vampire.m4: Log messages when rejecting DNS DDOS packets.

author Mark Wooding <mdw@distorted.org.uk>

Thu, 23 Jul 2009 11:24:08 +0000 (12:24 +0100)

committer Mark Wooding <mdw@distorted.org.uk>

Thu, 23 Jul 2009 11:24:08 +0000 (12:24 +0100)
author Mark Wooding <mdw@distorted.org.uk>
Thu, 23 Jul 2009 11:24:08 +0000 (12:24 +0100)
committer Mark Wooding <mdw@distorted.org.uk>
Thu, 23 Jul 2009 11:24:08 +0000 (12:24 +0100)
diff --git a/vampire.m4 b/vampire.m4

index 3a389caec2d4d0d575f89a2f5fc79c3658bd39b5..05a3293123077b969b9cd48ed8c3ee22d33f495c 100644 (file)
--- a/vampire.m4
+++ b/vampire.m4
@@ -36,10 +36,15 @@ m4_divert(-1)
  ###--------------------------------------------------------------------------
  ### vampire-specific rules.
  
  ###--------------------------------------------------------------------------
  ### vampire-specific rules.
  
+m4_divert(35)m4_dnl
+errorchain ddos-evil-dns DROP
+## Invalid DNS request with probably-forged sender address, with intent to
+## cause DDOS.
+
  m4_divert(82)m4_dnl
  ## Repelling evil DDos attack.
  run ipset -N ddos-evil-dns iphash 2>/dev/null || :
  m4_divert(82)m4_dnl
  ## Repelling evil DDos attack.
  run ipset -N ddos-evil-dns iphash 2>/dev/null || :
-run iptables -A inbound -j DROP \
+run iptables -A inbound -g ddos-evil-dns \
         -m set --set ddos-evil-dns src \
         -p udp --destination-port $port_dns
  
         -m set --set ddos-evil-dns src \
         -p udp --destination-port $port_dns
author	Mark Wooding <mdw@distorted.org.uk>
	Thu, 23 Jul 2009 11:24:08 +0000 (12:24 +0100)
committer	Mark Wooding <mdw@distorted.org.uk>
	Thu, 23 Jul 2009 11:24:08 +0000 (12:24 +0100)