3.16. Preventing Denial of Service Attacks
Problem
You want to prevent denial of service (DOS) attacks against a network service.
Solution
For xinetd, use the cps, instances, max_load, and per_source keywords.
/etc/xinetd.conf or /etc/xinetd.d/myservice:

    service myservice
    {
        ...
        cps        = 10 30    # Limit to 10 connections per second. If the limit is
                              # exceeded, sleep for 30 seconds.
        instances  = 4        # Limit to 4 concurrent instances of myservice.
        per_source = 2        # Limit to 2 simultaneous sessions per source IP address.
                              # Specify UNLIMITED for no limit, the default.
        max_load   = 3.0      # Reject new requests if the one-minute system load
                              # average exceeds 3.0.
    }
For inetd, use the inetd -R option to specify the maximum number of times a service may be invoked per minute. The default is 256.
Discussion
These keywords can be used individually or in combination. The cps keyword limits the number of connections per second that your service will accept. If the limit is exceeded, then xinetd will disable the service temporarily. You determine how long to disable the service via the second argument, in seconds.
The instances keyword limits the number of concurrent instances of the given service. By default there is no limit, though you can state this explicitly with:

    instances = UNLIMITED
The per_source keyword is similar: instead of limiting server instances, it limits sessions for each source IP address. For example, to prevent any remote host from having multiple FTP connections to your site:

/etc/xinetd.conf or /etc/xinetd.d/ftp: ...
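Because instances and per_source default to UNLIMITED, a service stanza that simply omits them has no limit at all, and that is easy to miss when /etc/xinetd.d holds many files. The following auditor is an added example, not part of this recipe or of xinetd itself: it parses service stanzas with the keywords discussed above and reports any service that is left without a connection-rate, instance, per-source or load limit. The two stanzas in SAMPLE_CONFIGS are constructed sample input standing in for files under /etc/xinetd.d; to run it against a real host, read the real files into that dictionary instead.

```python
import re

# Constructed sample input: what two files under /etc/xinetd.d might contain.
# These are not from the recipe; the "ftp" stanza deliberately sets no limits.
SAMPLE_CONFIGS = {
    "/etc/xinetd.d/myservice": """
service myservice
{
    socket_type = stream
    wait        = no
    user        = nobody
    server      = /usr/local/sbin/myservice
    cps         = 10 30       # 10 connections/second, then sleep 30 seconds
    instances   = 4
    per_source  = 2
    max_load    = 3.0
}
""",
    "/etc/xinetd.d/ftp": """
service ftp
{
    socket_type = stream
    wait        = no
    user        = root
    server      = /usr/sbin/in.ftpd
    instances   = UNLIMITED   # explicitly the default: no limit
}
""",
}

# "service NAME { ... }" stanzas; the body is everything up to the first "}".
STANZA_RE = re.compile(r"service\s+(\S+)\s*\{(.*?)\}", re.S)
# "keyword = value" (xinetd also allows += and -=; we keep the last assignment).
ASSIGN_RE = re.compile(r"^\s*(\w+)\s*(\+=|-=|=)\s*(.*?)\s*$")


def parse_xinetd(text):
    """Return {service_name: {keyword: value}} for every service stanza in text."""
    services = {}
    for m in STANZA_RE.finditer(text):
        name, body = m.group(1), m.group(2)
        attrs = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0]  # xinetd treats '#' as a comment marker
            am = ASSIGN_RE.match(line)
            if am:
                attrs[am.group(1)] = am.group(3)
        services[name] = attrs
    return services


def audit_service(name, attrs):
    """Return a list of findings for one stanza.

    instances and per_source default to UNLIMITED when absent, so a missing
    keyword is reported the same way as an explicit UNLIMITED.  cps and
    max_load are reported when absent or, for cps, when not '<rate> <seconds>'.
    """
    findings = []
    for kw in ("instances", "per_source"):
        if attrs.get(kw, "UNLIMITED").upper() == "UNLIMITED":
            findings.append(f"{name}: {kw} is unlimited")
    cps = attrs.get("cps")
    if cps is None:
        findings.append(f"{name}: cps not set (no connection-rate limit)")
    else:
        parts = cps.split()
        if len(parts) != 2 or not all(p.isdigit() for p in parts):
            findings.append(f"{name}: cps is malformed ({cps!r}), expected '<rate> <seconds>'")
    if "max_load" not in attrs:
        findings.append(f"{name}: max_load not set (no load-based rejection)")
    return findings


def audit_configs(configs):
    """Audit every stanza in a {path: file_contents} mapping; returns {service: findings}."""
    report = {}
    for text in configs.values():
        for name, attrs in parse_xinetd(text).items():
            report[name] = audit_service(name, attrs)
    return report


if __name__ == "__main__":
    for service, findings in audit_configs(SAMPLE_CONFIGS).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{service}: {status}")
        for f in findings:
            print("  -", f)
```

The parser deliberately ignores the xinetd.conf defaults block, so a limit set globally there would still show up as a finding here; extend parse_xinetd to merge a defaults stanza if your configuration relies on it.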