Re: Virus Attack & String Matching

[Rudi Starcevic <tech@wildcash.com>]

Hi Erik,

You can use mod_security, http://www.modsecurity.org/,
to match strings and drop packets for your Apache web server.

An option is to use Iptables for rate limiting and mod_security
for string matching and http deny.

This is my tatic, would be keen to hear of any better techniques.

HTH

Kind regards,
Rudi.

erikbaar@gmail.com wrote:

> Hello,
> 
> I've recently had to setup string matching to save a sever that was
> the subject of a virus DDOS attack, two of the domains on the server
> were recieving thousands of HTTP Get requests.  After setting up a
> limit rule to slow it down and patch the kernel, I setup a filter like
> this:
> 
> iptables -I INPUT -p tcp -d DEST_IP --dport -m string --string "GET
> /1.jpg" -j DROP
> iptables -I INPUT -p tcp -d DEST_IP --dport -m string --string "GET
> /get.php" -j DROP
> 
> Which dropped the traffic but caused Apache to generate 408 errors for
> every connection that was made.  First question, is there a better or
> alternate way to do this?  I've read people have recommended against
> string matching before but never found a good alternative.  Second, is
> there a way I can have IP tables on a match insert a DROP rule for the
> source IP address?  I wrote a script which did this based out of -j
> LOG output but would rather have it run everything automagically.
> 
> Regards,
> 
> Erik
> 
> 
> 


-- 

Regards,
Rudi.

Internet Media Productions