filter, and a very brief list structured to work with SolarSecure™ might look something like this;
note execution starts at “start_src_filter”:
set_max_channels 2
set_default_action accept
set_max_objects 5
set_max_miniaddrs 5
ip4tbl_alloc high_risk linear 3 none
start_code
accept:
load 1 r0
stop
reject:
load 0 r0
stop
start_src_filter:
test_ip4
jmp_if_not accept
append_ip4_src pkey
lookup high_risk p1
stop
end_code
ip4tbl_insert high_risk 160.1.1.0/24 reject
ip4tbl_insert high_risk 2.0.334.152/1 reject
ip4tbl_insert high_risk 31.131.30.210/1 reject
To use this filter you would simply start the filter engine and tell it where to enter the
configuration file. Suppose we saved the above text in a file called “example.conf”; the
command used to start SolarSecure™ and load the configuration file would then be:
solsec_fe -I eth2 go example.conf start_src_filter
Rate Limiting Inbound Traffic
Next we should rate limit or throttle back incoming packets by IP address. This keeps traffic
flowing, but allows you to retain a handle on any attackers. In our example we permit 1,000
packets per second by restricting packet flow to 10 packets every 10 milliseconds from any
given address. If someone were uploading a file to your server this would establish roughly a
12Mbps bandwidth limit (1,000 packets of 1,500 bytes each per second), which is typically ten
times faster than the average US residential upload speed. If this were in fact an attacker from
a well-connected cloud provider, it would restrict them to the same 1,000 packets per second
instead of potentially tens of millions of packets per second. Since most of these attacks utilize
small packets, even the most powerful attacker would typically consume only 500Kbps of
bandwidth, or 1/20,000 of your link bandwidth, versus all of it. This could mean the difference
between your server experiencing a minor annoyance and being shut down. Here is an
example of a rate-limiting filter (sans header); note the entry point is “rate_limit_1kpps”:
Cyber Warnings Magazine - September Edition
Copyright © Cyber Defense Magazine. All rights reserved worldwide.
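The per-source limit described above (10 packets every 10 milliseconds), modeled in Python as an added example. It is not SolarSecure™ filter code and not the “rate_limit_1kpps” filter the article refers to. The fixed-window design, the 64-byte flood packet size and the sample addresses are assumptions made for the illustration.

```python
# Added illustration: models the per-source limit from the text, not SolarSecure code.
WINDOW_US = 10_000   # 10 ms window (from the article)
LIMIT = 10           # packets allowed per source per window (from the article)


class PerSourceLimiter:
    """Fixed-window packet counter keyed by source address (assumed design)."""

    def __init__(self, limit=LIMIT, window_us=WINDOW_US):
        self.limit = limit
        self.window_us = window_us
        self.state = {}  # src -> (window index, packets seen in that window)

    def allow(self, src, now_us):
        window = now_us // self.window_us
        seen_window, count = self.state.get(src, (window, 0))
        if seen_window != window:      # new window: the counter starts over
            count = 0
        self.state[src] = (window, count + 1)
        return count < self.limit      # the first `limit` packets pass


def simulate(limiter, src, pps, size_bytes, seconds=1):
    """Send evenly spaced packets from src; return (passed, passed bits/s)."""
    passed = 0
    for i in range(pps * seconds):
        now_us = i * 1_000_000 // pps
        if limiter.allow(src, now_us):
            passed += 1
    return passed, passed * size_bytes * 8 // seconds


if __name__ == "__main__":
    fw = PerSourceLimiter()
    # Constructed traffic: one uploader at the limit, one flood of 64-byte packets.
    print(simulate(fw, "198.51.100.7", 1_000, 1500))
    print(simulate(fw, "203.0.113.9", 1_000_000, 64))
```

A fixed window lets a source send up to twice the limit across a window boundary, and the state table grows with the number of distinct sources, so a deployed filter needs a bound on tracked addresses.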