2. Hashlimits - limit rate of connections
   • Rate limit SYN packets per IP
3. Ipset - blacklisting of IP addresses
   • Manual blacklisting - feed IP blacklist from HTTP server logs
   • Supports subnets, timeouts
   • Automatic blacklisting via hashlimits
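The manual blacklisting step above (feeding an ipset from HTTP server logs), as an added example that is not from the slides: it parses constructed combined-format access log lines, finds source IPs whose request count in any 10-second window exceeds a threshold, and renders the `ipset add` commands a defender would run. The set name `blacklist`, the threshold and the 600-second timeout are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

SET_NAME = "blacklist"  # hypothetical set: `ipset create blacklist hash:net timeout 600`
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "')

def parse_line(line):
    """Return (ip, unix_time) from a combined-log-format line, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return m.group(1), ts.timestamp()

def find_floods(lines, window=10, threshold=20):
    """Map each IP to its busiest `window`-second request count, if above `threshold`."""
    by_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            by_ip[parsed[0]].append(parsed[1])
    floods = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        peak, start = 0, 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:  # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            floods[ip] = peak
    return floods

def ipset_commands(floods, timeout=600):
    """Render one `ipset add` per offending IP; -exist makes re-adding idempotent."""
    return [f"ipset add {SET_NAME} {ip} timeout {timeout} -exist" for ip in sorted(floods)]

def make_line(ip, second):
    """Constructed sample log line (documentation addresses, not real traffic)."""
    return (f'{ip} - - [10/Oct/2023:13:55:{second:02d} +0000] '
            '"GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"')

# Constructed input: one source sends 30 requests in 10 seconds, one sends 5 spread over a minute.
SAMPLE_LOG = ([make_line("203.0.113.7", s // 3) for s in range(30)]
              + [make_line("198.51.100.9", s) for s in (0, 15, 30, 45, 59)]
              + ["not a log line"])

if __name__ == "__main__":
    for cmd in ipset_commands(find_floods(SAMPLE_LOG)):
        print(cmd)
```

The matching drop rule on the kernel side would be `iptables -I INPUT -m set --match-set blacklist src -j DROP`, and because the set carries a timeout, entries expire on their own.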
• Disable HTTP keep-alives
• Make it a SYN flood

    GET / HTTP/1.1
    Host: www.example.com

    GET / HTTP/1.1
    Host: www.example.com

    GET / HTTP/1.1
    Host: www.example.com

    ...
Attack                     Layer   Approach                    Tools
Packet flood               L3      DROP bad packets            Match on BPF
High volume packet flood   L4      DROP bad packets            Conntrack
Botnet                     L7      Limit damage for each bot   Connlimit, Hashlimit, Ipsets
Very large botnet          L7+     DROP bad requests           Match HTTP request in TCP packets
that
• DROP all the packets! (only 1 in 10k could be valid!)
• With BPF
• Partial kernel bypass for better speed
• Iptables are powerful
• Connlimit, hashlimits, ipsets

marek@cloudflare.com @majek04
Thanks!
backlog capped to
3. SYN backlog capped to
4. Rounded to next power of two

    sysctl -w net.ipv4.tcp_max_syn_backlog=65535
    listen(int sockfd, int backlog)
    sysctl -w net.core.somaxconn=65535

    127 --> 128
    128 --> 256