Watched a DDoS attack for hours and couldn't do much :S

Taylor, Grant gtaylor at
Mon Nov 27 19:57:26 CET 2006

AntiProxy wrote:
> Actually, it's an external attack, apparently from a whole bunch of
> compromised machines..

Do you have any idea who initiated the attack and / or why?

> One thing i thought off, was to pipe tcpdump's output into a couple awks
> and seds and generate IPTABLE rules on the fly..

Something you might consider would be to look at either how the ULog daemon
works, or possibly NetLink (CONFIG_IP_NF_QUEUE) directly.  Either way, I
believe it would be possible to write a daemon that can have the kernel
communicate which packets it is seeing that are not already (explicitly)
processed by IPTables rules and then use a different method (NetFilter
APIs?) to dynamically update the firewall rule(s) on the fly.

I have no experience in this area, probably evident by using the wrong terms
/ names for the existing resources to communicate with the kernel.  However
I think there is at least a direction to go with this.  If you would like
help developing such, I'm willing to try to help.

Grant. . . .

More information about the netfilter mailing list