Network Layer Thresholding Response

Applying thresholding logic to iptables targets is accomplished with the iptables limit extension. For example, the limit extension can be used within an ACCEPT rule to limit the number of packets accepted from a specific source address within a given window of time. The following iptables rules restrict the policy to only accept 10 packets per second to or from the 144.202.X.X IP address.


For each ACCEPT rule above that uses the limit match, there is also a corresponding DROP rule. This accounts for packet levels that exceed the 10-per-second maximum permitted by the limit match; once the packet rate is higher than this threshold, packets no longer match the ACCEPT rule and are instead compared against the remaining rules in the iptables policy, where the DROP rule catches them. It is frequently better to refuse to communicate with an attacker altogether than to allow even thresholded rates of packets through.
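The following shell functions build the thresholded ACCEPT/DROP pair described above for one address in each chain. This is an added example, not the rule set from the original text: the chain names, the 203.0.113.5 address, the 10/second rate and the burst value are constructed, and the commands are echoed (dry run) unless IPT is set to the real iptables binary.

```shell
#!/bin/sh
# Added example (not the page's own rules). Builds a limit-match ACCEPT
# rule followed by a catch-all DROP rule for one address in one chain.
# IPT defaults to a dry run that prints the commands; set IPT=iptables
# (as root) to apply them.
IPT="${IPT:-echo iptables}"

# limit_pair CHAIN DIRECTION ADDR RATE [BURST]
#   DIRECTION is "src" (match -s ADDR) or "dst" (match -d ADDR).
#   RATE uses iptables limit syntax, e.g. 10/second.
#   BURST is --limit-burst; iptables defaults it to 5, so a short burst
#   of up to BURST packets still matches before the rate limit applies.
limit_pair() {
  chain=$1; dir=$2; addr=$3; rate=$4; burst=${5:-5}
  case "$dir" in
    src) sel="-s $addr" ;;
    dst) sel="-d $addr" ;;
    *)   echo "limit_pair: direction must be src or dst" >&2; return 1 ;;
  esac
  # ACCEPT at position 1 and DROP at position 2, so the thresholded
  # ACCEPT is always evaluated before its DROP counterpart.
  $IPT -I "$chain" 1 $sel -m limit --limit "$rate" --limit-burst "$burst" -j ACCEPT
  $IPT -I "$chain" 2 $sel -j DROP
}

# threshold_host ADDR RATE
#   Applies the pair to packets to or from ADDR in INPUT, OUTPUT and
#   FORWARD (both directions in FORWARD), eight rules in total.
threshold_host() {
  limit_pair INPUT   src "$1" "$2" &&
  limit_pair OUTPUT  dst "$1" "$2" &&
  limit_pair FORWARD src "$1" "$2" &&
  limit_pair FORWARD dst "$1" "$2"
}

# Dry-run demonstration with a constructed address (TEST-NET-3).
threshold_host 203.0.113.5 10/second
```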

You can also use the limit match to place thresholds on the number of iptables log messages that are generated by default logging rules. However, unless disk space is a concern, applying a limit threshold to a LOG rule is not usually necessary, because the kernel uses a ring buffer internally within the LOG target so that log messages are overwritten whenever packets hit a LOG rule faster than they can be written out via syslog.
