Efficient DDoS protection under GNU/Linux

What is ipset?

Quoting the official website: "an IP set may store IP addresses, networks, (TCP/UDP) port numbers, MAC addresses, interface names or combinations of them in a way, which ensures lightning speed when matching an entry against a set."

I already have iptables. Why should i use ipset?

In case you have a number of growing rules in your iptables , this will lead to a severe performance drop. Specifically,if you have more than a thousand rules in your iptables, you should start worrying about this.

Inner workings

The inner workings of ipset are irrelevant. Or is it ? We'll delve into that soon enough :)

Did you say Bogons ? 

Simply put, a bogon is a bogus IP address in a computer network. Many unethical crackers use bogons to direct massive DDOS attacks on servers. Those non-legitimate IPs marked as living in oblivion need to be filtered to prevent possible attacks.

 For our demonstration in the usage of ipset, I will show you how to filter bogons using a simple 'quick and dirty' shell script.

bogonblock.sh


#Author: C.Velvindron / codarren@hackers.mu
#Shellscript to filter bogons using ipset
#!/bin/sh
iptables -F
ipset destroy
ipset -N bogonblock nethash
for IP in $(wget -O - http://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt)
do
ipset -A bogonblock $IP
done
iptables -A INPUT -m set --match-set bogonblock src -j DROP


Sample output of ipset -list
193.223.72.0/22
194.39.224.0/20
195.238.78.0/23
168.121.0.0/16
193.41.154.0/23
193.202.76.0/24
194.15.32.0/19
194.48.242.0/24
194.104.16.0/21
194.113.164.0/24
195.216.208.0/23
91.206.92.0/23
193.31.62.0/24
193.56.190.0/24
194.5.232.0/23
194.40.236.0/22
194.55.96.0/22
194.124.252.0/24
91.232.129.0/24
193.201.208.0/22
193.8.208.0/22
193.105.28.0/24
195.234.82.0/23