Best Practices for DDoS Protection and Mitigation on Linux
  • Disable TCP loose mode
  • Disable TCP forwarding
  • Enable SYN cookies
  • Enable TCP timestamping
  • Use SYNPROXY module (Optional)

/etc/sysctl.conf

```
net.netfilter.nf_conntrack_tcp_loose = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.ip_forward = 0
```
  • Use the mangle table and the PREROUTING chain

[Image: iptables tables and chains diagram]

Full iptables configuration: https://gist.github.com/shikendon/5cfd3e1cf2181b884fb87d49e1afa695
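
As an added example (not code from this gist or from the linked configuration), the following Python audit checks a host's `sysctl -a` and `iptables-save` output for the four sysctl settings above and for the usual SYNPROXY wiring: an untracked SYN rule in raw PREROUTING, an `INPUT ... --ctstate INVALID,UNTRACKED -j SYNPROXY` rule, and an `--ctstate INVALID -j DROP` rule placed after it. The rule shapes and port 80 are assumptions taken from the upstream SYNPROXY recipe rather than from the gist, and the sample input is constructed.

```python
import re
# Sysctl values from the list above; nf_conntrack_tcp_loose=0 and tcp_timestamps=1
# are also SYNPROXY prerequisites (no mid-stream conntrack pickup; options in timestamps).
REQUIRED_SYSCTL = {"net.netfilter.nf_conntrack_tcp_loose": "0", "net.ipv4.tcp_syncookies": "1",
                   "net.ipv4.tcp_timestamps": "1", "net.ipv4.ip_forward": "0"}

# Constructed sample input, in the shape `sysctl -a` and `iptables-save` print on a real host.
SAMPLE_SYSCTL = """net.netfilter.nf_conntrack_tcp_loose = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.ip_forward = 0"""
SAMPLE_IPTABLES = """*raw
-A PREROUTING -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j CT --notrack
COMMIT
*filter
-A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
-A INPUT -m conntrack --ctstate INVALID -j DROP
COMMIT"""

def parse_sysctl(text):
    """Parse 'key = value' lines (sysctl -a output or sysctl.conf), ignoring comments."""
    parts = (line.split("#", 1)[0].partition("=") for line in text.splitlines())
    return {k.strip(): v.strip() for k, sep, v in parts if sep}

def parse_iptables_save(text):
    """Group iptables-save '-A' rules by table, preserving rule order within each table."""
    tables, table = {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            table = tables.setdefault(line[1:].strip(), [])
        elif line.startswith("-A ") and table is not None:
            table.append(line)
    return tables

def audit(sysctl_text, iptables_text, port=80):
    """Return a list of findings; an empty list means sysctl and SYNPROXY rules are consistent."""
    values, tables = parse_sysctl(sysctl_text), parse_iptables_save(iptables_text)
    findings = [f"{k}={values.get(k, 'unset')} (want {v})"
                for k, v in REQUIRED_SYSCTL.items() if values.get(k) != v]
    def index(table, pattern):  # position of the first matching rule in a table, else None
        return next((i for i, r in enumerate(tables.get(table, [])) if re.search(pattern, r)), None)
    dport = rf"--dport {port} "
    if index("raw", rf"^-A PREROUTING .*{dport}.*-j CT --notrack") is None:
        findings.append(f"raw PREROUTING: no 'CT --notrack' rule for SYNs to port {port}")
    proxy = index("filter", rf"^-A INPUT .*{dport}.*--ctstate INVALID,UNTRACKED -j SYNPROXY")
    drop = index("filter", r"^-A INPUT .*--ctstate INVALID -j DROP")
    if proxy is None:
        findings.append(f"filter INPUT: no SYNPROXY rule for port {port}")
    if drop is None or (proxy is not None and drop < proxy):
        findings.append("filter INPUT: 'ctstate INVALID -j DROP' must come after the SYNPROXY rule")
    return findings
```

On a real host, feed `audit()` the output of `sysctl -a` and `iptables-save`; any non-empty result is a setting or rule ordering that would let traffic bypass the proxy.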

Other notes:

  • synsanity only works on 3.x kernels
  • Google BBR is only available on 4.7+ kernels
  • Use iptables instead of firewalld