Showing posts from August 2, 2009

DDOS protection using iptables (recent module)

This article is about the iptables recent module, which can be used to defend against DDoS attacks. The setup was tested in bridged mode.

Recent work on DDoS mitigation for one of our customers gave me a look at some interesting capabilities of the "recent" module of iptables. One of the websites came under attack with a flood of SYN packets and "GET" requests from distributed zombies; we could identify around 4000 - 5000 unique hosts. To define the attack pattern we captured some traffic, but it contained only SYNs and GET requests, nothing else that would distinguish it. Therefore I settled on this rule: if one host creates more than 20 sessions during 100 seconds, drop its packets.

iptables -I FORWARD -p tcp --dport 80 -i bridge0 -m state --state NEW -m recent --set
iptables -I FORWARD -p tcp --dport 80 -i bridge0 -m state --state NEW -m recent --update --seconds 100 --hitcount 20 -j DROP

Initially I applied these rules but saw no traffic reduction. When I checked the source code static unsigned
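As an added illustration (not code from the original post), here is a small Python model of how the two rules above behave, so the "more than 20 sessions in 100 seconds" threshold can be checked against constructed traffic before touching a firewall. The model assumes the matching described in its comments: `--update` matches an address only when it already has at least `hitcount` recorded timestamps inside the `seconds` window (refreshing the entry on a match), while a non-match falls through to the `--set` rule, which records the timestamp. It also assumes a bounded per-address timestamp ring (`max_stamps`, a parameter of this model, not a value taken from the post), which is what makes a hitcount larger than the ring impossible to reach. The sample events and addresses are constructed.

```python
"""Model of the iptables 'recent' rule pair from the post (added example):

  -m recent --set                                     (record this NEW packet)
  -m recent --update --seconds 100 --hitcount 20 -j DROP

Because both rules are inserted with -I, the --update/DROP rule sits above the
--set rule, so each NEW packet is checked against the history first and only
recorded by --set when it was not dropped.
"""


class RecentTable:
    """Simplified model of one 'recent' list keyed by source address."""

    def __init__(self, seconds=100, hitcount=20, max_stamps=20):
        self.seconds = seconds        # --seconds window
        self.hitcount = hitcount      # --hitcount threshold
        self.max_stamps = max_stamps  # per-address ring size (model assumption)
        self.stamps = {}              # addr -> list of timestamps, oldest first

    def _record(self, addr, now):
        """Append a timestamp, keeping only the newest max_stamps entries."""
        ring = self.stamps.setdefault(addr, [])
        ring.append(now)
        if len(ring) > self.max_stamps:
            del ring[0]

    def update_matches(self, addr, now):
        """--update --seconds S --hitcount N: match if >= N stamps lie in the window.
        A match refreshes the entry with the current timestamp."""
        ring = self.stamps.get(addr)
        if ring is None:
            return False
        hits = sum(1 for t in ring if now - t <= self.seconds)
        if hits >= self.hitcount:
            self._record(addr, now)
            return True
        return False

    def new_connection(self, addr, now):
        """Verdict for one NEW connection (SYN) from addr at time now."""
        if self.update_matches(addr, now):
            return "DROP"        # --update rule matched, -j DROP terminates
        self._record(addr, now)  # fell through to the --set rule
        return "ACCEPT"


def simulate(events, **table_args):
    """Run (time_seconds, src_ip) events through the rules.
    Returns {src_ip: (accepted, dropped)}."""
    table = RecentTable(**table_args)
    counts = {}
    for now, ip in events:
        accepted, dropped = counts.get(ip, (0, 0))
        if table.new_connection(ip, now) == "ACCEPT":
            counts[ip] = (accepted + 1, dropped)
        else:
            counts[ip] = (accepted, dropped + 1)
    return counts


# Constructed sample traffic: one zombie opening 30 connections in 60 seconds,
# one legitimate client opening 5 connections spread over 100 seconds.
SAMPLE_EVENTS = sorted(
    [(i * 2.0, "198.51.100.7") for i in range(30)]
    + [(i * 25.0, "192.0.2.10") for i in range(5)]
)

if __name__ == "__main__":
    for ip, (accepted, dropped) in simulate(SAMPLE_EVENTS).items():
        print(f"{ip}: accepted={accepted} dropped={dropped}")
    # With a ring smaller than the hitcount the threshold can never be reached:
    print(simulate(SAMPLE_EVENTS, hitcount=30, max_stamps=20))
```

With the defaults the zombie's 21st and later connections inside the window are dropped while the legitimate client is untouched; the second run shows the failure mode where a `hitcount` larger than the per-address ring never matches at all, which is the kind of silent "no traffic reduction" worth ruling out before blaming the rule itself.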