GhostTyper Tux's lil' helper
Joined: 03 Apr 2004 Posts: 83 Location: Germany; BW
Posted: Thu Sep 27, 2018 3:34 am Post subject: [SOLVED] I want to filter udp packets by amount and source
My firewall currently consists of a Gentoo Linux box using iptables as a router in front of my servers. Those servers are connected with 1 GbE to the internet.
Some of the services I host are software like TeamSpeak or DNS servers, which read UDP packets. Currently, if one of those services is under a UDP flood with small UDP packets, I will just ignore this, because those services can read most of those packets, producing 100% CPU load on one core.
I will upgrade my internet connection to 10 GbE. This means I can't allow UDP floods on those services, because they just won't be able to eat all those packets and still respond in acceptable timeframes to valid packets.
I'm already limiting connections to TCP-based services by source with -m connlimit, and I would also have limited UDP packets/sec or something like that if there were an iptables module which could do so (at least I don't know of one).
I thought of programming software myself for this task. For instance, I could write software using libpcap and then count UDP packets per source. However, I don't think this software could run fast enough to keep up with about 15 Mpps. I could try to use tricks (one process with strict filters for one service, etc.), but this feels quite dirty and unmanageable. Additionally, libpcap would still see packets even if they are dropped by iptables. I also don't think I'm able to write a production-ready iptables module myself in time, though.
So, the question is: is there some already existing module I'm just not aware of that does this task? Maybe nftables has a solution? Maybe a 3rd-party module?
I would also consider paying for such a module, because if there is no such solution, I will need to buy some hardware firewall appliance, costing me at least 10k €/$ if it's laid out in a redundant way.
Last edited by GhostTyper on Sat Sep 29, 2018 3:36 am; edited 1 time in total
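The kind of rule the question asks for, added here as an example and not taken from the poster's setup: iptables ships the hashlimit match, which keeps a per-source token bucket inside the kernel's netfilter path, so excess packets are dropped before anything is copied to userspace and before the service behind the router ever sees them. The WAN interface name (eth0), the ports (UDP 9987 for TeamSpeak, UDP 53 for DNS), the rates and burst sizes, and the use of the FORWARD chain are constructed assumptions for the example; adjust them to the real topology.

```shell
#!/bin/sh
# Added example, not the poster's own configuration: per-source UDP rate
# limiting on a Linux router with the iptables hashlimit match.
# Constructed assumptions: WAN interface "eth0", a TeamSpeak server on
# UDP 9987 and a DNS server on UDP 53 behind the router (FORWARD chain),
# and the iptables binary on PATH. Set DRY_RUN=1 to print the commands
# instead of executing them; set APPLY=1 to load the example policy.

IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"

# Execute a command, or print it when DRY_RUN=1.
run_or_print() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# udp_limit PORT RATE BURST NAME
# Drop UDP packets to PORT from any single source address once that
# address exceeds RATE (e.g. 200/sec) after an initial allowance of BURST
# packets. hashlimit keeps one token bucket per /32 source; packets that
# stay within the budget do not match this rule and fall through to the
# usual ACCEPT rules. Idle buckets expire after 10 s (htable-expire is in
# milliseconds) and the table is capped at htable-max entries, so a flood
# from many spoofed sources cannot grow kernel memory without bound.
udp_limit() {
    port="$1"; rate="$2"; burst="$3"; name="$4"
    run_or_print "$IPT" -A FORWARD -i "$WAN_IF" -p udp --dport "$port" \
        -m hashlimit --hashlimit-name "$name" \
        --hashlimit-mode srcip --hashlimit-srcmask 32 \
        --hashlimit-above "$rate" --hashlimit-burst "$burst" \
        --hashlimit-htable-expire 10000 \
        --hashlimit-htable-size 65536 --hashlimit-htable-max 1048576 \
        -j DROP
}

# udp_notrack PORT
# Keep flood-prone UDP ports out of the connection-tracking table: with
# many spoofed sources the conntrack table would fill up long before the
# rate limit alone keeps the router healthy.
udp_notrack() {
    port="$1"
    run_or_print "$IPT" -t raw -A PREROUTING -i "$WAN_IF" \
        -p udp --dport "$port" -j CT --notrack
}

# Example policy (constructed numbers): TeamSpeak clients send steadily and
# tolerate a little burst; a single recursive resolver asking this DNS
# server should stay well below 500 queries per second.
apply_policy() {
    udp_notrack 9987
    udp_notrack 53
    udp_limit 9987 200/sec 400  ts3_udp
    udp_limit 53   500/sec 1000 dns_udp
}

if [ "${APPLY:-0}" = "1" ]; then
    apply_policy
fi
```

Once a rule is loaded, the live buckets can be inspected in /proc/net/ipt_hashlimit/<name> (one line per tracked source), which is the quickest way to confirm the limiter is actually seeing the traffic you expect. The rule must sit before the ACCEPT rules for those ports, otherwise it never matches. Use --hashlimit-srcmask 24 instead of 32 if a flood spreads its packets across many addresses of the same prefix. The limit protects the servers behind the router, but the router itself still handles every arriving frame in softirq; at minimum-size frames near 10 GbE line rate its own per-packet capacity becomes the next bound to measure.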