On Tuesday 28 March 2006 15:51, Reza - Asterisk Enthusiast wrote:

> I know a number of software based firewalls for Linux, but is there any
> software application out there, that utilizes relatively low CPU resources,
> to prevent or slow down DDoS - that any of you have ACTUALLY implemented?

Iptables is all I've ever needed. You can use rate limit matching right there, priority queuing with tc and iproute2 to make sure that the traffic that IS getting through is sent in the order of priority instead of just best effort, and best of all, it's free and infinitely tuneable.

> I have a Fortigate firewall solution on another server, but those toys are
> expensive. I'm not ready to pitch in another large sum of money for
> this... but at the end if I have to... I have to.

I've never seen a real need for commercial firewalls unless you want the ability to yell at someone else to make something work.

Off the top of my head:

Have your router prioritize VOIP traffic and have everything else as best effort (I prefer more tuning than that but this is just to get the load off the box).

Have your router flat-out DROP ssh traffic not coming from hosts/networks you are known to ssh in from.

If you can, drop all traffic from networks you don't connect to for Asterisk traffic.

If you don't have a router/firewall in front of this Asterisk box, you can do it right on the box. You won't reduce the traffic coming in, but you'll sure reduce the disk I/O and higher-level network traffic that comes with the system trying to interpret these DDoS attempts.

> The quick fix is to allow SSH ONLY from my range of IP's - but that is only
> a Band-Aid solution. What is disturbing though is that these "people with
> no respect", are targeting my Asterisk Server. This is why it's bugging
> me!

It's unfortunately just The Way It Is on the Wild Wild (intar)Web. Unless you can get your upstream provider to help on their end of the pipe, you'll have to handle all of that traffic somehow.

> Your thoughts and inputs on what measures you take to protect your servers
> from DDoS is greatly appreciated... specially those of you who are running
> Asterisk for business purposes!

Just what's mentioned above.
I have not *done* this yet, but one of the ideas is to tie in the firewall with the SIP/IAX2 registry so when a new client registers to me the firewall will stop best-efforting the SIP/IAX2 traffic from them. What this achieves is that even with a full pipe, you shouldn't end up with shitty audio. -A.
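An added example, not from this thread or from A.'s own box, of the three pieces of advice above as a dry-run shell script: ssh accepted only from an assumed admin range 203.0.113.0/24 (a constructed sample), per-source rate limiting of SIP on UDP/5060 with the hashlimit match, and a tc prio qdisc that puts SIP signalling and EF-marked RTP ahead of best-effort traffic. The interface eth0 and the port numbers are assumptions; set DRY_RUN=0 to apply the rules as root.

```shell
#!/bin/sh
# Added example, not from the thread. Dry-run by default: prints the commands
# instead of running them. DRY_RUN=0 applies them (needs root and iptables/tc).
DRY_RUN=${DRY_RUN:-1}
IFACE=${IFACE:-eth0}                      # assumed public interface
ADMIN_NET=${ADMIN_NET:-203.0.113.0/24}    # constructed sample admin range

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# SSH: keep established flows, allow new connections only from ADMIN_NET,
# drop everything else so the box never spends cycles on the noise.
ssh_rules() {
    run iptables -A INPUT -i "$IFACE" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$IFACE" -p tcp --dport 22 -s "$ADMIN_NET" -j ACCEPT
    run iptables -A INPUT -i "$IFACE" -p tcp --dport 22 -j DROP
}

# SIP: per-source rate limit on UDP/5060 with the hashlimit match. A real
# phone registers a few times a minute; one host flooding above 20 packets/s
# (burst 40) is dropped without touching the other sources.
sip_rules() {
    run iptables -A INPUT -i "$IFACE" -p udp --dport 5060 \
        -m hashlimit --hashlimit-name sip --hashlimit-mode srcip \
        --hashlimit-upto 20/sec --hashlimit-burst 40 -j ACCEPT
    run iptables -A INPUT -i "$IFACE" -p udp --dport 5060 -j DROP
}

# Egress priority queueing: a 3-band prio qdisc where every unmatched packet
# lands in the last band (best effort). SIP signalling and EF-marked RTP
# (DSCP 46, the usual tos setting for voice) are filtered into band 0 (1:1).
prio_rules() {
    run tc qdisc add dev "$IFACE" root handle 1: prio bands 3 \
        priomap 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2
    run tc filter add dev "$IFACE" parent 1: protocol ip prio 1 u32 \
        match ip dport 5060 0xffff flowid 1:1
    run tc filter add dev "$IFACE" parent 1: protocol ip prio 1 u32 \
        match ip tos 0xb8 0xfc flowid 1:1
}

ssh_rules
sip_rules
prio_rules
```

Order matters: the ESTABLISHED,RELATED rule has to come before the ssh DROP, and the hashlimit ACCEPT before the SIP DROP, or you lock yourself and your phones out.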
