The 'recent' module in iptables allows you to automatically block IPs that open more than x connections in y seconds. As long as the DDoS doesn't saturate your line, that'll help a lot.
On Thu, Sep 24, 2009 at 10:56 AM, Claudio Nanni <claudio.na...@gmail.com> wrote:
> ....and in case it is feasible use a custom port to prevent specific attacks
> to mysql.
> All clients and application servers will need to connect to the new port.
>
> Claudio
>
>
> 2009/9/24 Willy <sangpr...@gmail.com>
>
> > Limiting connections to trusted hosts will reduce it. And it's better handled
> > by the firewall.
> >
> >
> > Willy
> > Sent from my Sony Ericsson XPERIA™ X1.
> >
> > -----Original Message-----
> > From: John <j...@butterflysystems.co.uk>
> > Sent: 24 September 2009 15:07
> > To: 'The Doctor' <doc...@doctor.nl2k.ab.ca>; mysql@lists.mysql.com
> > Subject: RE: Restricting MySQL access to port 3306
> >
> > I don't think there's anything specific to MySQL, but for any system you
> > should ensure you have a good, well-configured firewall set up, make sure
> > antivirus software is installed and kept up to date, ensure programs only
> > run with essential permissions, and keep your system up to date with all the
> > latest security patches. This applies to Windows AND Linux systems.
> >
> > You can reduce your exposure to SYN attacks by blocking all incoming packets
> > from bad external IP addresses 10.0.0.0 to 10.255.255.255, 127.0.0.0 to
> > 127.255.255.255, 172.16.0.0 to 172.31.255.255, and 192.168.0.0 to
> > 192.168.255.255, as well as all internal addresses.
> >
> > Brute force attack exposure can be reduced by setting your router to ignore
> > broadcast addressing and setting your firewall to ignore ICMP requests; how
> > you do this will depend on your router/firewall. You should also block all
> > non-service UDP service requests for your network. Programs that need UDP
> > will still work.
> >
> > It's also worth making regular visits to a site such as
> > http://staff.washington.edu/dittrich/misc/ddos/ to find out what's new in
> > DDoS. Being well informed is half the battle!
> >
> > Regards
> >
> > John Daisley
> > MySQL & Cognos Contractor
> >
> > Certified MySQL 5 Database Administrator (CMDBA)
> > Certified MySQL 5 Developer (CMDEV)
> > IBM Cognos BI Developer
> >
> > Telephone +44 (0)7812 451238
> > Email j...@butterflysystems.co.uk
> >
> > -----Original Message-----
> > From: The Doctor [mailto:doc...@doctor.nl2k.ab.ca]
> > Sent: 24 September 2009 07:38
> > To: mysql@lists.mysql.com
> > Subject: Restricting MySQL access to port 3306
> >
> > Some months back I had to firewall port 3306 due to DDoS.
> >
> > I cannot do this now as a client needs 3306 outside the LAN.
> >
> > What can I do to prevent DDoS on my MySQL server?
> >
> > --
> > Member - Liberal International  This is doc...@nl2k.ab.ca
> > Ici doc...@nl2k.ab.ca  God, Queen and country! Beware Anti-Christ rising!
> > Never Satan President Republic!
> > For the latest World News go to http://www.cuttingedge.org/
> >
> > --
> > MySQL General Mailing List
> > For list archives: http://lists.mysql.com/mysql
> > To unsubscribe: http://lists.mysql.com/mysql?unsub=claudio.na...@gmail.com
>
>
> --
> Claudio
>
--
That which does not kill you was simply not permitted to do so for the purposes of the plot.
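The 'recent' match suggested at the top of the thread, written out as a loadable rule set for port 3306, with the trusted-host bypass Willy mentions. This is an added example, not rules posted by anyone in the thread; the chain name MYSQL_LIMIT, the defaults (10 new connections per source per 60 seconds) and the TRUSTED variable are assumptions. It needs root to load; with IPT=echo it prints the rules instead, which is how to review the result before touching a live firewall.

```shell
#!/bin/sh
# Added example (not from the thread): per-source rate limiting of new MySQL
# connections with the iptables 'recent' match. Assumed defaults: at most
# HITS new connections per source IP per WINDOW seconds on PORT; sources in
# TRUSTED (space-separated addresses or CIDRs) bypass the limit entirely.
# Run as root to load the rules; set IPT=echo to print them instead.
IPT="${IPT:-iptables}"
PORT="${PORT:-3306}"
HITS="${HITS:-10}"
WINDOW="${WINDOW:-60}"
TRUSTED="${TRUSTED:-}"          # e.g. TRUSTED="192.0.2.10 198.51.100.0/24"
CHAIN="MYSQL_LIMIT"

mysql_ratelimit_rules() {
    # Dedicated chain: re-running this script flushes and rebuilds it
    # without disturbing anything else in INPUT.
    "$IPT" -N "$CHAIN" 2>/dev/null || "$IPT" -F "$CHAIN"

    # Trusted clients never enter the counter.
    for src in $TRUSTED; do
        "$IPT" -A "$CHAIN" -s "$src" -j RETURN
    done

    # Check first, record second. --rcheck only reads the table: it matches
    # once the source already has HITS timestamps inside WINDOW, so the
    # (HITS+1)th attempt is dropped. Dropped packets are not recorded, so the
    # block ends WINDOW seconds after the last accepted connection; using
    # --update here instead would keep extending the block while the client
    # keeps hammering.
    "$IPT" -A "$CHAIN" -m recent --name mysql --rcheck \
        --seconds "$WINDOW" --hitcount "$HITS" -j DROP

    # Accepted attempt: add a timestamp for this source and return to INPUT.
    "$IPT" -A "$CHAIN" -m recent --name mysql --set -j RETURN

    # Hook: only NEW TCP connections to the MySQL port are counted;
    # packets of established sessions never reach the chain.
    # (-D first makes the hook idempotent; it fails harmlessly on first run.)
    "$IPT" -D INPUT -p tcp --dport "$PORT" -m conntrack --ctstate NEW -j "$CHAIN" 2>/dev/null
    "$IPT" -I INPUT -p tcp --dport "$PORT" -m conntrack --ctstate NEW -j "$CHAIN"
}

# Usage: ./mysql_ratelimit.sh apply            (load the rules)
#        IPT=echo ./mysql_ratelimit.sh apply   (dry run, print the rules)
if [ "${1:-}" = "apply" ]; then
    mysql_ratelimit_rules
fi
```

Two things to check before relying on it. First, --hitcount cannot exceed the xt_recent module's ip_pkt_list_tot parameter (default 20); a larger value makes the rule fail to load, so raise the parameter at module load time (modprobe xt_recent ip_pkt_list_tot=...) if you need a higher threshold. Second, the counter is per source address, so it only catches what the thread's first reply says it catches: one or a few hosts opening connections too fast. A flood spread across many sources each staying under HITS, or one that simply fills the link, passes straight through, which is why the trusted-host restriction still matters when it is feasible. The live table can be inspected at /proc/net/xt_recent/mysql.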