A VPS hosting a service I maintain came under a DoS attack today. The malicious client was opening as many TCP connections as it could, and eventually the service would hit the ulimit on open file descriptors and fail. Of course the service should be more resilient, but this iptables rule solved the problem right away.

It blocks an individual IPv4 address from holding more than 25 connections to the service port. It does so by answering each new connection attempt (the --syn match) from a client that already exceeds 25 connections with a TCP reset.

# port of the local service being DoSed
service_port=22550

# connection limit for a given IP
conn_limit=25

sudo iptables -A INPUT -p tcp --syn --dport $service_port -m connlimit \
--connlimit-above $conn_limit -j REJECT --reject-with tcp-reset
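The same rule, wrapped as an added example (not code from the original post) in a small POSIX sh script that validates its inputs and applies the rule idempotently. It assumes iptables with the connlimit match module and support for the check option (iptables -C); the port and limit values are the constructed sample values from above, and the optional mask argument (--connlimit-mask, a real connlimit option, default 32 for IPv4) lets the limit be counted per subnet instead of per address.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes iptables with the
# connlimit match and the -C (check) option. Sample port 22550 and limit 25
# are constructed values, as in the post.

# build_connlimit_rule PORT LIMIT [MASK]
# Prints the rule specification (everything after "-A INPUT") so the same
# string can be used to check for (-C) and to append (-A) the rule.
build_connlimit_rule() {
    port="$1"; limit="$2"; mask="${3:-32}"
    # Reject anything that is not a numeric port, limit or prefix length.
    case "$port"  in ''|*[!0-9]*) return 1;; esac
    case "$limit" in ''|*[!0-9]*) return 1;; esac
    case "$mask"  in ''|*[!0-9]*) return 1;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    [ "$limit" -ge 1 ] || return 1
    [ "$mask" -le 32 ] || return 1
    printf '%s\n' "-p tcp --syn --dport $port -m connlimit --connlimit-above $limit --connlimit-mask $mask -j REJECT --reject-with tcp-reset"
}

# apply_connlimit_rule PORT LIMIT [MASK]
# Appends the rule only when an identical one is not already in INPUT
# (iptables -C exits non-zero if the rule is missing), so re-running is safe.
apply_connlimit_rule() {
    spec=$(build_connlimit_rule "$@") || { echo "invalid arguments" >&2; return 1; }
    # Word-splitting of $spec into separate iptables arguments is intended.
    if iptables -C INPUT $spec 2>/dev/null; then
        echo "rule already present"
    else
        iptables -A INPUT $spec && echo "rule added"
    fi
}

# Usage (as root):  apply_connlimit_rule 22550 25
# Per /24 instead of per address:  apply_connlimit_rule 22550 25 24
```

Because --syn restricts the match to connection-opening packets, established connections are never reset by this rule; only the attempt that would push the client over the limit is. Note that the mask widens the scope of the counter, so a /24 limit of 25 also applies to legitimate clients sharing that subnet, and that IPv6 clients need a separate ip6tables rule.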

I don’t claim this is a magic bullet for system hardening or DDoS mitigation, but it solved my problem.