This howto will help you block some of the most common TCP-based DDoS attacks. Although DD-WRT has a very good firewall, it does not hurt to add some extra rules as long as you know what you are doing.
iptables -t mangle -I PREROUTING -m conntrack --ctstate INVALID -j DROP

This rule drops every packet that connection tracking classifies as INVALID, which for TCP means packets that are not a SYN and do not belong to an established connection.

iptables -t mangle -I PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

This drops TCP packets that connection tracking sees as NEW but that do not carry the SYN flag, i.e. non-SYN packets that do not belong to any known connection. This rule is similar to the one above, but I found that it catches some packets that the other one does not.

iptables -t mangle -I PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP

This drops new connections (only SYN packets can be in state NEW) whose TCP MSS value is outside the common range of 536 to 65535. Keep an eye on the packet counter of this rule for a while: a legitimate client on a very low-MTU link can advertise an MSS below 536, and this rule would drop its SYN.
To check whether the rules have caught anything, run this from the CLI:

iptables -vnL -t mangle
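The helper below is an added example, not part of the original post. It covers both the three rules above and the counter check: it builds the rules so they can be applied idempotently (using `iptables -C`, which exits 0 when an identical rule already exists, so a reboot script does not stack duplicates), and it parses the output of `iptables -vnL -t mangle` to report how many packets each DROP rule has matched. The sample iptables output embedded in it is constructed for illustration; the counts are made up, and the match-column text follows the format iptables 1.x prints on DD-WRT, which is an assumption about your build.

```python
"""Apply the DD-WRT anti-DDoS mangle rules idempotently and read back their
hit counters from `iptables -vnL -t mangle`. Example code added to this page."""
import re
import shlex
import subprocess

# The three rule bodies from the post, in insertion order. Each -I goes to the
# top of PREROUTING, so the last one listed ends up first in the chain.
MANGLE_RULES = [
    "-m conntrack --ctstate INVALID -j DROP",
    "-p tcp ! --syn -m conntrack --ctstate NEW -j DROP",
    "-p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP",
]

# Constructed sample of `iptables -vnL -t mangle` output (counts are made up).
SAMPLE_OUTPUT = """\
Chain PREROUTING (policy ACCEPT 98214 packets, 74M bytes)
 pkts bytes target     prot opt in     out     source               destination
   17  1020 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcpmss match !536:65535
    4   160 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:!0x17/0x02 ctstate NEW
  231 12400 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID

Chain INPUT (policy ACCEPT 51200 packets, 40M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 60210 packets, 33M bytes)
 pkts bytes target     prot opt in     out     source               destination
"""


def rule_commands(rules=MANGLE_RULES):
    """Return (check, insert) command pairs for each rule body."""
    return [
        ("iptables -t mangle -C PREROUTING " + body,
         "iptables -t mangle -I PREROUTING " + body)
        for body in rules
    ]


def apply_rules(rules=MANGLE_RULES, run=subprocess.run):
    """Insert each rule only if `iptables -C` says it is not already present.
    `run` is injectable so the logic can be exercised without root/iptables."""
    applied = []
    for check, insert in rule_commands(rules):
        if run(shlex.split(check), capture_output=True).returncode != 0:
            run(shlex.split(insert), check=True)
            applied.append(insert)
    return applied


_SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}
_CHAIN_RE = re.compile(r"^Chain (\S+) \((.*)\)$")
# pkts bytes target prot opt in out source destination [match text]
_RULE_RE = re.compile(r"^\s*" + r"(\S+)\s+" * 8 + r"(\S+)\s*(.*)$")


def parse_count(token):
    """`iptables -v` abbreviates large counters (12K, 74M); `-x` prints raw."""
    if token[-1] in _SUFFIX:
        return int(token[:-1]) * _SUFFIX[token[-1]]
    return int(token)


def parse_table(text):
    """Map chain name -> list of rule dicts parsed from `iptables -vnL` output."""
    chains, current = {}, None
    for line in text.splitlines():
        m = _CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if current is None or not line.strip():
            continue
        m = _RULE_RE.match(line)
        if not m:
            continue
        try:
            pkts, nbytes = parse_count(m.group(1)), parse_count(m.group(2))
        except ValueError:
            continue  # the "pkts bytes target ..." column header line
        chains[current].append({
            "pkts": pkts, "bytes": nbytes, "target": m.group(3),
            "proto": m.group(4), "src": m.group(8), "dst": m.group(9),
            "match": m.group(10).strip(),
        })
    return chains


def drop_hits(text, chain="PREROUTING"):
    """DROP rules in `chain` with their counters. A non-zero pkts value means
    the rule matched traffic since insertion (or since `iptables -t mangle -Z`)."""
    return [r for r in parse_table(text).get(chain, []) if r["target"] == "DROP"]


if __name__ == "__main__":
    # Live check on the router; needs root. Falls back to the sample otherwise.
    try:
        out = subprocess.run(["iptables", "-vnL", "-t", "mangle"],
                             capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_OUTPUT
    for r in drop_hits(out):
        print(f"{r['pkts']:>8} pkts  {r['bytes']:>10} bytes  {r['match']}")
```

Run it on the router to list the drop counters, or import it from a boot script and call `apply_rules()` so the rules survive a restart without being inserted twice.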