After the recent outbreak of Welchia and winblaster, I was wondering about a way to
block flooding of pings or such activity...
My question is what you do to block such floods automatically per IP... What I mean:
for example, I'm aware that I don't want to allow any concrete
IP host/address to send to me more than 3 ICMP requests per second.
The question is, is it possible with iptables rules to automatically detect such hosts
and ban them... Currently I use "-m limit", but this
limits the total number of requests... What I need is approximately this (perl
pseudo code below):
my $limit = 3;
my %count;                       # requests seen so far, keyed by source IP
my @pings = ('10.0.0.1') x 5;    # constructed sample: one source sending 5 requests
for my $ip (@pings) {            # every IP that tries to ping, one entry per request
    $count{$ip}++;
    print "-j DROP $ip\n" if $count{$ip} > $limit;   # ban once it exceeds the limit
}
Mind you, it is not necessary to be ICMP, it can be something else...
In fact -m limit can do this if I have rules for all offending addresses... but
the problem is that I don't know them in advance, i.e.
iptables has to do this classification for me...
Any idea?
TIA
PS. AFAIK I think I saw something like this, but can't remember where...
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
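An added example (not from the poster or the list) showing two ways iptables can do the per-source classification asked about above, with hashlimit (a token bucket per source IP) and with the recent match (a per-source packet history, which is what the $count{$ip} pseudo-code does). It assumes the hashlimit and recent matches are available in the kernel and a reasonably current iptables that understands --hashlimit-upto; the chain layout and the MODE/ipt dry-run wrapper are this example's own.

```shell
#!/bin/sh
# Per-source ICMP echo-request throttling with iptables, instead of the
# single global bucket that "-m limit" gives you. Assumed: xt_hashlimit
# and xt_recent are available (both are in mainline kernels).

# MODE=apply runs iptables for real (needs root); anything else only prints
# the commands, so the rules can be reviewed before they touch the firewall.
ipt() {
    if [ "${MODE:-dry}" = "apply" ]; then iptables "$@"; else echo iptables "$@"; fi
}

# Option 1: one token bucket per source IP (--hashlimit-mode srcip).
# Up to $1 echo-requests per second (burst $1) are accepted from each host;
# anything above that from the same host is dropped, other hosts are untouched.
icmp_ratelimit_hashlimit() {
    rate="${1:-3}"
    ipt -A INPUT -p icmp --icmp-type echo-request -m hashlimit \
        --hashlimit-upto "${rate}/sec" --hashlimit-burst "$rate" \
        --hashlimit-mode srcip --hashlimit-name icmp-ping -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type echo-request -j DROP
}

# Option 2: the recent match records each accepted echo-request per source
# (--set). A source that already has $1 requests recorded within the last $2
# seconds matches --hitcount and is dropped; --update refreshes its timestamp
# on every dropped packet, so the host stays blocked for as long as it floods
# and is released automatically once it goes quiet.
icmp_ratelimit_recent() {
    limit="${1:-3}"; window="${2:-1}"
    ipt -A INPUT -p icmp --icmp-type echo-request -m recent --name pingflood \
        --update --seconds "$window" --hitcount "$limit" -j DROP
    ipt -A INPUT -p icmp --icmp-type echo-request -m recent --name pingflood \
        --set -j ACCEPT
}

# Dry-run demo: prints the hashlimit variant for 3 requests/second per host.
icmp_ratelimit_hashlimit 3
```

Run with MODE=apply as root to install the rules for real; swap `-p icmp --icmp-type echo-request` for another protocol/port match to apply the same per-source logic to non-ICMP traffic.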