* best approach for blocklist
@ 2010-03-05 16:17 Dennis J.
From: Dennis J. @ 2010-03-05 16:17 UTC (permalink / raw)
To: netfilter
Hi,
I'm wondering what the most efficient way to implement a blocklist is. We
are basically talking about blocking a few thousand IPs. Does iptables do
some internal optimizations when blocking based on a source address or
would it be better to, say, create a chain for each class A net (e.g.
83.0.0.0/8) and then add the IPs in that range to that class to make the
matching more efficient?
Regards,
Dennis
* Re: best approach for blocklist
From: Payam Chychi @ 2010-03-05 17:11 UTC (permalink / raw)
To: Dennis J.; +Cc: netfilter
Anytime where you can use chains to jump from and not have to go
through a massive list it's a good thing... I'd take the latter option.
--
Payam Tarverdyan Chychi
Network Security Specialist / Network Engineer
On Fri, Mar 5, 2010 at 8:17 AM, Dennis J. <dennisml@conversis.de> wrote:
> Hi,
> I'm wondering what the most efficient way to implement a blocklist is. We
> are basically talking about blocking a few thousand IPs. Does iptables do
> some internal optimizations when blocking based on a source address or would
> it be better to, say, create a chain for each class A net (e.g. 83.0.0.0/8)
> and then add the IPs in that range to that class to make the matching more
> efficient?
>
> Regards,
> Dennis
* Re: best approach for blocklist
From: Mike Wright @ 2010-03-05 17:43 UTC (permalink / raw)
To: Dennis J.; +Cc: netfilter
Dennis J. wrote:
> Hi,
> I'm wondering what the most efficient way to implement a blocklist is.
> We are basically talking about blocking a few thousand IPs. Does
> iptables do some internal optimizations when blocking based on a source
> address or would it be better to, say, create a chain for each class A
> net (e.g. 83.0.0.0/8) and then add the IPs in that range to that class
> to make the matching more efficient?
Have you considered ipset? I use it in various ways, sometimes to
allow, sometimes to deny. It supports IPs, NETs, ports, etc.
* Re: best approach for blocklist
From: Mart Frauenlob @ 2010-03-05 17:48 UTC (permalink / raw)
To: netfilter
On 05.03.2010 17:17, netfilter-owner@vger.kernel.org wrote:
> Hi,
> I'm wondering what the most efficient way to implement a blocklist is.
> We are basically talking about blocking a few thousand IPs. Does
> iptables do some internal optimizations when blocking based on a source
> address or would it be better to, say, create a chain for each class A
> net (e.g. 83.0.0.0/8) and then add the IPs in that range to that class
> to make the matching more efficient?
>
> Regards,
> Dennis
Things I would take into consideration:
- drop in raw table (avoid conntrack)
- use user-defined chains
- use ipset to match many IPs
best regards
Mart
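Putting Mart's three points together as one script, and answering Dennis's original question of per-/8 chains versus a set lookup: this is an added example, not code posted in the thread. It takes a constructed blocklist feed (comments, blank lines, duplicates, one malformed line), emits an `ipset restore` script for a hash:net set (lookup cost does not grow with the number of entries, unlike walking a long chain), and emits an `iptables-restore` fragment that drops matching sources from a user-defined chain in the raw table, before conntrack allocates state. The set name `blocklist`, the chain name `BLOCKLIST` and the sample feed are assumptions; current ipset/iptables `-m set --match-set` syntax is assumed.

```shell
#!/bin/sh
# Constructed sample feed (assumption): one entry per line, '#' comments,
# blank lines, single IPs and CIDR ranges, a duplicate and one malformed line.
SAMPLE_FEED='# constructed blocklist feed
203.0.113.5
198.51.100.0/24

192.0.2.77
not-an-ip
203.0.113.5
'

# Accept only a dotted-quad IPv4 address, optionally with a /0-/32 prefix.
# Feeds are untrusted input; a bad line should be skipped, not fed to ipset.
valid_v4() {
    printf '%s\n' "$1" | grep -Eq \
      '^(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])){3}(/(3[0-2]|[12]?[0-9]))?$'
}

# Emit an `ipset restore` script: strip comments and whitespace, drop empty
# lines, de-duplicate, validate each entry, and add it to a hash:net set.
ipset_restore_script() {
    setname=$1
    printf 'create %s hash:net family inet hashsize 4096 maxelem 65536\n' "$setname"
    printf '%s\n' "$SAMPLE_FEED" | sed 's/#.*//; s/[[:space:]]//g' | grep -v '^$' | sort -u |
    while IFS= read -r entry; do
        if valid_v4 "$entry"; then
            printf 'add %s %s\n' "$setname" "$entry"
        else
            printf 'skipping malformed entry: %s\n' "$entry" >&2
        fi
    done
}

# Emit an `iptables-restore` fragment for the raw table: PREROUTING jumps to a
# user-defined chain whose single rule matches the set and drops, so blocked
# sources never reach conntrack or the filter table.
raw_table_rules() {
    setname=$1
    printf '*raw\n'
    printf ':PREROUTING ACCEPT [0:0]\n'
    printf ':BLOCKLIST - [0:0]\n'
    printf -- '-A PREROUTING -j BLOCKLIST\n'
    printf -- '-A BLOCKLIST -m set --match-set %s src -j DROP\n' "$setname"
    printf 'COMMIT\n'
}
```

To load on a real host (as root): `ipset_restore_script blocklist | ipset -exist restore` and then `raw_table_rules blocklist | iptables-restore --noflush`; the set must exist before the rule referencing it is loaded.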
* Re: best approach for blocklist
From: Weedy @ 2010-03-06 7:11 UTC (permalink / raw)
To: netfilter
Mart Frauenlob wrote:
> On 05.03.2010 17:17, netfilter-owner@vger.kernel.org wrote:
>> Hi,
>> I'm wondering what the most efficient way to implement a blocklist is.
>> We are basically talking about blocking a few thousand IPs. Does
>> iptables do some internal optimizations when blocking based on a source
>> address or would it be better to, say, create a chain for each class A
>> net (e.g. 83.0.0.0/8) and then add the IPs in that range to that class
>> to make the matching more efficient?
There is a PDF I'm too lazy to google for about how the University of
Florida mitigated a DDoS from a worm using TARPIT. Point being they had
to TARPIT hundreds of thousands of IPs and had to deal with the
performance issues behind that. It's a good read.