As network administrators, we often encounter situations where certain users or devices attempt to overwhelm our networks with excessive amounts of traffic. In such scenarios, implementing packet rate limiting plays a vital role in safeguarding against Denial-of-Service (DoS) attacks and preserving network stability and security.
In this tutorial, we’ll explore how to use iptables to implement packet rate limiting at the firewall level. We’ll understand the importance of this feature and look at examples along the way.
2. Rate Limiting by Protocol: the Pitfalls
Implementing rate limiting solely based on the protocol used, such as TCP or UDP, can have unintended consequences. Certain protocols, like ICMP (Internet Control Message Protocol), are essential for network health and troubleshooting. Excessive rate-limiting of ICMP packets, for example, can hinder network diagnostics, delay important error messages, and impact overall network performance.
Additionally, improperly implementing rate limiting by protocol might create a denial-of-service attack vector where attackers could abuse our own rules to hinder protocol access for everyone.
Therefore, it’s generally advisable to opt for rate limiting by source address, which provides more granular control.
3. Rate Limiting by Source Address: the Ideal Approach
Rate limiting by source address allows us to set limits based on the originating IP addresses of network packets. Furthermore, this approach offers more flexibility and precision in managing traffic.
By focusing on the source address, we can identify specific hosts, networks, or even geographical locations that may require rate limiting. It enables us to tailor our rate-limiting policies to suit our network’s specific needs.
4. Example Scenarios
Let’s explore three common scenarios where implementing packet rate limiting based on individual source IP addresses could prove beneficial.
4.1. Preventing Brute Force Attacks
Suppose we want to prevent potential brute force attempts to guess valid username and password combinations for the Secure Shell (SSH) service.
In this scenario, we can use packet rate limiting rules to limit the number of connections to the SSH port from the same IP address. Let’s use the following iptables commands to achieve this:
# iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
# iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 120 --hitcount 10 -j DROP
The above commands use the iptables extension recent, which allows us to dynamically create a list of IP addresses and match against them in different ways. In this example, we instruct iptables to drop connections from any IP address if it attempts to open more than 10 connections to the SSH port (22/tcp) within 120 seconds (two minutes). By using the NEW state, only new connections are impacted by this rule, not established ones.
Different iptables extensions can be used to achieve packet rate limiting. Next, we’ll explore the use of the conntrack extension to achieve a similar result.
4.2. Web Server Protection
Let’s assume we want to rate limit incoming requests to our web server to prevent Denial-of-Service (DoS) attacks and ensure fair resource allocation among users. We can achieve this using the iptables conntrack extension:
# iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -m limit --limit 20/min --limit-burst 30 -j ACCEPT
# iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -m limit --limit 20/min --limit-burst 30 -j ACCEPT
# iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j DROP
# iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j DROP
First, we configure iptables to accept already established connections. Then, we define two rules that accept new connections to ports 80 and 443 while tracking the number of connections from each unique IP address. These rules continue to accept new connections as long as they don’t exceed the limit of 20 connections per minute from each IP address.
limit-burst denotes the initial number of packets that are allowed to match the rate limit. Each time the defined limit isn’t reached, it gets replenished by one. However, it won’t go beyond a maximum value of 30.
Additionally, the last two rules drop excessive connections that weren’t already accepted by the previous rules.
4.3. Bandwidth Management
In some cases, we might want to limit the total outbound bandwidth utilized by our server. We can use yet another iptables extension called limit for this purpose.
First, we’ll create a user-defined chain for rate limiting outbound traffic and then create a rule to limit the packet rate to 1 Megabit per second:
# iptables -N RATE_LIMIT
# iptables -A RATE_LIMIT -m limit --limit 1mbit/s -j ACCEPT
# iptables -A RATE_LIMIT -j DROP
# iptables -A OUTPUT -o eth0 -j RATE_LIMIT
The last rule applies the rate limit action on outgoing traffic through the eth0 interface.
Packet rate limiting has many use cases, including mitigating resource exhaustion attacks and addressing niche requirements. iptables is a versatile tool in a system administrator’s arsenal, offering various extensions for rate limiting such as conntrack, limit, and state, among others.
In this article, we explored the pitfalls of rate limiting by protocol and understood the benefits of rate limiting by source address. We then examined common scenarios for using iptables to set packet rate limits. By using the power of iptables, network administrators can enhance network stability, security, and resource allocation.