On 2013-11-05 04:54, Justin wrote:
> down to port 123 and ports above 1024 for people behind a nat. I was
> also going to place iptables rate limit. Is there anything else I
I have the following rules on my server. As NTP should only reply to the
source address, they should prevent some DDoS:
*filter
# (*filter and COMMIT added so the fragment loads as-is with iptables-restore)
:ntp - [0:0]
:ntpblackhole - [0:0]
# all inbound NTP goes through the ntp chain
-A INPUT -p udp -m udp --dport 123 -j ntp
# already blackholed and still sending (2+ hits in 5 s): refresh the entry and drop
-A ntp -m recent --update --seconds 5 --hitcount 2 --name ntpv4blackhole --rsource -j DROP
# 25+ packets in 5 s from one source: hand it to the blackhole chain
-A ntp -m recent --update --seconds 5 --hitcount 25 --name ntpv4 --rsource -j ntpblackhole
# otherwise record the source and accept
-A ntp -m recent --set --name ntpv4 --rsource -j ACCEPT
# blackhole chain: add the source to the blackhole list, then drop
-A ntpblackhole -m recent --set --name ntpv4blackhole --rsource
-A ntpblackhole -j DROP
COMMIT
Basically what they say is:
- More than 25 packets in 5 seconds? -> Add to temporary blacklist
- Remove system from blacklist if there are fewer than two packets in 5 seconds
One important point about the xt_recent module:
By default it only keeps 256 IPs in the lists and the oldest ones are
dropped out automatically. If you have a system where that limit is
reached easily, you should add something like this to /etc/modules:
xt_recent ip_list_tot=16384
# older kernels also cap the stamps kept per address at ip_pkt_list_tot (default 20), which --hitcount 25 can never reach; on those, add ip_pkt_list_tot=32 to the line above
For me, this has caught 307 IPs within the last 10 days.
Regards,
Daniel
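A way to see exactly what the three rules above do before putting them in front of a live NTP server, as an added example that is not part of the original mail: a small Python model of the xt_recent match semantics (--set, --update with --seconds/--hitcount, the per-address timestamp ring bounded by ip_pkt_list_tot, and the LRU eviction bounded by ip_list_tot), run over constructed traffic. The addresses 10.0.0.1, 10.0.0.2 and 192.0.2.x, the traffic patterns and the function names are constructed for the simulation. The model assumes xt_recent's documented behaviour that --update only refreshes an entry's stamp when the rule matches, and that a --set into a full table evicts the least recently seen address. The second scenario shows why the ip_list_tot default matters: with a tiny table, a flooder interleaved with other sources is evicted before it ever reaches 25 hits, and with the stock ip_pkt_list_tot of 20 stamps per address a --hitcount of 25 cannot match at all.

```python
"""Model of the xt_recent rate limit from the mail above, run over constructed traffic.
Assumed semantics (from xt_recent's documentation): --update only refreshes a stamp
when the rule matches, and a --set into a full table evicts the least recently seen
address. Table parameters mirror the module options ip_list_tot / ip_pkt_list_tot."""
from collections import OrderedDict


class RecentList:
    """One xt_recent table, like /proc/net/xt_recent/ntpv4."""

    def __init__(self, ip_list_tot=100, ip_pkt_list_tot=20):
        self.ip_list_tot = ip_list_tot          # addresses kept before LRU eviction
        self.ip_pkt_list_tot = ip_pkt_list_tot  # timestamps remembered per address
        self.entries = OrderedDict()            # addr -> [stamps], least recently seen first

    def _touch(self, addr, now):
        stamps = self.entries.pop(addr)
        stamps.append(now)
        del stamps[:-self.ip_pkt_list_tot]      # keep only the newest stamps
        self.entries[addr] = stamps             # becomes the most recently seen

    def set(self, addr, now):
        """--set: add the address (evicting the LRU one if the table is full)
        and record a stamp; the match always succeeds."""
        if addr not in self.entries:
            if len(self.entries) >= self.ip_list_tot:
                self.entries.popitem(last=False)
            self.entries[addr] = []
        self._touch(addr, now)
        return True

    def update(self, addr, now, seconds, hitcount):
        """--update --seconds S --hitcount H: match when the address already has
        at least H stamps no older than S seconds, and only then add a stamp."""
        stamps = self.entries.get(addr)
        if stamps is None:
            return False
        hits = sum(1 for s in stamps if now - s <= seconds)
        if hits < hitcount:
            return False
        self._touch(addr, now)
        return True


class NtpFilter:
    """The 'ntp' chain with its 'ntpblackhole' helper, evaluated per packet."""

    def __init__(self, ip_list_tot=100, ip_pkt_list_tot=20):
        self.ntpv4 = RecentList(ip_list_tot, ip_pkt_list_tot)
        self.blackhole = RecentList(ip_list_tot, ip_pkt_list_tot)

    def packet(self, src, now):
        """Verdict for one UDP/123 packet from src at time now (seconds)."""
        # -A ntp -m recent --update --seconds 5 --hitcount 2 --name ntpv4blackhole --rsource -j DROP
        if self.blackhole.update(src, now, seconds=5, hitcount=2):
            return "DROP"
        # -A ntp -m recent --update --seconds 5 --hitcount 25 --name ntpv4 --rsource -j ntpblackhole
        if self.ntpv4.update(src, now, seconds=5, hitcount=25):
            # -A ntpblackhole -m recent --set --name ntpv4blackhole --rsource, then -j DROP
            self.blackhole.set(src, now)
            return "DROP"
        # -A ntp -m recent --set --name ntpv4 --rsource -j ACCEPT
        self.ntpv4.set(src, now)
        return "ACCEPT"


def run(events, **table_params):
    """Feed (time, src) events in time order; return {src: [verdict, ...]}."""
    chain = NtpFilter(**table_params)
    verdicts = {}
    for now, src in sorted(events):
        verdicts.setdefault(src, []).append(chain.packet(src, now))
    return verdicts


def flood_scenario():
    """Constructed traffic: 10.0.0.1 sends 10 pkt/s for 3 s, pauses 6 s, then
    sends 3 more; 10.0.0.2 polls once a minute like a normal client."""
    events = [(i * 0.1, "10.0.0.1") for i in range(30)]
    events += [(9.0 + i * 0.1, "10.0.0.1") for i in range(3)]
    events += [(0.05, "10.0.0.2"), (64.05, "10.0.0.2")]
    return run(events, ip_list_tot=16384, ip_pkt_list_tot=32)


def eviction_scenario():
    """The same flood interleaved with ten other sources, but a table of only
    four addresses: the flooder is evicted before it can reach 25 hits."""
    events = []
    for rnd in range(30):
        t = rnd * 0.1
        events.append((t, "10.0.0.1"))
        events += [(t + 0.001 * (k + 1), f"192.0.2.{k + 1}") for k in range(10)]
    return run(events, ip_list_tot=4, ip_pkt_list_tot=32)


if __name__ == "__main__":
    for name, result in (("flood", flood_scenario()), ("eviction", eviction_scenario())):
        v = result["10.0.0.1"]
        print(f"{name}: 10.0.0.1 accepted {v.count('ACCEPT')}, dropped {v.count('DROP')}")
```

In the flood scenario the first 25 packets are accepted, packet 26 trips the --hitcount 25 rule and lands the source in the blackhole list, and everything after that is dropped until the source has been quiet for more than 5 seconds, which is the "fewer than two packets in 5 seconds" release described above. A single packet sent while the blackhole stamps are still fresh refreshes them and keeps the block in place.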
_______________________________________________
pool mailing list
http://lists.ntp.org/listinfo/pool