
New NTP DDoS target hack

tags/v1.1
bbruns, 6 years ago
parent commit 4a36db3579
4 files changed, 3 additions and 19 deletions
  1. ChangeLog (+0 -2)
  2. bin/firewall-sosdg (+3 -2)
  3. include/functions (+0 -11)
  4. options.default (+0 -4)

ChangeLog (+0 -2)

@@ -2,8 +2,6 @@
- Reorder rules, place allow before block to allow overrides
- Fixes for conntrack rules for better security (added -o/-i)
- Correct some incorrect info in options.default
- Add NTPDDOSRATELIMIT to IPV4_HACKS as a basic protection against being
used as a NTP DDoS source. Not well tested, use at own risk.

1.0 - Brielle Bruns <bruns@2mbit.com>
- Minor tweaks to various config files
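Review bot: the counts for this file (+0 -2, together with +0 -11 in include/functions and +0 -4 in options.default) show the NTPDDOSRATELIMIT entry and its implementation being deleted, yet the commit title is "New NTP DDoS target hack"; either the diff is being viewed against the wrong parent or this commit is a revert, and if it is a revert the ChangeLog should carry a line saying the hack was removed (and why) rather than having the entry silently dropped from the 1.1 section.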


bin/firewall-sosdg (+3 -2)

@@ -203,8 +203,9 @@ if [ "$IPTABLES_MULTIPORT" ]; then
fi

# Trying to better clean up some of my code, so lets try using a blackhole target
$IPTABLES -N BLACKHOLE
$IPTABLES -A BLACKHOLE -j DROP
$IPTABLES -N BLACKHOLE-IN
$IPTABLES -N BLACKHOLE-OUT



$IPTABLES -A INPUT -i lo -j ACCEPT
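Review bot: BLACKHOLE-IN and BLACKHOLE-OUT are created with -N but, unlike BLACKHOLE, receive no terminating rule; an empty user-defined chain just returns to the calling chain, so any later `-j BLACKHOLE-IN` or `-j BLACKHOLE-OUT` would fall through to the rest of INPUT/OUTPUT instead of dropping. Either add `$IPTABLES -A BLACKHOLE-IN -j DROP` and `$IPTABLES -A BLACKHOLE-OUT -j DROP` next to the existing `$IPTABLES -A BLACKHOLE -j DROP`, or say in the comment that the two chains are deliberately left empty as hook points. Note also that the NTP hack in include/functions does `-I BLACKHOLE 1`, so this block has to run before apply_ipv4_hack is called or that insert fails with a missing-chain error.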


include/functions (+0 -11)

@@ -160,17 +160,6 @@ function apply_ipv4_hack {
fi
done
;;
NTPDDOSRATELIMIT)
# Rate limit NTP DDOS UDP traffic using rules provided on the nanog list by
# pashdown@xmission.com
$IPTABLES -N NTP
$IPTABLES -I BLACKHOLE 1 -m recent --set --name ntpv4blackhole --rsource
$IPTABLES -A NTP -m recent --update --seconds 5 --hitcount 20 --name \
ntpv4 --rsource -j BLACKHOLE
$IPTABLES -A NTP -m recent --update --seconds 5 --hitcount 2 --name \
ntpv4blackhole --rsource -j DROP
$IPTABLES -A NTP -m recent --set --name ntpv4 --rsource -j ACCEPT
$IPTABLES -A INPUT -p udp -m udp --dport 123 -j NTP
esac
shift
done
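Review bot: the "blackhole" in this hunk is self-releasing and is better described as a short throttle: the second NTP rule only drops while ntpv4blackhole shows 2 hits within `--seconds 5`, and the first rule only sends a source to BLACKHOLE while ntpv4 shows 20 hits within 5 seconds, so a source that pauses for five seconds is accepted again by the third rule; if a real ban is intended, give the ntpv4blackhole rule a much larger window (e.g. `--seconds 300`) and document the chosen value. Two further points on the same rules: `--hitcount 20` equals the xt_recent default for ip_pkt_list_tot, which is the largest hitcount the module accepts unless ip_pkt_list_tot is raised at module load, so any later attempt to raise the threshold will fail at rule insertion; and the chain is hooked with a plain `-A INPUT -p udp -m udp --dport 123 -j NTP`, so its position relative to the generic allow/block rules depends entirely on where apply_ipv4_hack is invoked, which should be stated in the comment. Finally, the match is on all udp/123 from a source and does not distinguish control queries (the amplification vector) from ordinary time requests, so many clients behind one NAT address are throttled together; restricting control queries in the NTP daemon itself remains the primary fix and the comment should present this as complementary rather than as "protection".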


options.default (+0 -4)

@@ -150,10 +150,6 @@ DONTTRACK="127.0.0.1"
# I have things going through specific wires for a reason. This fixes
# that and makes it behave as expected.
#
# NTPDDOSRATELIMIT - Basic form of rate limiting/blocking on incoming NTP traffic
# that may cause local NTP server to be used in a DDoS attack.
# Not well tested yet, use at own risk.
#
#HACK_IPV4="NS-IN-DDOS"

# IP Ranges to block all traffic incoming/outgoing
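Review bot: this file documents the variable as HACK_IPV4 (`#HACK_IPV4="NS-IN-DDOS"`) while the ChangeLog hunk in the same commit says NTPDDOSRATELIMIT was added to IPV4_HACKS; one of the two names is wrong, and an operator will copy whichever they read first, so align them. The commented example should also show the new value alongside the existing one, e.g. `#HACK_IPV4="NS-IN-DDOS NTPDDOSRATELIMIT"` (assuming values are space-separated, as the shift loop in include/functions suggests), since otherwise the option exists only in prose. "Not well tested yet, use at own risk" should be paired with what the hack actually does (a source sending 20 packets in 5 seconds to udp/123 is dropped) so the operator can judge whether their own NTP clients would trip it.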

