* [LARTC] floods
@ 2003-09-12 13:36 raptor
From: raptor @ 2003-09-12 13:36 UTC
To: lartc
After the recent outbreak of Welchia and winblaster, I was wondering about a way to block flooding of pings or similar activity...
My question is what u do to block such floods automatically per IP... what I mean:
Example: I'm aware that I don't want to allow any concentrate IP host/address to send me more than 3 ICMP requests per second.
The question is, is it possible with iptables rules to automatically detect such hosts and ban them... currently I use "-m limit", but this limits the total number of requests... what I need is approximately this (Perl pseudo code below):
for $ip (every IP that tries to ping) {
    $count{$ip}++;
    -j DROP if $count{$ip} > $limit;
}
mind u, it is not necessary for it to be ICMP, it can be something else..
In fact -m limit can do this if I have rules for all offending addresses.. but the problem is that I don't know them in advance, i.e. iptables has to do this classification for me...
any idea?
tia
ps. afaik I think I saw something like this, but can't remember where...
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
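The difference the message describes, between one shared limit and a limit kept per source address, as an added example that is not part of the original message: a token-bucket simulation run over constructed traffic. The two addresses (documentation ranges), the burst size and the 10-second sample are assumptions; only the 3 requests per second figure comes from the post.

```python
from collections import Counter, defaultdict

RATE = 3.0   # ICMP echo requests allowed per second (figure from the post)
BURST = 3.0  # bucket depth; assumed, the post gives no burst size

class TokenBucket:
    """Refills at RATE tokens/s up to BURST; each accepted packet costs one."""
    def __init__(self):
        self.tokens, self.last = BURST, None

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(BURST, self.tokens + (now - self.last) * RATE)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def run(packets, per_source):
    """Return (accepted, dropped) packet counts keyed by source address.

    per_source=False: one shared bucket, as with a single '-m limit' rule.
    per_source=True:  one bucket per source, the behaviour asked for.
    """
    shared = TokenBucket()
    buckets = defaultdict(TokenBucket)
    accepted, dropped = Counter(), Counter()
    for ts, src in packets:
        bucket = buckets[src] if per_source else shared
        (accepted if bucket.allow(ts) else dropped)[src] += 1
    return accepted, dropped

def sample_traffic(seconds=10):
    """Constructed input: one source at 100 pings/s, one at 1 ping/s."""
    flood = [(i / 100.0, "192.0.2.66") for i in range(seconds * 100)]
    normal = [(s + 0.505, "198.51.100.7") for s in range(seconds)]
    return sorted(flood + normal)

if __name__ == "__main__":
    for mode in (False, True):
        acc, drop = run(sample_traffic(), per_source=mode)
        label = "per-source" if mode else "shared    "
        print(label, dict(acc), "sources with drops:", sorted(drop))
```

With the shared bucket the 1 ping/s source loses packets because the flooding source drains the tokens; with per-source buckets only the flooding source is dropped. In iptables itself, the hashlimit match with `--hashlimit-mode srcip` keeps this kind of per-source bucket in the kernel.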