From a53a37914a898e91c5f4143f590cbe58b752abde Mon Sep 17 00:00:00 2001
From: bbruns <bbruns@e5899ace-8841-11de-95b9-8f387cfb8bc3>
Date: Sun, 16 Feb 2014 20:04:24 +0000
Subject: [PATCH] New NTP DDoS target hack

---
 bin/firewall-sosdg |  5 +++++
 include/functions  | 11 +++++++++++
 2 files changed, 16 insertions(+)

diff --git a/bin/firewall-sosdg b/bin/firewall-sosdg
index 58f7c8c..25f486e 100755
--- a/bin/firewall-sosdg
+++ b/bin/firewall-sosdg
@@ -202,6 +202,11 @@ if [ "$IPTABLES_MULTIPORT" ]; then
 	  esac
 fi
 
+# Trying to better clean up some of my code, so lets try using a blackhole target
+$IPTABLES -N BLACKHOLE
+$IPTABLES -A BLACKHOLE -j DROP
+
+
 $IPTABLES -A INPUT -i lo -j ACCEPT
 $IPTABLES -A OUTPUT -o lo -j ACCEPT
 
diff --git a/include/functions b/include/functions
index c78e170..d8323f6 100755
--- a/include/functions
+++ b/include/functions
@@ -159,6 +159,17 @@ function apply_ipv4_hack {
 				fi
 			done
 		;;
+		NTPDDOSRATELIMIT)
+			# Rate limit NTP DDOS UDP traffic using rules provided on the nanog list by
+			# pashdown@xmission.com
+			$IPTABLES -N NTP
+			$IPTABLES -I 1 BLACKHOLE -m recent --set --name ntpv4blackhole --rsource
+			$IPTABLES -A NTP -m recent --update --seconds 5 --hitcount 20 --name \
+					ntpv4 --rsource -j BLACKHOLE
+			$IPTABLES -A NTP -m recent --update --seconds 5 --hitcount 2 --name \
+					ntpv4blackhole --rsource -j DROP
+			$IPTABLES -A NTP -m recent --set --name ntpv4 --rsource -j ACCEPT
+			$IPTABLES -A INPUT -p udp -m udp --dport 123 -j NTP
 		esac
 		shift
 	done