Today we were effectively subjected to a DDoS attack by a badly behaved client raiding one of our web servers. We decided to rate-limit HTTP connections, which turned out to be pleasantly simple.

I replaced our old iptables rule that allowed HTTP connections:

-A INPUT -j ACCEPT -p tcp --dport    80

with 2 new rules:

-A INPUT -j ACCEPT -p tcp --dport    80 -s xxx.yyy.0.0/16 --syn -m connlimit ! --connlimit-above 20
-A INPUT -j ACCEPT -p tcp --dport    80                   --syn -m connlimit ! --connlimit-above 5 --connlimit-mask 24

The first rule lets any single on-campus address (a source in xxx.yyy.0.0/16; with no --connlimit-mask the count is per /32, i.e. per client) hold up to 20 simultaneous connections. The second rule covers everyone else and, because of --connlimit-mask 24, counts per /24 source block rather than per client: at most 5 simultaneous connections from any one /24. Both rules match only the SYN that opens a connection (--syn), so the remaining packets of each connection must be accepted elsewhere, normally by an ESTABLISHED,RELATED rule earlier in the chain, and connlimit only counts connections that conntrack still tracks as open, so clients can make as many connections as they want in series. But if a web crawler attempts to open 6 connections without closing any, the 6th SYN matches neither rule and falls through to the rest of the chain: with a DROP policy it is silently discarded and the crawler's attempt times out; with a REJECT it is refused straight away. Slick! One caveat: 5 per /24 is tight, since a modern browser alone opens up to six parallel connections to a host, and every client behind one NAT or in the same ISP /24 shares that budget.
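To confirm the limit actually behaves as described, here is a small probe written for this write-up; it is not part of the original post or the nixcraft article. It opens N TCP connections to a host at once, holds every successful one open until all attempts have finished so the server-side limit sees them as simultaneous, and reports how many connected, timed out, or were refused. The target host, port and count are assumed command-line parameters; the throwaway local listener exists only so the script can be tried offline. Run from a host outside xxx.yyy.0.0/16 with a count of 6 against a server using the rules above, the expected tally is 5 connected plus 1 timed out (DROP) or 1 refused (REJECT); remember that any other hosts in the probe's own /24 count against the same budget.

```python
"""Concurrency probe for a per-source connection limit (added example)."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def try_connect(host, port, timeout):
    """Attempt one connection; return (outcome, socket-or-None).

    The socket is returned still open on success so the caller controls
    when it is released.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "connected", sock
    except socket.timeout:          # SYN silently dropped (DROP rule/policy)
        outcome = "timed_out"
    except ConnectionRefusedError:  # RST/ICMP from a REJECT rule or a closed port
        outcome = "refused"
    except OSError:                 # anything else (unreachable network, etc.)
        outcome = "error"
    sock.close()
    return outcome, None


def probe(host, port, count=6, timeout=3.0):
    """Open `count` connections concurrently and tally the outcomes."""
    with ThreadPoolExecutor(max_workers=count) as pool:
        attempts = list(pool.map(lambda _: try_connect(host, port, timeout),
                                 range(count)))
    tally = {"connected": 0, "timed_out": 0, "refused": 0, "error": 0}
    for outcome, _ in attempts:
        tally[outcome] += 1
    # Release the successful connections only now, so they all overlapped.
    for _, sock in attempts:
        if sock is not None:
            sock.close()
    return tally


def start_local_listener(backlog=16):
    """Start an unlimited listener on 127.0.0.1 for offline trials (assumed
    helper, not an iptables test); returns (server_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(backlog)

    def accept_loop():
        accepted = []
        while True:
            try:
                conn, _ = srv.accept()
                accepted.append(conn)
            except OSError:  # listener shut down
                for c in accepted:
                    c.close()
                return

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def stop_local_listener(srv):
    """Shut the listener down so the blocked accept() wakes and the port closes."""
    try:
        srv.shutdown(socket.SHUT_RDWR)
    except OSError:
        pass
    srv.close()


if __name__ == "__main__":
    import sys
    if len(sys.argv) >= 3:
        target, port = sys.argv[1], int(sys.argv[2])
        n = int(sys.argv[3]) if len(sys.argv) > 3 else 6
        print(probe(target, port, count=n))
    else:
        srv, port = start_local_listener()
        print("unlimited local listener:", probe("127.0.0.1", port))
        stop_local_listener(srv)
```

Usage: `python3 probe.py www.example.org 80 6` from an external host. A tally with a timed-out or refused entry at count 6 and none at count 5 is the behaviour the rules are meant to produce; all 6 connecting means the SYN never reached the connlimit rules, typically because an earlier rule already accepted it.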

Thanks to nixcraft for the details!