New NTP DDoS target hack
parent
57cc769514
commit
a53a37914a
@ -202,6 +202,11 @@ if [ "$IPTABLES_MULTIPORT" ]; then
esac
esac
fi
fi
# Trying to better clean up some of my code, so lets try using a blackhole target
$IPTABLES -N BLACKHOLE
$IPTABLES -A BLACKHOLE -j DROP
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
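Review bot: `$IPTABLES -N BLACKHOLE` is not safe to repeat — if the script is run a second time without the user chains being flushed and deleted first (which is not visible in this hunk), `-N` fails with a chain-already-exists error, and if the script runs under `set -e` that aborts the whole run; `$IPTABLES -N BLACKHOLE 2>/dev/null || $IPTABLES -F BLACKHOLE` makes the creation idempotent, and the same applies to `$IPTABLES -N NTP` in the apply_ipv4_hack hunk. The chain drops silently, so a source that trips it leaves no trace for the operator; a rate-limited log line ahead of the DROP, `$IPTABLES -A BLACKHOLE -m limit --limit 5/min -j LOG --log-prefix "BLACKHOLE: "`, shows which sources are being blackholed and for how long. The only rule that jumps to this chain is added in apply_ipv4_hack, so that hack depends on this block having run first; a comment stating that ordering next to `-N BLACKHOLE` would help the next maintainer.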
@ -159,6 +159,17 @@ function apply_ipv4_hack {
fi
fi
done
done
;;
;;
NTPDDOSRATELIMIT)
# Rate limit NTP DDOS UDP traffic using rules provided on the nanog list by
# pashdown@xmission.com
$IPTABLES -N NTP
$IPTABLES -I 1 BLACKHOLE -m recent --set --name ntpv4blackhole --rsource
$IPTABLES -A NTP -m recent --update --seconds 5 --hitcount 20 --name \
ntpv4 --rsource -j BLACKHOLE
$IPTABLES -A NTP -m recent --update --seconds 5 --hitcount 2 --name \
ntpv4blackhole --rsource -j DROP
$IPTABLES -A NTP -m recent --set --name ntpv4 --rsource -j ACCEPT
$IPTABLES -A INPUT -p udp -m udp --dport 123 -j NTP
esac
esac
shift
shift
done
done
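Review bot: `$IPTABLES -I 1 BLACKHOLE -m recent --set --name ntpv4blackhole --rsource` has the chain and rule number swapped — iptables takes `-I chain [rulenum]`, so this names a chain `1` with rule number `BLACKHOLE` and is rejected, which means the ntpv4blackhole list is never populated and the `--hitcount 2 --name ntpv4blackhole` DROP rule in the NTP chain can never match. It should read `$IPTABLES -I BLACKHOLE 1 -m recent --set --name ntpv4blackhole --rsource`. The `-A INPUT -p udp -m udp --dport 123 -j NTP` rule is appended to the end of INPUT, so if an earlier rule already accepts udp/123 (not visible here) the NTP chain never sees that traffic; an `-I` at a known position, or a comment stating the assumed INPUT layout, would make that explicit. `--hitcount 20` is exactly the xt_recent default for `ip_pkt_list_tot`, so raising the hit count later without also raising that module parameter makes the rule insertion fail, and the recent table holds a bounded number of source entries (`ip_list_tot`, 100 by default) that a large spoofed-source flood will cycle through — both limits deserve a comment next to these rules. The `while`/`case` that these lines sit in, inside apply_ipv4_hack, begins outside this hunk.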