Denial of service mitigation techniques? What do you do?
eravin at panix.com
Fri Apr 8 14:58:46 UTC 2011
On Fri, Apr 08, 2011 at 09:54:08AM -0400, Paul Keck wrote:
> Someone privately pointed me at this thread.
> I'm thinking maybe a script that watches the dhcp log and picks out MAC
> addresses that are pummeling. Then it could either block the IP they are
> coming from for a while (bad because it would take out an entire building or
> VLAN in most cases due to requests coming from the helper-address, good
> because iptables is definitely up to it), or use the byte-offset functions
> in iptables to pick out just the bad discovers/requests from the specific
> MACs and drop those (good because it's specific, possibly bad because that
> will definitely make iptables work harder and might make us DOS ourselves a
> different way). Either way, alert a human to go look for the bad machine
> before the block delay wears off.
> Anyone already have a good way around this? Hate to reinvent the wheel.
Yes, this wheel has been invented more than once already. Suggest you look
up "fail2ban"; it should be flexible enough to create/remove the iptables
entries for a configurable period of time. And you will find it useful
for stopping brute force attacks on all your other daemons.
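A minimal version of the log-watching script Paul describes, added here as an illustration (it is not code from either poster and not fail2ban's own filter). It assumes standard ISC dhcpd syslog lines, a constructed sample log, the year 2011 (syslog timestamps carry none), and a threshold of 20 DISCOVER/REQUESTs per MAC per minute; the relay ("via") address is kept so the human who gets alerted knows which building or VLAN to walk to.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches ISC dhcpd syslog lines such as (constructed examples):
#   Apr  8 09:54:08 dhcpsrv dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via 10.1.2.1
#   Apr  8 09:54:09 dhcpsrv dhcpd: DHCPREQUEST for 10.1.2.50 from 00:11:22:33:44:55 via 10.1.2.1
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd(?:\[\d+\])?: "
    r"(?P<msg>DHCPDISCOVER|DHCPREQUEST)\b.*? from (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: via (?P<relay>\S+))?",
    re.IGNORECASE,
)

def parse_ts(ts, year=2011):
    """Syslog timestamps have no year; the year is an assumption supplied by the caller."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_pummeling_macs(lines, threshold=20, window_seconds=60):
    """Return {mac: relay} for every MAC that sent >= threshold DISCOVER/REQUESTs
    within any window_seconds-long sliding window. relay is the helper-address the
    packets came through, or 'direct' if the client is on-link."""
    recent = defaultdict(deque)   # mac -> timestamps inside the current window
    flagged = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue              # not a DISCOVER/REQUEST line, ignore
        mac = m.group("mac").lower()
        t = parse_ts(m.group("ts"))
        q = recent[mac]
        q.append(t)
        while (t - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop timestamps that fell out of the window
        if len(q) >= threshold and mac not in flagged:
            flagged[mac] = m.group("relay") or "direct"
    return flagged

def sample_log():
    """Constructed sample: one MAC flooding DISCOVERs, one MAC behaving normally."""
    lines = [f"Apr  8 09:54:{i:02d} dhcpsrv dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via 10.1.2.1"
             for i in range(25)]
    lines.append("Apr  8 09:54:10 dhcpsrv dhcpd: DHCPDISCOVER from aa:bb:cc:dd:ee:ff via 10.1.3.1")
    lines.append("Apr  8 09:54:11 dhcpsrv dhcpd: DHCPREQUEST for 10.1.3.50 from aa:bb:cc:dd:ee:ff via 10.1.3.1")
    return lines

if __name__ == "__main__":
    for mac, relay in find_pummeling_macs(sample_log()).items():
        print(f"ALERT: {mac} hammering the DHCP server via relay {relay}; go find it")
```

Run against a live file it would tail /var/log/syslog (or wherever dhcpd logs) instead of sample_log(); the same regex and window logic is what a fail2ban filter and findtime/maxretry pair express declaratively.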