
New NTP DDoS target hack

tags/v1.1
bbruns 6 years ago
parent
commit
1c080183b1
3 changed files with 7 additions and 5 deletions
  1. ChangeLog (+2 -0)
  2. include/functions (+0 -4)
  3. options.default (+5 -1)

ChangeLog (+2 -0)

@@ -2,6 +2,8 @@
- Reorder rules, place allow before block to allow overrides
- Fixes for conntrack rules for better security (added -o/-i)
- Correct some incorrect info in options.default
- Add NTPDDOSRATELIMIT to IPV4_HACKS as a basic protection against being
used as a NTP DDoS source. Not well tested, use at own risk.

1.0 - Brielle Bruns <bruns@2mbit.com>
- Minor tweaks to various config files
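Review bot: the new entry names the variable IPV4_HACKS, but options.default in this same commit declares it as HACK_IPV4; use the real variable name so a user grepping the config finds it. It would also help to state here which value has to be added to HACK_IPV4 to enable the hack, and where the rate-limiting rules themselves live, because the only other code hunk in this commit (include/functions) merely deletes commented-out lines, so this entry is currently the sole record of what was added. Wording: "used as a NTP DDoS source" should read "used as an NTP DDoS source".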


include/functions (+0 -4)

@@ -92,10 +92,6 @@ function iptables_rules_flush {
$VER_IPTABLES -F -t $i &>/dev/null
done
$VER_IPTABLES -X
$VER_IPTABLES -t nat -F
$VER_IPTABLES -t nat -X
$VER_IPTABLES -t mangle -F
$VER_IPTABLES -t mangle -X
#if [ $NAT ] && [ $IP_VERSION == "ipv4" ]; then
# $VER_IPTABLES -F -t nat &>/dev/null
#fi
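Review bot: removing the commented-out NAT guard is a harmless cleanup, but the surrounding context deserves a look while you are here: the loop above silences errors with `&>/dev/null`, whereas the unconditional `$VER_IPTABLES -t nat -F` / `$VER_IPTABLES -t nat -X` lines do not, so when $VER_IPTABLES points at ip6tables on a kernel that has no IPv6 nat table these calls print errors (and would abort the function if the script ever runs under `set -e`). Either restore a guard on $IP_VERSION, as the deleted lines once did, or redirect stderr the way the loop does.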


options.default (+5 -1)

@@ -150,7 +150,11 @@ DONTTRACK="127.0.0.1"
# I have things going through specific wires for a reason. This fixes
# that and makes it behave as expected.
#
HACK_IPV4="NS-IN-DDOS"
# NTPDDOSRATELIMIT - Basic form of rate limiting/blocking on incoming NTP traffic
# that may cause local NTP server to be used in a DDoS attack.
# Not well tested yet, use at own risk.
#
#HACK_IPV4="NS-IN-DDOS"

# IP Ranges to block all traffic incoming/outgoing
# New functionality in 0.9.8 obsoletes BLOCKTCPPORTS and BLOCKUDPPORTS
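Review bot: the new comment documents NTPDDOSRATELIMIT, but the example line beneath it is still `#HACK_IPV4="NS-IN-DDOS"`, so the reader is never shown how to enable the new hack; add NTPDDOSRATELIMIT to the example value (using whatever separator the HACK_IPV4 parser expects). The hunk counts (+5 -1) also suggest that the previously active `HACK_IPV4="NS-IN-DDOS"` line is what the commented-out copy replaced; if so, this commit disables NS-IN-DDOS by default, which the ChangeLog does not mention and which changes the firewall behaviour of anyone who upgrades without editing their options. Finally, the comment should make clear that this rate limit only caps the volume of amplified replies an abused server can emit; it does not stop the server from answering the queries in the first place, which has to be addressed in the NTP daemon's own configuration. Wording: "may cause local NTP server" reads better as "may cause the local NTP server".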

