after the recent outbreak of Welchia and winblaster, i was wondering of a way to block 
Flooding of pings or such activity...
My question is what u do to block such floods automaticaly per IP...what I mean.
Example I'm aware that I don't want to allow any concentrate IP host/address to send 
to me more than 3 icmp request per second.
The question is it possible with iptables rules to automaticly detect such HOSTs and 
ban it... currently i use  "-m limit", but this
limits the total number of request... what I need is aproximatly this (perl pseudo 
code below):

for $ip (every IP that tries to ping) {
  $count{$ip}++;
  -j DROP if $count{$ip} > $limit;
}

mind u, it is not nececary to be icmp it can be something else..
In fact -m limit can do this if I have rules for all offending addresses.. but the 
problem is that i don't know them in advance i.e.
iptables has to do this classification for me...


any idea ?
tia

ps. afaik i think i saw something like this, but cant remember where...
_______________________________________________
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Reply via email to