AntiProxy wrote:
Actually, it's an external attack, apparently from a whole bunch of compromised machines.
Do you have any idea who initiated the attack and / or why?
One thing I thought of was to pipe tcpdump's output into a couple of awks and seds and generate iptables rules on the fly.
Something you might consider would be to look at either how the ULog daemon works, or possibly NetLink (CONFIG_IP_NF_QUEUE) directly. Either way, I believe it would be possible to write a daemon that can have the kernel communicate which packets it is seeing that are not already (explicitly) processed by IPTables rules and then use a different method (NetFilter APIs?) to dynamically update the firewall rule(s) on the fly. I have no experience in this area, probably evident by using the wrong terms / names for the existing resources to communicate with the kernel. However I think there is at least a direction to go with this. If you would like help developing such, I'm willing to try to help. Grant...
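The "tcpdump into awk and generate iptables rules on the fly" idea from the thread, as an added worked example (not code from either poster): a shell script that counts SYN packets per source address from tcpdump-style text and prints a DROP rule for every source at or above a threshold. The sample capture lines, the documentation-range addresses, the SYN-only filter and the threshold of 3 are all constructed assumptions for the demo; real tcpdump field layout varies with the options used, so the awk field positions should be checked against actual output first.

```shell
#!/bin/sh
# Constructed sample of tcpdump-style lines (not a real capture).
# Layout assumed: <time> IP <src>.<sport> > <dst>.<dport>: Flags [S], ...
SAMPLE_TCPDUMP='12:00:01.000001 IP 198.51.100.7.40001 > 192.0.2.10.80: Flags [S], seq 1, win 65535, length 0
12:00:01.000002 IP 198.51.100.7.40002 > 192.0.2.10.80: Flags [S], seq 2, win 65535, length 0
12:00:01.000003 IP 203.0.113.5.50000 > 192.0.2.10.80: Flags [S], seq 3, win 65535, length 0
12:00:01.000004 IP 198.51.100.7.40003 > 192.0.2.10.80: Flags [S], seq 4, win 65535, length 0
12:00:01.000005 IP 203.0.113.9.50001 > 192.0.2.10.443: Flags [S], seq 5, win 65535, length 0
12:00:01.000006 IP 198.51.100.7.40004 > 192.0.2.10.80: Flags [S], seq 6, win 65535, length 0'

# count_syn_sources: read tcpdump lines on stdin and print "count ip" for
# every source that sent SYN-only packets, highest count first.
count_syn_sources() {
    awk '
        # Only SYN-only packets ("Flags [S]") count toward the source total.
        $2 == "IP" && /Flags \[S\]/ {
            src = $3
            # Strip the trailing ".port" so only the IPv4 address remains.
            sub(/\.[0-9]+$/, "", src)
            count[src]++
        }
        END { for (ip in count) printf "%d %s\n", count[ip], ip }
    ' | sort -rn
}

# make_drop_rules THRESHOLD: emit one iptables DROP rule per source whose SYN
# count is at or above THRESHOLD.  Rules are printed, not applied, so they can
# be reviewed (or piped to sh) by the operator.
make_drop_rules() {
    threshold="$1"
    count_syn_sources | awk -v t="$threshold" '
        $1 >= t { printf "iptables -A INPUT -s %s -p tcp --syn -j DROP\n", $2 }
    '
}

# rules_for_sample THRESHOLD: run the pipeline over the constructed sample.
rules_for_sample() {
    printf '%s\n' "$SAMPLE_TCPDUMP" | make_drop_rules "$1"
}

# Demo: with threshold 3 only 198.51.100.7 (4 SYNs) gets a rule.
rules_for_sample 3
```

In live use the same functions would be fed from `tcpdump -nn -l ... | ...` on a rolling window rather than a static sample, and for a source list in the thousands a set-based match (ipset) scales better than one `-A INPUT` rule per address; keeping the output as printed rules rather than applying them directly is what lets an operator sanity-check the threshold before legitimate clients get dropped.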