We had a task to build a simple solution for DDOS protection on the learning phase of attack. Main goals were:
- To build it fast: We chose Ubuntu … as everything needed is compiled and build in.
- Minimum network intervention: We opted for L2/L3 bridge with iptables integration which we plugged between our autonomous system (AS) and internet.
- Auto learning offenders: Using honeypot service to distinguish non-legitimate connections. Log source IP address and drop packet with iptables. Using suricata ids to additionally analyze client requests.
- Auto block offenders: Using fail2ban to pars logs generated by iptables and suricata and temporary disable all connections from offending sources.
- Have some connection limit capabilities: Again we used iptables with connlimit and conntrack modules activated.