Skip to content

A transparent firewall for Intrusion Prevention and dDOS-Mitigation

by daimon on Februar 7th, 2012

A customer was under heavy dDOS-Attack, specifically SYN-Flood.The service has become unavailable because his (stateful) firewall cannot handle more then 128k concurrent sessions and began dropping legitimate ones.

We configured his Juniper Firewall to protect the network from SYN-Flood by limiting the maximum amount of SYN-Packets per IP per second, the maximum number of open sessions per IP and by enabling SYN-proxying.

At first, the Juniper-Firewall handled the load easily, and service was restored. The amount of illegitimate SYN Packets hit a ceiling at about 40MBit/second. The number of sessions dropped down to a more manageable value, but the CPU Usage was rising because of the work involved in tracking the connections to mitigate the SYN Flood.

But the attack volume was increasing. At some point about 60MBit/second, the Juniper reached its limits again, this time the CPU usage peaked.

I wanted to put another system in front of the firewall to relieve the firewall of the cumbersome load. This is difficult without provoking downtime and cumbersome with a normal Layer 3-Firewall, because you need another routing hop and so you will be forced to renumber your network range. But after some recherche, i discovered that Linux iptables can filter at the bridge level, so this appliance doesn’t even need an IP address (only for management).

All you need to do to take this appliance productive is putting it physically in line with the uplink and the ordinary (routing) firewall.

Setting up the system

install debian

apt-get install iptables ebtables bridge-utils


auto lo eth0 eth1

# Loopback Interface
iface lo inet loopback

# eth0: Uplink connection (incoming)
iface eth0 inet manual
        mtu 1500

# eth1: cleaned Traffic (outgoing)
iface eth1 inet manual
        mtu 1500
        post-up ifup br0

#br0: Ethernet bridge uplink <-> firewall
iface br0 inet static
        bridge_ports eth0 eth1
        bridge_stp off
        bridge_fd 0
        bridge_maxwait 0
        # iptables restore, bevor bridge hochgefahren wird
       pre-up iptables-restore < /etc/iptables.up.rules
        # IP for management
        gateway #uplink

You can add trunking/vlans any way you want, iptables filtering will work.



Load the sysctl.conf while booting:

update-rc.d procps defaults


:nominal-syn - [0:0]
:syn-flood - [0:0]
:non-syn - [0:0]
-A FORWARD -p tcp --syn -m hashlimit --hashlimit-above 50/sec --hashlimit-burst 100 --hashlimit-htable-expire 300000 --hashlimit-mode srcip --hashlimit-name synstop -j syn-flood
-A FORWARD -p tcp --syn -j nominal-syn
-A FORWARD -j non-syn
-A syn-flood -m recent --name blacklist --set
-A syn-flood -m limit --limit 3/minute --limit-burst 20 -j LOG --log-level 4 --log-prefix "SYN Flood: "
-A syn-flood -j DROP
-A nominal-syn -j ACCEPT
-A non-syn -j ACCEPT


Getting Information about the filtering process

#watch -n 1 “iptables -v -L FORWARD ”

gets you some information, including the number of dropped and passed packets/bytes per defined chain (see above):

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  18M  935M syn-flood  tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN limit: above 50/sec burst 100 mode srcip htable-expire 300000
1067K   56M nominal-syn  tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN
  20M   17G non-syn    all  --  any    any     anywhere             anywhere

List of “Bad Guys”:
In the blacklist you can see all IPs that violated the syn-flood limit:

cat /proc/net/xt_recent/blacklist

More Information


No comments yet

Leave a Reply

Note: XHTML is allowed. Your email address will never be published.

Subscribe to this comment feed via RSS