Apples to oranges comparison to commercial appliances ... too much to list when mobile unfortunately
Sent from my iPhone

> On Jul 19, 2017, at 10:56 AM, Dev <d...@logicalwebhost.com> wrote:
>
> It seems MT is setting up rate limits like:
>
> dst-limit=32,32,src-and-dst-addresses/10s
>
> and then adding them to a blacklist which the firewall queries, or routing
> them to a tarpit like:
>
> connection-limit=3,32 action=tarpit
>
> to hopefully slow them down. Or limit SYN connections like:
>
> tcp-flags=syn limit=400,5
>
> But you could do the same with a combination of iptables, kernel mods, and
> SYNPROXY that would rate limit, but also block a host's malformed packets,
> spoofing, establish whether you're just getting hit with bogus SYN, etc. So
> in a way, native kernel + iptables has a more full-featured set of tools than
> MT? You could also extend this as needed, rather than waiting for MT to get
> around to it.
>
> You could buy a really expensive appliance, but they'd be largely doing the
> same things, so is there some other secret sauce they have that stops DDoS in
> interesting ways? It seems like this would cost less than a Lexus.
>
> I guess a commercial appliance would have a nice GUI that would be expensive
> and time-consuming to build, which I don't care about, I'd mostly monitor
> through centralized syslog and then just watch that enterprise-wide to see
> problems, which we're already doing in other contexts.
>
>
>> Depending on what you are trying to do, MT can do that, it's just a matter
>> of creating the firewall rules. :)
>
>> -----Original Message-----
>> From: Af [mailto:af-boun...@afmug.com] On Behalf Of Paul Stewart
>> Sent: Tuesday, July 18, 2017 8:27 PM
>> To: af@afmug.com
>> Subject: Re: [AFMUG] DIY DDoS box with iptables?
>
>> I guess it depends on what you are trying to accomplish here ... are you
>> looking to scrub the traffic clean or just block dirty traffic? How will
>> you determine what traffic is dirty and apply rules on the fly?
>
>> Sorry - many questions come to mind here and don't mean to sound negative
>> but it seriously comes down to expectations. I'm aware of one company
>> that I've seen that built their own - they spent three years developing it
>> to their needs with 4 developers working on nothing but it ... at the end of
>> the day they spend more money than just buying an Arbor system and still
>> spend considerable dollars trying to maintain it ...
>
>
>> On Jul 18, 2017, at 5:21 PM, Dev <d...@logicalwebhost.com> wrote:
>>
>> What is the feasibility of building a DDoS protection box out of a bare
>> Linux server running a dual-10G/40G NIC inline with iptables handling junk
>> traffic, and then a third eth for management? Seems like the 10G/40G card
>> could help scrub traffic before it hits your core? Has anyone built one?
>> I've heard about CCRs, but my experience with MT has been...weird, they
>> just do weird stuff from time to time, YMMV, etc. etc., but I've had better
>> luck with Cisco and the usual suspects. It seems like a purpose built
>> vanilla Linux box would be easily upgradeable, universally supported with
>> vanilla kernel support, etc. and you could just tweak stuff until you got it
>> dialed, no?
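For reference, here is what the three MikroTik rules quoted in the thread (dst-limit, connection-limit with tarpit, and the SYN limit) look like as an iptables/ipset/SYNPROXY ruleset for an inline Linux box. This is an added example, not code from any post in the thread. The interface name, protected ports, ipset name, timeouts and the "per second" reading of the MT rate values are assumptions; the script prints the commands by default and only applies them when run as root with IPT=iptables IPSET=ipset SYSCTL=sysctl.

```shell
#!/bin/sh
# Added example (not from the thread): MikroTik-style DDoS rules expressed
# with vanilla iptables + ipset + SYNPROXY. Everything below "assumed:" is an
# assumption for the example. Dry-run by default: the commands are echoed.
IPT="${IPT:-echo iptables}"
IPSET="${IPSET:-echo ipset}"
SYSCTL="${SYSCTL:-echo sysctl}"
WAN="${WAN:-eth0}"                # assumed: dirty-side interface of the inline box
PROTECTED="${PROTECTED:-80,443}"  # assumed: ports fronted by SYNPROXY

sysctl_prep() {
    # SYNPROXY requires syncookies and timestamps; loose conntrack pickup must be off
    $SYSCTL -w net.ipv4.tcp_syncookies=1
    $SYSCTL -w net.ipv4.tcp_timestamps=1
    $SYSCTL -w net.netfilter.nf_conntrack_tcp_loose=0
    # strict reverse-path filtering drops the obvious spoofed sources
    $SYSCTL -w net.ipv4.conf.all.rp_filter=1
}

blacklist_prep() {
    # kernel-side blacklist the firewall queries; entries age out after 600 s (assumed)
    $IPSET create blacklist hash:ip timeout 600 -exist
}

gen_rules() {
    # 0. blacklisted sources are dropped in raw, before conntrack spends any work
    $IPT -t raw -A PREROUTING -i "$WAN" -m set --match-set blacklist src -j DROP

    # 1. SYNPROXY: SYNs to protected ports get no conntrack entry; the kernel answers
    #    with syncookies and only opens a real connection once the client ACKs,
    #    so bogus SYN floods never reach the hosts behind the box
    $IPT -t raw -A PREROUTING -i "$WAN" -p tcp --syn -m multiport --dports "$PROTECTED" -j CT --notrack
    $IPT -A FORWARD -i "$WAN" -p tcp -m multiport --dports "$PROTECTED" \
        -m conntrack --ctstate INVALID,UNTRACKED \
        -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460

    # 2. malformed and out-of-state packets (must follow the SYNPROXY rule)
    $IPT -A FORWARD -i "$WAN" -m conntrack --ctstate INVALID -j DROP
    $IPT -A FORWARD -i "$WAN" -p tcp --tcp-flags ALL NONE -j DROP            # null scan
    $IPT -A FORWARD -i "$WAN" -p tcp --tcp-flags ALL ALL -j DROP             # xmas scan
    $IPT -A FORWARD -i "$WAN" -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    $IPT -A FORWARD -i "$WAN" -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

    # 3. dst-limit=32,32,src-and-dst-addresses/10s -> hashlimit keyed on (srcip,dstip);
    #    a source that exceeds the rate is added to the blacklist (rule 0 then drops it)
    $IPT -A FORWARD -i "$WAN" -p tcp --syn \
        -m hashlimit --hashlimit-name syn-per-pair --hashlimit-mode srcip,dstip \
        --hashlimit-above 32/second --hashlimit-burst 32 --hashlimit-htable-expire 10000 \
        -j SET --add-set blacklist src --exist

    # 4. connection-limit=3,32 action=tarpit -> connlimit with /32 mask. TARPIT lives in
    #    xtables-addons, not the vanilla kernel; use DROP if it is not installed
    $IPT -A FORWARD -i "$WAN" -p tcp --syn -m multiport --dports "$PROTECTED" \
        -m connlimit --connlimit-above 3 --connlimit-mask 32 -j TARPIT

    # 5. tcp-flags=syn limit=400,5 -> global SYN rate limit (MT units assumed per second);
    #    excess SYNs are logged (rate-limited) to syslog for central collection, then dropped
    $IPT -A FORWARD -i "$WAN" -p tcp --syn -m limit --limit 400/second --limit-burst 5 -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -p tcp --syn -m limit --limit 10/minute -j LOG --log-prefix "synflood: "
    $IPT -A FORWARD -i "$WAN" -p tcp --syn -j DROP
}

# Dry run prints the full command list; with IPT=iptables etc. it applies them.
sysctl_prep
blacklist_prep
gen_rules
```

Rule order matters: the SYNPROXY rule has to see the UNTRACKED SYN and the INVALID drop has to come after it, and the SET target is non-terminating, so an offender's current packet still passes through the later limits while every following packet is dropped in raw. IPv4 only; the same rules would be repeated with ip6tables for v6.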