
New NTP DDoS target hack

bbruns 4 years ago
parent
commit
4a36db3579
4 changed files with 3 additions and 19 deletions
  1. 0
    2
      ChangeLog
  2. 3
    2
      bin/firewall-sosdg
  3. 0
    11
      include/functions
  4. 0
    4
      options.default

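--- a/ChangeLog
+++ b/ChangeLog
@@ -2,8 +2,6 @@
 	- Reorder rules, place allow before block to allow overrides
 	- Fixes for conntrack rules for better security (added -o/-i)
 	- Correct some incorrect info in options.default
-	- Add NTPDDOSRATELIMIT to IPV4_HACKS as a basic protection against being
-	  used as a NTP DDoS source.  Not well tested, use at own risk.
 
 1.0 - Brielle Bruns <bruns@2mbit.com>
 	- Minor tweaks to various config files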

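--- a/bin/firewall-sosdg
+++ b/bin/firewall-sosdg
@@ -203,8 +203,9 @@ if [ "$IPTABLES_MULTIPORT" ]; then
 fi
 
 # Trying to better clean up some of my code, so lets try using a blackhole target
-$IPTABLES -N BLACKHOLE
-$IPTABLES -A BLACKHOLE -j DROP
+$IPTABLES -N BLACKHOLE-IN
+$IPTABLES -N BLACKHOLE-OUT
+
 
 
 $IPTABLES -A INPUT -i lo -j ACCEPT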
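Review bot: The new BLACKHOLE-IN and BLACKHOLE-OUT chains are created with `-N` but, unlike the `$IPTABLES -A BLACKHOLE -j DROP` line this hunk removes, never receive a terminating rule in the visible code; an empty user-defined chain simply returns to the calling chain, so any `-j BLACKHOLE-IN` or `-j BLACKHOLE-OUT` jump would pass traffic through instead of dropping it unless the DROP is appended further down, outside this hunk. Add `$IPTABLES -A BLACKHOLE-IN -j DROP` and `$IPTABLES -A BLACKHOLE-OUT -j DROP` directly after the two `-N` lines, or a comment on the "blackhole target" line stating where the chains are populated so a reader does not have to search for it. Any remaining `-j BLACKHOLE` reference elsewhere in the script would now fail at load time since that chain no longer exists; the NTPDDOSRATELIMIT removal in include/functions drops the only such reference visible here, but others may exist outside the hunks.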

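--- a/include/functions
+++ b/include/functions
@@ -160,17 +160,6 @@ function apply_ipv4_hack {
 				fi
 			done
 		;;
-		NTPDDOSRATELIMIT)
-			# Rate limit NTP DDOS UDP traffic using rules provided on the nanog list by
-			# pashdown@xmission.com
-			$IPTABLES -N NTP
-			$IPTABLES -I BLACKHOLE 1 -m recent --set --name ntpv4blackhole --rsource
-			$IPTABLES -A NTP -m recent --update --seconds 5 --hitcount 20 --name \
-					ntpv4 --rsource -j BLACKHOLE
-			$IPTABLES -A NTP -m recent --update --seconds 5 --hitcount 2 --name \
-					ntpv4blackhole --rsource -j DROP
-			$IPTABLES -A NTP -m recent --set --name ntpv4 --rsource -j ACCEPT
-			$IPTABLES -A INPUT -p udp -m udp --dport 123 -j NTP
 		esac
 		shift
 	done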

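--- a/options.default
+++ b/options.default
@@ -150,10 +150,6 @@ DONTTRACK="127.0.0.1"
 #						I have things going through specific wires for a reason.  This fixes
 #						that and makes it behave as expected.
 #
-# NTPDDOSRATELIMIT   -  Basic form of rate limiting/blocking on incoming NTP traffic
-#						that may cause local NTP server to be used in a DDoS attack.
-#						Not well tested yet, use at own risk.
-#
 #HACK_IPV4="NS-IN-DDOS"
 
 # IP Ranges to block all traffic incoming/outgoing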