Rate Limiting: A Security Best Practice

On Linux Servers With IPTABLES

Rate limiting is a technique used to control the rate at which network traffic is sent or received. It can be used to prevent network congestion and protect against malicious attacks such as denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks. One way to implement rate limiting is by using iptables, the Linux kernel’s built-in firewall. It is a security best practice to implement rate limiting on all of our applications that use the TCP/IP stack.

Iptables is a command-line tool that allows you to configure the Linux kernel’s firewall. It is a powerful tool that can be used to filter, NAT and mangle network traffic. One of the features of iptables is the ability to limit the rate of incoming or outgoing traffic.

To implement rate limiting using iptables, you can use the --limit and --limit-burst options of the limit match. The --limit option sets the maximum number of packets that can be sent or received in a given time period, while the --limit-burst option sets the maximum number of packets that can be sent or received in a short period of time (also known as the burst rate).

--limit [rate[/unit]]
The number of packets to let through per unit of time. Each time a packet is matched, an internal counter of packets to allow in the future is decreased by one. Further, the counter is increased by one rate times every unit of time, up to the maximum determined by --limit-burst. If no argument is given, defaults to 3/hour. If no unit is given, defaults to second.
--limit-burst [count]
Set the count of packets that will be matched in a single “burst.” This value is used to initialize an internal allowed-packet counter (so that up to count packets can be matched before the first unit of time), and also determines the maximum value of that counter (so that no more than count packets will ever be allowed in a single unit of time). If count is not given, defaults to 5.

For example, to limit incoming traffic to 100 packets per second, you can use the following command:

Ingress Rate Limiting Example:
# Rate Limiting Ingress HTTP Traffic

iptables -A INPUT -p tcp --dport 80 -m limit --limit 100/second --limit-burst 150 -j ACCEPT

This command adds a rule to the INPUT chain of the firewall that applies to TCP traffic on port 80. The -m limit option tells iptables to use the rate limiting module, and the --limit 100/second option sets the maximum rate of incoming traffic to 100 packets per second. The --limit-burst 150 option sets the burst rate to 150 packets.
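The two options described above behave as a token bucket: the bucket starts full at --limit-burst tokens, refills at the --limit rate, and every matched packet spends one token. The following model is an added example, not part of the original post and not iptables code; it assumes the man page semantics quoted above and replays the HTTP rule's numbers (100/second, burst 150) over constructed traffic. Note that a packet arriving when the bucket is empty simply does not match the rule, so the limit rule with -j ACCEPT only admits traffic; a later DROP rule or a DROP chain policy is what actually discards the excess.

```python
# Added example (not from the page): a model of the token bucket behind
# `iptables -m limit`, used to show how --limit and --limit-burst interact.
#   --limit N/unit    bucket refills N tokens per unit of time
#   --limit-burst B   bucket starts full at B tokens and never exceeds B
# A matching packet spends one token. A packet that finds the bucket empty does
# NOT match and falls through to the next rule (or the chain's default policy).

UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_limit(spec: str = "3/hour") -> float:
    """Convert an iptables rate ('100/second', '10/s', '3/hour') to packets
    per second. Like iptables: no unit means /second, unit may be abbreviated."""
    count, _, unit = spec.partition("/")
    unit = unit or "second"
    names = [n for n in UNIT_SECONDS if n.startswith(unit.lower())]
    if len(names) != 1:
        raise ValueError(f"unknown rate unit: {unit!r}")
    return int(count) / UNIT_SECONDS[names[0]]


class LimitMatch:
    """Per-rule state, as in the kernel: remaining credit and last update time."""

    def __init__(self, limit: str, burst: int = 5) -> None:
        self.rate = parse_limit(limit)   # tokens added per second
        self.burst = burst               # capacity, and the initial credit
        self.credit = float(burst)
        self.last = 0.0

    def matches(self, now: float) -> bool:
        """True if a packet arriving at `now` seconds (non-decreasing) matches."""
        self.credit = min(self.burst, self.credit + (now - self.last) * self.rate)
        self.last = now
        if self.credit >= 1.0:
            self.credit -= 1.0
            return True
        return False


def simulate(limit: str, burst: int, arrivals: list[float]) -> list[str]:
    """Verdict per packet for the pair: `-m limit ... -j ACCEPT` then `-j DROP`."""
    bucket = LimitMatch(limit, burst)
    return ["ACCEPT" if bucket.matches(t) else "DROP" for t in arrivals]


if __name__ == "__main__":
    # Constructed traffic: 300 packets at once, then 60 more half a second later.
    verdicts = simulate("100/second", 150, [0.0] * 300 + [0.5] * 60)
    print(verdicts.count("ACCEPT"), "accepted,", verdicts.count("DROP"), "dropped")
```

With these numbers the 300-packet burst yields 150 accepted and 150 dropped, and only 50 tokens have refilled half a second later, so 50 of the next 60 packets pass.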

Common services that a malicious attacker could abuse are prone to Distributed Denial of Service (DDoS) attacks, which are often launched using User Datagram Protocol (UDP) based applications such as Network Time Protocol (NTP), Domain Name System (DNS), Simple Network Management Protocol (SNMP), and System Log (SYSLOG). For example, if a Linux server is configured to use a DNS server at IP address 1.1.1.1, an attacker could potentially spoof that IP address and send a flood of fake DNS responses, resulting in a DNS-based DDoS attack on the server. This scenario could apply to any of the UDP services mentioned above.

# Rate Limiting Ingress DNS, SNMP, SYSLOG and NTP Traffic

iptables -A INPUT -p udp -m multiport --sport 53,123,161,514 -m limit --limit 100/second --limit-burst 150 -j ACCEPT

Should we not also be concerned about services that do not use the transport layer at all? One of the most commonly used layer 3 protocols is ICMP, which can be abused in a variety of ways, such as ping flood and ping of death attacks, and the possibilities are endless. Rate limiting ICMP is very important: ping floods are very easy to generate, and we cannot afford to have our server stop serving the application it is designed for while it replies to millions of ICMP echo requests, which can lead to network throttling and resource exhaustion.

iptables -A INPUT -p icmp --icmp-type ping -m limit --limit 10/s -j ACCEPT

You can also use the same command to limit outgoing traffic, by changing the chain from INPUT to OUTPUT.

Egress Rate Limiting Example:
iptables -A OUTPUT -p tcp --dport 53 -m limit --limit 100/second --limit-burst 150 -j ACCEPT

It’s important to note that rate limiting can be applied to specific IP addresses or entire subnets, as well as specific ports.

In conclusion, iptables is a powerful tool that can be used to implement rate limiting on Linux-based systems. By using the limit and burst options, you can control the rate at which traffic is sent and received, helping to prevent network congestion and protect against malicious attacks.

We should also rate limit FTP, SSH, Telnet, HTTP and other TCP-based applications.

Tip: iptables -m limit
This match is available only if your kernel has been configured with CONFIG_IP_NF_MATCH_LIMIT enabled. Most newer Linux kernels are built with this module enabled.
