New NTP DDoS target hack

master
bbruns 2014-02-16 20:35:26 +00:00
parent 1c080183b1
commit 4a36db3579
4 changed files with 3 additions and 19 deletions

View File

@ -2,8 +2,6 @@
- Reorder rules, place allow before block to allow overrides
- Fixes for conntrack rules for better security (added -o/-i)
- Correct some incorrect info in options.default
- Add NTPDDOSRATELIMIT to IPV4_HACKS as a basic protection against being
used as a NTP DDoS source. Not well tested, use at own risk.
1.0 - Brielle Bruns <bruns@2mbit.com>
- Minor tweaks to various config files

View File

@ -203,8 +203,9 @@ if [ "$IPTABLES_MULTIPORT" ]; then
fi
# Trying to better clean up some of my code, so lets try using a blackhole target
$IPTABLES -N BLACKHOLE
$IPTABLES -A BLACKHOLE -j DROP
$IPTABLES -N BLACKHOLE-IN
$IPTABLES -N BLACKHOLE-OUT
$IPTABLES -A INPUT -i lo -j ACCEPT

View File

@ -160,17 +160,6 @@ function apply_ipv4_hack {
fi
done
;;
NTPDDOSRATELIMIT)
# Rate limit NTP DDOS UDP traffic using rules provided on the nanog list by
# pashdown@xmission.com
$IPTABLES -N NTP
$IPTABLES -I BLACKHOLE 1 -m recent --set --name ntpv4blackhole --rsource
$IPTABLES -A NTP -m recent --update --seconds 5 --hitcount 20 --name \
ntpv4 --rsource -j BLACKHOLE
$IPTABLES -A NTP -m recent --update --seconds 5 --hitcount 2 --name \
ntpv4blackhole --rsource -j DROP
$IPTABLES -A NTP -m recent --set --name ntpv4 --rsource -j ACCEPT
$IPTABLES -A INPUT -p udp -m udp --dport 123 -j NTP
esac
shift
done

View File

@ -150,10 +150,6 @@ DONTTRACK="127.0.0.1"
# I have things going through specific wires for a reason. This fixes
# that and makes it behave as expected.
#
# NTPDDOSRATELIMIT - Basic form of rate limiting/blocking on incoming NTP traffic
# that may cause local NTP server to be used in a DDoS attack.
# Not well tested yet, use at own risk.
#
#HACK_IPV4="NS-IN-DDOS"
# IP Ranges to block all traffic incoming/outgoing