Watched a DDoS attack for hours and couldn't do much :S
gtaylor at riverviewtech.net
Mon Nov 27 19:57:26 CET 2006
> Actually, it's an external attack, apparently from a whole bunch of
> compromised machines..
Do you have any idea who initiated the attack and / or why?
> One thing i thought off, was to pipe tcpdump's output into a couple awks
> and seds and generate IPTABLE rules on the fly..
Something you might consider would be to look at either how the ULog daemon
works, or possibly NetLink (CONFIG_IP_NF_QUEUE) directly. Either way, I
believe it would be possible to write a daemon that can have the kernel
communicate which packets it is seeing that are not already (explicitly)
processed by IPTables rules and then use a different method (NetFilter
APIs?) to dynamically update the firewall rule(s) on the fly.
I have no experience in this area, probably evident by using the wrong terms
/ names for the existing resources to communicate with the kernel. However
I think there is at least a direction to go with this. If you would like
help developing such, I'm willing to try to help.
Grant. . . .
More information about the netfilter