From a53a37914a898e91c5f4143f590cbe58b752abde Mon Sep 17 00:00:00 2001
From: bbruns
Date: Sun, 16 Feb 2014 20:04:24 +0000
Subject: [PATCH] New NTP DDoS target hack
---
 bin/firewall-sosdg | 5 +++++
 include/functions | 11 +++++++++++
 2 files changed, 16 insertions(+)
diff --git a/bin/firewall-sosdg b/bin/firewall-sosdg
index 58f7c8c..25f486e 100755
--- a/bin/firewall-sosdg
+++ b/bin/firewall-sosdg
@@ -202,6 +202,11 @@ if [ "$IPTABLES_MULTIPORT" ]; then
 esac
 fi
+# Trying to better clean up some of my code, so lets try using a blackhole target
+$IPTABLES -N BLACKHOLE
+$IPTABLES -A BLACKHOLE -j DROP
+
+
 $IPTABLES -A INPUT -i lo -j ACCEPT
 $IPTABLES -A OUTPUT -o lo -j ACCEPT
diff --git a/include/functions b/include/functions
index c78e170..d8323f6 100755
--- a/include/functions
+++ b/include/functions
@@ -159,6 +159,17 @@ function apply_ipv4_hack {
 fi
 done
 ;;
+NTPDDOSRATELIMIT)
+# Rate limit NTP DDOS UDP traffic using rules provided on the nanog list by
+# pashdown@xmission.com
+$IPTABLES -N NTP
+$IPTABLES -I 1 BLACKHOLE -m recent --set --name ntpv4blackhole --rsource
+$IPTABLES -A NTP -m recent --update --seconds 5 --hitcount 20 --name \ ntpv4 --rsource -j BLACKHOLE
+$IPTABLES -A NTP -m recent --update --seconds 5 --hitcount 2 --name \ ntpv4blackhole --rsource -j DROP
+$IPTABLES -A NTP -m recent --set --name ntpv4 --rsource -j ACCEPT
+$IPTABLES -A INPUT -p udp -m udp --dport 123 -j NTP
 esac
 shift
 done
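Review bot: The new `BLACKHOLE` chain is created with a bare `$IPTABLES -N BLACKHOLE` and no guard, so if this script is ever run again without an earlier flush/`-X` of user chains (not visible in this hunk) the `-N` fails and the later `-A BLACKHOLE -j DROP` is the only thing that keeps working; if the script does flush first, a one-line comment saying so would save the next reader the question. The chain is also a silent drop with no `LOG` rule ahead of it, which means sources that get blackholed by the NTP hack in this same commit leave no trace for detection or incident response; a rate-limited `$IPTABLES -A BLACKHOLE -m limit --limit 5/min -j LOG --log-prefix "BLACKHOLE: "` before the `DROP` is the usual practitioner addition. The header comment reads as a work note rather than documentation; I would replace it with `# Shared terminal chain: anything jumped here is dropped. Other hacks may insert bookkeeping rules (e.g. -m recent --set) ahead of the DROP, so this chain must exist before apply_ipv4_hack runs.`, with the ordering claim confirmed against where apply_ipv4_hack is called.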
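Review bot: The line `$IPTABLES -I 1 BLACKHOLE -m recent --set --name ntpv4blackhole --rsource` has the chain and the rule number swapped; iptables insert syntax is `-I chain [rulenum]`, so as written iptables treats `1` as the chain name and rejects the rule, the `ntpv4blackhole` list is never populated, and the `--hitcount 2 ... -j DROP` rule in the `NTP` chain can never match. The fix is `$IPTABLES -I BLACKHOLE 1 -m recent --set --name ntpv4blackhole --rsource`. Note that this inserts into the shared `BLACKHOLE` chain rather than `NTP`, so every source dropped via `BLACKHOLE` by any other rule is also added to the NTP blackhole list; if that cross-hack coupling is intended it should be stated in the comment, otherwise the `--set` belongs on the `-j BLACKHOLE` path inside the `NTP` chain. It is also worth a caveat in the comment that per-source `-m recent` limiting only throttles the amplified replies toward a spoofed victim and does not close the monlist/mode-7 amplification vector itself, which needs `restrict ... noquery` (or `disable monitor`) in ntp.conf. The enclosing `apply_ipv4_hack` function and its `case` both begin outside this hunk.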