Denial of service mitigation techniques? What do you do?

Ed Ravin eravin at
Fri Apr 8 14:58:46 UTC 2011

On Fri, Apr 08, 2011 at 09:54:08AM -0400, Paul Keck wrote:
> Someone privately pointed me at this thread
> I'm thinking maybe a script that watches the dhcp log and picks out MAC
> addresses that are pummeling.  Then it could either block the IP they are
> coming from for a while (bad because it would take out an entire building or
> VLAN in most cases due to requests coming from the helper-address, good
> because iptables is definitely up to it), or use the byte-offset functions
> in iptables to pick out just the bad discovers/requests from the specific
> MACs and drop those (good because it's specific, possibly bad because that
> will definitely make iptables work harder and might make us DOS ourselves a
> different way).  Either way, alert a human to go look for the bad machine
> before the block delay wears off.
> Anyone already have a good way around this?  Hate to reinvent the wheel.

Yes, this wheel has been invented more than once already.  Suggest you look
up "fail2ban" , it should be flexible enough to create/remove the iptables
entries for a configurable period of time.  And you will find it useful
for stopping brute force attacks on all your other daemons.

	-- Ed

More information about the dhcp-users mailing list