I have a hotspot that has recently been used to DoS others. Thus I want to limit the maximum number of connections to the same destination IPs.
I have seen incoming DoS protection in this forum where someone set up a filter with connection limiting like 10,32, where 10 is the number of connections and 32 is the IP mask of the originating address … so in this case the same IP starts all 10 connections.
I want to do the same, but I want to control the destination IP and not the source IP … since my hotspot is the source IP.
Does anyone know how to do this? … or could someone explain to me whether the filter parameters regarding the connection limiting have different meanings for the input, forward and output chains?
If anyone has more than 200 TCP sessions open at once, it will add them to an address list and drop all of their packets for the next 2 hours. It also adds a line to the log that the abuse limit was reached, so if you have it sending the logs to a different server you can review if/when someone was blocked. It also lets you set up an address list of IP addresses that you do not want to block, so if you have a permanent computer or piece of hardware it will be exempt from these rules.
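The rule set described in the answer above, written out as a RouterOS firewall configuration. This is an added example, not the poster's own rules: the address-list names `exempt-hosts` and `abusers`, the sample host 192.168.88.10, the use of the forward chain (client traffic from a hotspot passes through forward before src-nat, so the client's own address is still visible) and the `200,32` threshold (200 connections counted per single source address, the same count,mask form as the `10,32` rule mentioned in the question) are all assumptions made for the example.

```routeros
# Added example (not from the original thread). Implements the approach in the answer:
#  1. hosts in "exempt-hosts" are never limited,
#  2. a source opening more than 200 TCP connections is put in "abusers" for 2h and logged,
#  3. anything in "abusers" is dropped.

/ip firewall address-list
# constructed sample entry: a permanent machine that must never be blocked
add list=exempt-hosts address=192.168.88.10 comment="never rate-limit this host"

/ip firewall filter
# exempt list is checked first so those hosts never reach the limit rule
add chain=forward src-address-list=exempt-hosts action=accept \
    comment="whitelisted hosts bypass the abuse rules"

# drop every packet from a host that is currently listed as an abuser
add chain=forward src-address-list=abusers action=drop \
    comment="blocked for 2h after exceeding the abuse limit"

# >200 concurrent TCP connections from one source address (mask /32):
# add that source to "abusers" with a 2h timeout and write a log line
add chain=forward protocol=tcp connection-limit=200,32 \
    action=add-src-to-address-list address-list=abusers address-list-timeout=2h \
    log=yes log-prefix="abuse limit reached" \
    comment="flag hosts with more than 200 open TCP sessions"
```

Rule order matters: the accept for `exempt-hosts` must sit above the drop and the limit rule, and the drop for `abusers` must sit above the limit rule so a listed host is refused without being re-evaluated. Check `/ip firewall address-list print` to see who is currently blocked and how much of the 2h timeout remains, and `/log print where message~"abuse limit"` for the history if logs are also shipped to a remote server.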