This article introduces the method of restricting connections from the same IP with iptables on Linux to prevent CC/DDoS attacks. This is only the most basic prevention method; against a real attack, hardware protection is still needed.

1. The maximum number of connections from one IP to port 80 is 10; this value can be customized. (Maximum connections per IP)
service iptables save
service iptables restart
The two rules above have the same effect; the first one is recommended.
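As an added example (my own script, not the article's commands), the following builds the per-IP connection cap described above with the iptables connlimit match, and adds a small awk helper that reads established-connection lines in the format printed by `ss -Htn state established` and reports which peer IPs are over the limit. The port (80), the limit (10) and the DROP target come from the article; the function names and the sample connection lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original article.
# 1. connlimit_rule prints the iptables rule that caps concurrent TCP
#    connections per source IP on one port (port 80, limit 10 as in the text).
# 2. over_limit_ips reads `ss -Htn state established`-style lines and lists
#    the peer IPs whose established-connection count exceeds the limit.
# Nothing here touches the live firewall: the rule is only printed.

# $1 = port, $2 = max connections per source IP,
# $3 = target (DROP by default; REJECT is the other choice discussed in the article).
connlimit_rule() {
  port=$1; limit=$2; target=${3:-DROP}
  printf 'iptables -I INPUT -p tcp --dport %s -m connlimit --connlimit-above %s -j %s\n' \
    "$port" "$limit" "$target"
}

# Read ss(8) output on stdin (columns: Recv-Q Send-Q Local Peer, no State
# column because of the "state established" filter) and print "ip count"
# for every peer IP with more than $1 established connections.
over_limit_ips() {
  limit=$1
  awk -v limit="$limit" '
    NF >= 4 {
      peer = $4
      sub(/:[0-9]+$/, "", peer)   # strip the source port, keep the IP
      count[peer]++
    }
    END {
      for (ip in count)
        if (count[ip] > limit) print ip, count[ip]
    }' | sort
}

# Constructed sample: three connections from 203.0.113.7, one from 198.51.100.9.
SAMPLE='0 0 10.0.0.5:80 203.0.113.7:51234
0 0 10.0.0.5:80 203.0.113.7:51235
0 0 10.0.0.5:80 203.0.113.7:51236
0 0 10.0.0.5:80 198.51.100.9:40001'

# Usage: print the rule, then flag IPs holding more than 2 connections.
connlimit_rule 80 10
printf '%s\n' "$SAMPLE" | over_limit_ips 2
```

`--connlimit-above` counts per source address by default (a /32 mask); `--connlimit-mask` widens the count to a prefix if one address per attacker is too fine-grained. To apply the rule, run the printed line as root, then save it as the article shows. The awk helper is a quick check of the live state: feed it `ss -Htn state established '( sport = :80 )'` to see who would be hit by the cap before enabling it.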
Almost every ops engineer uses the iptables firewall tool. As is well known, iptables has three ways of handling incoming packets: ACCEPT, DROP and REJECT. ACCEPT is easy to understand, but what is the difference between REJECT and DROP? One day I heard Sery's explanation and found it easy to understand:
"It's like a scammer calling you: DROP is rejecting the call outright. REJECT is equivalent to you calling the scammer back."
In fact, people have been asking for a long time whether to use DROP or REJECT. REJECT returns one extra ICMP error message compared with DROP, and each of the two policies has its own advantages and disadvantages, which can be summarized as follows:
DROP is better than REJECT at saving resources and at slowing down an attacker's progress (because it returns no information about the server to the attacker). The downside is that it makes troubleshooting enterprise network problems harder, and under a DDoS attack it is easy for all bandwidth to be exhausted.