floods

Linux Advanced Routing and Traffic Control

After the recent outbreak of Welchia and winblaster, I was wondering of a way to block flooding of pings or such activity...
My question is what you do to block such floods automatically per IP... what I mean:
Example: I'm aware that I don't want to allow any concrete IP host/address to send to me more than 3 ICMP requests per second.
The question is, is it possible with iptables rules to automatically detect such HOSTs and ban them... Currently I use "-m limit", but this
limits the total number of requests... What I need is approximately this (Perl pseudo code below):

for $ip (every IP that tries to ping) {
  $count{$ip}++;
  -j DROP if $count{$ip} > $limit;
}

Mind you, it is not necessary to be ICMP; it can be something else..
In fact -m limit can do this if I have rules for all offending addresses.. but the problem is that I don't know them in advance, i.e.
iptables has to do this classification for me...


Any idea?
TIA

PS. AFAIK I think I saw something like this, but can't remember where...
_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
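One way to get the per-source classification the message asks for, as an added example that is not part of the original post or of the LARTC HOWTO: the iptables hashlimit match keeps one token bucket per source address, where -m limit keeps a single global one. The chain name ICMP_FLOOD, the hashlimit table name icmp_src and the rate/burst values are my own choices, and the script assumes an iptables build that has the hashlimit match.

```shell
#!/bin/sh
# Added example, not from the original post. Per-source ICMP echo-request
# rate limiting with the iptables hashlimit match.
# Assumptions: iptables with the hashlimit match; the printed commands are
# run as root. -m limit is one global token bucket; -m hashlimit with
# --hashlimit-mode srcip keeps a separate bucket per source address, so a
# single flooding host is dropped while everyone else keeps getting replies.

# Print the rules for a given rate and burst instead of executing them, so
# the policy can be reviewed (or diffed) before it touches a live firewall.
icmp_per_source_rules() {
    rate="$1"    # e.g. 3/second (per source address)
    burst="$2"   # packets a source may send before the rate applies
    ipt="${IPTABLES:-iptables}"
    # Dedicated chain so the policy can be flushed and re-applied on its own.
    echo "$ipt -N ICMP_FLOOD 2>/dev/null"
    echo "$ipt -F ICMP_FLOOD"
    # Sources still within their own bucket are accepted.
    # (Very old iptables builds spell --hashlimit-upto as --hashlimit.)
    echo "$ipt -A ICMP_FLOOD -m hashlimit --hashlimit-name icmp_src --hashlimit-mode srcip --hashlimit-upto $rate --hashlimit-burst $burst -j ACCEPT"
    # Anything beyond that is logged (the log itself rate-limited) and dropped.
    echo "$ipt -A ICMP_FLOOD -m limit --limit 1/minute -j LOG --log-prefix 'icmp-flood: '"
    echo "$ipt -A ICMP_FLOOD -j DROP"
    # Only echo-requests are sent through the chain; other ICMP is untouched.
    echo "$ipt -I INPUT -p icmp --icmp-type echo-request -j ICMP_FLOOD"
}

# Number of commands generated, for a quick sanity check.
rule_count() {
    icmp_per_source_rules "$1" "$2" | wc -l | tr -d ' '
}

# Default: 3 echo-requests per second per source, burst of 5.
icmp_per_source_rules "${1:-3/second}" "${2:-5}"
```

Pipe the output into sh as root to apply it; the same pattern works for any protocol by changing the hook rule, which is the "not necessarily ICMP" case the post mentions.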
