Magiobiwan said:

Code:
wget http://darkrai.unovarpgnet.net/antintp.sh -O - | bash

I modified Mun's script slightly to make it also edit /etc/rc.local. The new script version can be found at... No HTTPS for it; my server in SEA doesn't have a cert. You could download over HTTPS I suppose, it'd just complain it's invalid.

Hello everyone,

Normally I'm not one to share stallion code, but after a discussion with a couple staffers we came to the conclusion that the following work must be made public for the 'greater good' and all that righteous crap.

The following blocks NTP packets at the node level (or router level if you're using a linux based setup), before they ever get to your customers. This means that it provides preemptive filtering, instead of after-the-fact-oh-god-my-bandwidth-bills. Stopping NTP amplification floods before the user gets them was the only way for us to morally address users being used in NTP floods, be it now or later on.

This does not patch the users' configuration files by any means. This is entirely node side, done with iptables. You should still make an effort to inform your customers about the dangers of using a bad version of NTP.

First, you must add the following entry to your /etc/sysctl.conf. This makes it so all packets sent over a bridge (for XEN & KVM based VMs) are also filtered.

Code:
net.bridge.bridge-nf-call-iptables = 1

Once this is done, apply the changes:

Code:
sysctl -p

The following rule is what does all the magic. You'll want to put this in /etc/rc.local above the exit 0 so it gets applied on reboot. You should also look at using … as well.

Code:
iptables -I FORWARD -p udp --dport 123 -m u32 --u32 "0x1C=0x1700032a && 0x20=0x00000000" -m comment --comment "NTP amplification packets" -j DROP

You can change the chain from FORWARD to INPUT in the off chance that you want to use this inside a VPS or something like that. It'd be smarter to simply ACL monlist or upgrade your version, but to each their own.

You should feel no performance impact from this rule being in place. Your node will still be smacked with the packets, but nothing will be sent out.

For obvious reasons, I won't be talking to Phill about including this in his node side SolusVM code, but if someone wishes to point him this way, they have my permission to include this.

For the greater good,
Francisco
Your friendly neighborhood hairyman
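The u32 expression in Francisco's rule is terse, so here is an added example (not from his post, not from SolusVM or any script in the thread) that shows what it actually tests. It builds constructed IPv4/UDP packets (addresses, checksums and payloads are all made up here), reproduces the two 32-bit comparisons the way `-m u32` performs them, and decodes the NTP header independently so the two can be compared. The `build_ipv4_udp`, `rule_matches` and `classify_ntp` helpers are this example's own names.

```python
import struct
from typing import Optional

# The post's rule: -m u32 --u32 "0x1C=0x1700032a && 0x20=0x00000000"
# u32 offsets count from the first byte of the IPv4 header, so with a
# 20-byte IP header plus an 8-byte UDP header, 0x1C (28) is the first
# 32-bit word of the NTP payload and 0x20 (32) is the second.
U32_TESTS = ((0x1C, 0x1700032A), (0x20, 0x00000000))

# Constructed sample payloads (not captured traffic).
# Mode 7 "monlist" request: byte 0 = 0x17 -> R=0, M=0, VN=2, Mode=7;
# byte 1 = sequence 0; byte 2 = implementation 3 (XNTPD);
# byte 3 = request code 42 (MON_GETLIST_1); the second word
# (err / item count / mbz / item size) is all zero in a request.
MONLIST_REQUEST = bytes.fromhex("1700032a00000000")
# Ordinary NTPv4 client poll: byte 0 = 0x23 -> LI=0, VN=4, Mode=3; 48 bytes.
CLIENT_POLL = bytes([0x23]) + bytes(47)


def build_ipv4_udp(payload: bytes, dport: int = 123, sport: int = 123,
                   options: bytes = b"") -> bytes:
    """Wrap payload in minimal IPv4 + UDP headers (constructed addresses,
    zero checksums). `options` lets us test a non-20-byte IP header."""
    assert len(options) % 4 == 0
    ihl = 5 + len(options) // 4
    total = ihl * 4 + 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + options
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return ip + udp + payload


def u32_at(pkt: bytes, offset: int) -> Optional[int]:
    """Big-endian 32-bit read at a fixed offset from the IP header, as -m u32
    does. Returns None when the packet is too short, which fails the test."""
    if offset + 4 > len(pkt):
        return None
    return struct.unpack_from("!I", pkt, offset)[0]


def rule_matches(pkt: bytes) -> bool:
    """Evaluate the post's rule: IPv4, UDP, dport 123, both u32 tests true."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return False
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 17 or len(pkt) < ihl + 8:      # byte 9 is the IP protocol
        return False
    dport = struct.unpack_from("!H", pkt, ihl + 2)[0]
    if dport != 123:
        return False
    return all(u32_at(pkt, off) == want for off, want in U32_TESTS)


def classify_ntp(pkt: bytes) -> str:
    """Decode the NTP header properly (honouring IHL) so we can see what
    the fixed-offset rule catches and what it misses."""
    ihl = (pkt[0] & 0x0F) * 4
    payload = pkt[ihl + 8:]
    if len(payload) < 4:
        return "short"
    mode = payload[0] & 0x07
    if mode != 7:
        return f"mode{mode}"
    impl, req = payload[2], payload[3]
    if impl == 3 and req == 42:
        return "mode7-monlist"
    return f"mode7-impl{impl}-req{req}"


if __name__ == "__main__":
    samples = {
        "monlist": build_ipv4_udp(MONLIST_REQUEST),
        "client poll": build_ipv4_udp(CLIENT_POLL),
        "monlist + IP options": build_ipv4_udp(MONLIST_REQUEST, options=b"\x01" * 4),
    }
    for name, pkt in samples.items():
        print(f"{name:22} decode={classify_ntp(pkt):14} rule drops={rule_matches(pkt)}")
```

Two things the run makes visible. The rule only drops the inbound monlist request (XNTPD implementation, request code 42); ordinary mode 3 client polls pass, which is why the node keeps receiving the flood but the VMs stop answering it. And because the offsets are fixed, a packet carrying IP options (IHL > 5) shifts the NTP payload four bytes to the right and slips past the match even though the decoder still identifies it as monlist; u32's `0>>22&0x3C@` prefix, which reads the IHL and skips the header dynamically, avoids that gap at the cost of a longer expression.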