New NTP DDoS target hack

bbruns 2014-02-16 20:04:24 +00:00
parent 57cc769514
commit a53a37914a
2 changed files with 16 additions and 0 deletions


@ -202,6 +202,11 @@ if [ "$IPTABLES_MULTIPORT" ]; then
esac esac
fi fi
# Trying to better clean up some of my code, so lets try using a blackhole target
$IPTABLES -N BLACKHOLE
$IPTABLES -A BLACKHOLE -j DROP
$IPTABLES -A INPUT -i lo -j ACCEPT $IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT $IPTABLES -A OUTPUT -o lo -j ACCEPT
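Review bot: `$IPTABLES -N BLACKHOLE` is unguarded, so if this script is ever re-applied on a host whose chains were not flushed and deleted first, chain creation fails with "Chain already exists" and the subsequent `-A BLACKHOLE -j DROP` then appends a second DROP to the old chain; I cannot see whether an earlier part of the file runs `-F`/`-X`, so if it does not, `$IPTABLES -N BLACKHOLE 2>/dev/null || $IPTABLES -F BLACKHOLE` makes the block safe to re-run. Worth a comment here as well: the other file in this commit inserts an NTP-specific `-m recent --set --name ntpv4blackhole` rule at position 1 of this chain, which means any future rule that jumps to BLACKHOLE for a non-NTP reason will also add that source to the ntpv4blackhole list and can get it dropped on port 123. Suggested comment above the `-N`: `# BLACKHOLE is a shared DROP target; callers that need per-source bookkeeping insert their own -m recent --set rule ahead of the DROP, so those lists are shared by every consumer of this chain.`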


@ -159,6 +159,17 @@ function apply_ipv4_hack {
fi fi
done done
;; ;;
NTPDDOSRATELIMIT)
# Rate limit NTP DDOS UDP traffic using rules provided on the nanog list by
# pashdown@xmission.com
$IPTABLES -N NTP
$IPTABLES -I 1 BLACKHOLE -m recent --set --name ntpv4blackhole --rsource
$IPTABLES -A NTP -m recent --update --seconds 5 --hitcount 20 --name \
ntpv4 --rsource -j BLACKHOLE
$IPTABLES -A NTP -m recent --update --seconds 5 --hitcount 2 --name \
ntpv4blackhole --rsource -j DROP
$IPTABLES -A NTP -m recent --set --name ntpv4 --rsource -j ACCEPT
$IPTABLES -A INPUT -p udp -m udp --dport 123 -j NTP
esac esac
shift shift
done done
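Review bot: The insert on the BLACKHOLE chain has its arguments reversed, so the rule is never installed: iptables takes `-I chain [rulenum] rule-spec`, and `-I 1 BLACKHOLE` asks for a chain named `1` with `BLACKHOLE` as the rule number, which errors out and leaves BLACKHOLE as a bare DROP with no `ntpv4blackhole` bookkeeping, so the `--hitcount 2 --name ntpv4blackhole` DROP rule in the NTP chain can never match. The line should read `$IPTABLES -I BLACKHOLE 1 -m recent --set --name ntpv4blackhole --rsource`. Two caveats worth a comment next to these rules: the `-j BLACKHOLE` target assumes the chain has already been created by the other file touched in this commit, and `--hitcount 20` sits exactly at xt_recent's default `ip_pkt_list_tot` of 20, which I believe is the maximum accepted hitcount unless the module is loaded with a larger value — confirm on the target kernels. The enclosing `apply_ipv4_hack` function and its `while`/`case` start before this hunk and close after it.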