Recipe 3.16 Preventing Denial of Service Attacks

3.16.1 Problem

You want to prevent denial of service (DOS) attacks against a network service.

3.16.2 Solution

For xinetd, use the cps, instances, max_load, and per_source keywords.

/etc/xinetd.conf or /etc/xinetd.d/myservice:
service myservice
{
        # Limit to 10 connections per second.
        # If the limit is exceeded, sleep for 30 seconds.
        cps        = 10 30
        # Limit to 4 concurrent instances of myservice.
        instances  = 4
        # Limit to 2 simultaneous sessions per source IP address.
        # Specify UNLIMITED for no limit, the default.
        per_source = 2
        # Reject new requests if the one-minute system load average exceeds 3.0.
        max_load   = 3.0
}

For inetd, use the inetd -R option to specify the maximum number of times a service may be invoked per minute. The default is 256.

3.16.3 Discussion

These keywords can be used individually or in combination. The cps keyword limits the number of connections per second that your service will accept. If the limit is exceeded, then xinetd will disable the service temporarily. You determine how long to disable the service via the second argument, in seconds.

The instances keyword limits the number of concurrent instances of the given service. By default there is no limit, though you can state this explicitly with:

instances = UNLIMITED

The per_source keyword is similar: instead of limiting server instances, it limits sessions for each source IP address. For example, to prevent any remote host from having multiple FTP connections to your site:

/etc/xinetd.conf or /etc/xinetd.d/ftp:
service ftp
{
        per_source = 1
}

Finally, the max_load keyword disables a service when the local system load average gets too high, so that a flood of requests cannot saturate the CPU.
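To check which services on a host are still unbounded, here is an added example (not the book's own code) that parses the xinetd block syntax shown above, honours values inherited from a defaults block, and reports the limit keywords that are unset or UNLIMITED for each service; the config text is a constructed sample.

```python
"""Audit xinetd blocks for cps/instances/per_source/max_load (added example, not the book's code)."""
import re

# Constructed sample: one service with all four limits, one with none of them.
SAMPLE_CONF = """
defaults
{
    instances = 60
}
service myservice
{
    cps         = 10 30
    instances   = 4
    per_source  = 2
    max_load    = 3.0
}
service ftp
{
    per_source  = UNLIMITED
}
"""
LIMIT_KEYS = ("cps", "instances", "per_source", "max_load")

def parse_xinetd(text):
    """Return {block_name: {key: value}} for each 'name { ... }' block;
    '#' comments are dropped and '+=' / '-=' are read like '='."""
    blocks = {}
    for name, body in re.findall(r"(\S+)\s*\{(.*?)\}", text, re.S):
        attrs = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0]
            if "=" in line:
                key, value = line.split("=", 1)
                attrs[key.strip().rstrip("+-").strip()] = value.strip()
        blocks[name] = attrs
    return blocks

def unlimited_keys(attrs, defaults=None):
    """Limit keywords left unbounded: unset (and not inherited from the
    defaults block) or explicitly UNLIMITED."""
    defaults = defaults or {}
    return [k for k in LIMIT_KEYS
            if (attrs.get(k, defaults.get(k)) or "UNLIMITED").upper() == "UNLIMITED"]

def audit(text):
    """Map each service name to its list of unbounded limit keywords."""
    blocks = parse_xinetd(text)
    defaults = blocks.pop("defaults", {})
    return {svc: unlimited_keys(attrs, defaults) for svc, attrs in blocks.items()}
```

Run audit() over the contents of /etc/xinetd.conf and each file in /etc/xinetd.d to list services that still accept unlimited connections.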

inetd is less flexible: it has a -R command-line option that limits the number of invocations of each service per minute. The limit applies to every service, but is counted individually for each one. If the limit is exceeded, inetd logs a message of the form:

telnet/tcp server failing (looping), service terminated

Actually, the service isn't terminated, it's just disabled for ten minutes. This time period cannot be adjusted.

Some firewalls have similar features: for example, iptables can limit the total number of incoming connections. On the other hand, iptables does not support the per_source functionality: it cannot limit the number of connections from a single source address.

3.16.4 See Also

Chapter 9. Testing and Monitoring