/NTP attacks, hitting upstream APIs that do the same (as a reseller of attacks), hitting uploaded webshells to do `fsockopen('udp://'...` on a ton of cheap shared hosting machines or hacked sites, usually old PHP CMS type stuff.
Comes complete with fake "terms of service" like how it's only meant to be used for legal testing of your own servers, but in practice that's effectively there as a joke.
There's a huge market of these, "step by step" guides on youtube with affiliate links to these services, like https://www.youtube.com/watch?v=tHKBZr00IOA for example.
Reflection attacks of 50-70 Gbps are easily blocked by the firewall as the port is likely blocked.
Sure they have bigger "tubes" as well
https://blog.cloudflare.com/how-we-built-spectrum/
https://blog.cloudflare.com/how-to-drop-10-million-packets/
https://www.esecurityplanet.com/products/top-ddos-vendors.ht...
"Cloudflare WAF supports the OWASP ModSecurity Core Rule Set by default" https://www.cloudflare.com/waf/
Iptables definetly can help with real ddos attacks.
Maybe we have different definitions of real DDoS attacks. What you mean is probably DoS attack, not DDoS (distributed).
If you have 1 gigabit pipe I can DoS (from one machine) you with 10 gigabit machine with ease and iptables will not help you at all.
Most attacks are usually small(<10 Gbps) and effective iptables rules can go a long way, both against unwanted application traffic and packet floods.
Iptables is there to ensure you can handle as many packets as possible per second, not bandwidth.
Your server would be dead in any large scale attack anyway, iptables is fine and works well
Please stop this non-sense, there are too many ICMP blackholes already.
don't be lazy, don't drop ICMP and just do proper filtering.