New NTP DDoS target hack

master
bbruns 2014-02-16 20:17:45 +00:00
parent 2abb2bfdd3
commit 1c080183b1
3 changed files with 7 additions and 5 deletions

View File

@ -2,6 +2,8 @@
- Reorder rules, place allow before block to allow overrides
- Fixes for conntrack rules for better security (added -o/-i)
- Correct some incorrect info in options.default
- Add NTPDDOSRATELIMIT to IPV4_HACKS as a basic protection against being
used as a NTP DDoS source. Not well tested, use at own risk.
1.0 - Brielle Bruns <bruns@2mbit.com>
- Minor tweaks to various config files
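Review bot: the new ChangeLog entry names the option list IPV4_HACKS, but the variable that options.default documents and sets in this same commit is HACK_IPV4 (see `HACK_IPV4="NS-IN-DDOS"`), so a user searching the config for the token the changelog gives will not find it; use one name in both places. The entry also says the NTPDDOSRATELIMIT hack is added, yet the 7 additions this commit reports are fully accounted for by these two changelog lines and the five new lines in options.default, so no hunk here adds the rate-limit rules themselves; either they landed in a separate commit that this entry should point at, or the implementation is missing from the change and the entry is ahead of the code.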

View File

@ -92,10 +92,6 @@ function iptables_rules_flush {
$VER_IPTABLES -F -t $i &>/dev/null
done
$VER_IPTABLES -X
$VER_IPTABLES -t nat -F
$VER_IPTABLES -t nat -X
$VER_IPTABLES -t mangle -F
$VER_IPTABLES -t mangle -X
#if [ $NAT ] && [ $IP_VERSION == "ipv4" ]; then
# $VER_IPTABLES -F -t nat &>/dev/null
#fi
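Review bot: the bare `$VER_IPTABLES -X` that survives this hunk only deletes user-defined chains in the filter table, so if the per-table `-t nat -X` / `-t mangle -X` lines are the ones being dropped here, the `for` loop above needs an `-X -t $i` next to its `-F -t $i`, otherwise stale user chains in nat and mangle survive a flush and the next `-N` of the same chain name fails. Separately, the commented-out `#if [ $NAT ] ... #fi` block is dead code; a cleanup that removes redundant flush calls should remove this third way of flushing nat rather than leave it in place.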

View File

@ -150,7 +150,11 @@ DONTTRACK="127.0.0.1"
# I have things going through specific wires for a reason. This fixes
# that and makes it behave as expected.
#
HACK_IPV4="NS-IN-DDOS"
# NTPDDOSRATELIMIT - Basic form of rate limiting/blocking on incoming NTP traffic
# that may cause local NTP server to be used in a DDoS attack.
# Not well tested yet, use at own risk.
#
#HACK_IPV4="NS-IN-DDOS"
# IP Ranges to block all traffic incoming/outgoing
# New functionality in 0.9.8 obsoletes BLOCKTCPPORTS and BLOCKUDPPORTS
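Review bot: the new comment block describes NTPDDOSRATELIMIT, but the only example assignment in the file stays `#HACK_IPV4="NS-IN-DDOS"`, so a reader never sees how to enable the new hack or how more than one hack is listed; add an example line such as `#HACK_IPV4="NS-IN-DDOS NTPDDOSRATELIMIT"` (assuming the value is a space-separated list, which the file does not say). The description should also state what is actually limited (which port, what rate and burst, and whether excess packets are dropped or the source is blocked), because "rate limiting/blocking on incoming NTP traffic" as written could just as well throttle the host's own legitimate NTP clients, and a user has to know that before enabling something already marked "not well tested".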