Page MenuHomePhabricator

iptables ddos protection
Open, NormalPublic

Description

TODO:

  • research if adding any iptables ddos protection rules by default would make sense in context of Whonix
    • improving ddos resistance
    • not opening new privacy issues
    • not opening new fingerprinting vectors
  • consider implementing them

Details

Impact
Normal

Related Objects

Event Timeline

Patrick created this task.Nov 21 2014, 2:58 PM
Patrick raised the priority of this task from to Normal.
Patrick updated the task description. (Show Details)
Patrick added a project: whonix-gw-firewall.
Patrick added a subscriber: Patrick.

Basic research I did: http://people.netfilter.org/hawk/presentations/devconf2014/iptables-ddos-mitigation_JesperBrouer.pdf

some things like enabling tcp timestamps dont make sense from a privacy perspective so ignore them.

Patrick set Impact to Needs Triage.

Apart from SYNPROXY there are more effective iptables rules for DDoS mitigation discussed here: https://javapipe.com/iptables-ddos-protection
Some of those should be added to whonix-gw-firewall as well imo.

Patrick updated the task description. (Show Details)Apr 20 2016, 5:15 PM
Patrick added projects: research, enhancement.
Patrick changed Impact from Needs Triage to Normal.
Patrick added a subscriber: marmarek.