Description

TODO:

research if adding any iptables ddos protection rules by default would make sense in context of Whonix
- improving ddos resistance
- not opening new privacy issues
- not opening new fingerprinting vectors
consider implementing them

Details

Impact: Normal

Related Objects

Mentioned In: T565: control-port-filter ddos test

Event Timeline

Patrick created this task.Nov 21 2014, 1:58 PM

Patrick raised the priority of this task from to Normal.

Patrick updated the task description. (Show Details)

Patrick added a project: whonix-gw-firewall.

Patrick added a subscriber: Patrick.

Patrick added a project: security.Nov 21 2014, 2:10 PM

Basic research I did: http://people.netfilter.org/hawk/presentations/devconf2014/iptables-ddos-mitigation_JesperBrouer.pdf

some things like enabling tcp timestamps dont make sense from a privacy perspective so ignore them.

http://people.netfilter.org/hawk/presentations/devconf2014/iptables-ddos-mitigation_JesperBrouer.pdf

Corresponding video:
https://www.youtube.com/watch?v=BklSqr9t4uA

Patrick added a project: Whonix.Nov 26 2014, 4:01 PM

Patrick added a project: iptables.Nov 26 2015, 9:22 PM

Patrick set Impact to Needs Triage.

Herald added a subscriber: • WhonixQubes. · View Herald TranscriptNov 26 2015, 9:22 PM

Apart from SYNPROXY there are more effective iptables rules for DDoS mitigation discussed here: https://javapipe.com/iptables-ddos-protection
Some of those should be added to whonix-gw-firewall as well imo.

Patrick updated the task description. (Show Details)Apr 20 2016, 3:15 PM

Patrick added projects: research, enhancement.

Patrick changed Impact from Needs Triage to Normal.

Patrick added a subscriber: marmarek.

Patrick mentioned this in T565: control-port-filter ddos test.Nov 12 2016, 6:37 PM

iptables ddos protectionOpen, NormalPublicActions

Description

Details

Related Objects

Event Timeline

iptables ddos protection
Open, NormalPublic
Actions