New NTP DDoS target hack

master
bbruns 9 years ago
parent 57cc769514
commit a53a37914a
  1. 5
      bin/firewall-sosdg
  2. 11
      include/functions

@ -202,6 +202,11 @@ if [ "$IPTABLES_MULTIPORT" ]; then
esac
fi
# Trying to better clean up some of my code, so lets try using a blackhole target
$IPTABLES -N BLACKHOLE
$IPTABLES -A BLACKHOLE -j DROP
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

@ -159,6 +159,17 @@ function apply_ipv4_hack {
fi
done
;;
NTPDDOSRATELIMIT)
# Rate limit NTP DDOS UDP traffic using rules provided on the nanog list by
# pashdown@xmission.com
$IPTABLES -N NTP
$IPTABLES -I 1 BLACKHOLE -m recent --set --name ntpv4blackhole --rsource
$IPTABLES -A NTP -m recent --update --seconds 5 --hitcount 20 --name \
ntpv4 --rsource -j BLACKHOLE
$IPTABLES -A NTP -m recent --update --seconds 5 --hitcount 2 --name \
ntpv4blackhole --rsource -j DROP
$IPTABLES -A NTP -m recent --set --name ntpv4 --rsource -j ACCEPT
$IPTABLES -A INPUT -p udp -m udp --dport 123 -j NTP
esac
shift
done

Loading…
Cancel
Save