* Limit Virus Effects on Web Server
@ 2005-01-05 14:44 Benjamin Bostow
  2005-01-06 23:48 ` Jose Maria Lopez
  0 siblings, 1 reply; 3+ messages in thread
From: Benjamin Bostow @ 2005-01-05 14:44 UTC (permalink / raw)
  To: netfilter

I have a gateway that directs all internal web traffic to my website.
The site makes use of extensive DB calls. When someone with a virus
that connects to port 80 plugs in behind the gateway the DB goes to
100% CPU usage. I am trying to limit this and try to filter out virus
traffic from browser/user traffic. I was thinking I could use kinda the
same rule as I have for preventing ping attacks but it doesn't seem to
work. I have tried using "iptables -t nat -I PREROUTING 1 -p tcp -m tcp
--dport 80 -m limit --limit 5/s --limit-burst 10 -j redirection_chain". 
It seems that all traffic no matter how great still goes to my
webserver. Also, is there a way to drop packets over a certain amount
per time from one user?

Benjamin
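Added example, not a rule set from the thread: a per-client limit on port-80 connection attempts built with the hashlimit match (assumed to be available in the kernel and iptables in use; older iptables releases spell `--hashlimit-upto` as `--hashlimit`). Two points differ from the rule Benjamin tried. `-m limit` keeps one token bucket shared by everyone, so a single infected host spends the whole budget and legitimate clients are throttled with it, whereas hashlimit with `--hashlimit-mode srcip` keeps a bucket per source address. And a limit match placed in front of a jump only decides which packets take the jump; packets over the rate fall through to the next rule rather than being dropped, and the nat table only sees the first packet of each connection anyway, so the drop belongs in the filter table. The chain name HTTP_LIMIT, the rate, the burst and the log prefix are constructed values.

```shell
#!/bin/sh
# Per-source rate limit for new HTTP connections crossing a Linux gateway.
# Added example; assumes the hashlimit match is available and that the
# traffic is forwarded (FORWARD chain). Dry run by default: the rules are
# printed. Pass "apply" as the first argument to really install them.
if [ "${1:-}" = "apply" ]; then IPTABLES=iptables; else IPTABLES=echo; fi

# Tunables (constructed values): new connections per client per second, burst.
RATE="${RATE:-5/second}"
BURST="${BURST:-10}"

# Emits (or applies) the whole rule set through $IPTABLES, so the same
# function serves as the dry run and as the real installation.
http_ratelimit_rules() {
    # 1. A dedicated chain in the filter table, so the policy can be flushed
    #    and reloaded without touching the rest of the firewall.
    $IPTABLES -t filter -N HTTP_LIMIT 2>/dev/null || true
    $IPTABLES -t filter -F HTTP_LIMIT

    # 2. Each client may open up to $BURST connections at once, then $RATE.
    #    hashlimit keeps one bucket per source IP (--hashlimit-mode srcip);
    #    "-m limit" alone keeps a single bucket shared by all clients.
    #    Matching on --syn counts connection attempts, not every packet.
    $IPTABLES -t filter -A HTTP_LIMIT -p tcp --syn --dport 80 \
        -m hashlimit --hashlimit-name http_per_src --hashlimit-mode srcip \
        --hashlimit-upto "$RATE" --hashlimit-burst "$BURST" -j RETURN

    # 3. Attempts above the per-client budget are logged (at most one line a
    #    minute, so the log itself cannot be flooded) and then dropped.
    $IPTABLES -t filter -A HTTP_LIMIT -p tcp --syn --dport 80 \
        -m limit --limit 1/minute -j LOG --log-prefix "http-flood: "
    $IPTABLES -t filter -A HTTP_LIMIT -p tcp --syn --dport 80 -j DROP

    # 4. Hook the chain in at the top of FORWARD. Here a DROP is final; in the
    #    nat table a packet that misses the limit match just skips the jump.
    $IPTABLES -t filter -I FORWARD 1 -p tcp --syn --dport 80 -j HTTP_LIMIT
}

http_ratelimit_rules
```

Run it without arguments first and read the printed rules; `iptables -t filter -L HTTP_LIMIT -v -n` after applying shows per-rule counters, so the DROP counter tells you whether anyone is actually hitting the limit.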




* Re: Limit Virus Effects on Web Server
  2005-01-05 14:44 Limit Virus Effects on Web Server Benjamin Bostow
@ 2005-01-06 23:48 ` Jose Maria Lopez
  2005-01-07  9:47   ` ASHISH
  0 siblings, 1 reply; 3+ messages in thread
From: Jose Maria Lopez @ 2005-01-06 23:48 UTC (permalink / raw)
  To: netfilter@lists.netfilter.org

On Wed, 05 Jan 2005 at 15:44, Benjamin Bostow wrote:
> I have a gateway that directs all internal web traffic to my website.
> The site makes use of extensive DB calls. When someone with a virus
> that connects to port 80 plugs in behind the gateway the DB goes to
> 100% CPU usage. I am trying to limit this and try to filter out virus
> traffic from browser/user traffic. I was thinking I could use kinda the
> same rule as I have for preventing ping attacks but it doesn't seem to
> work. I have tried using "iptables -t nat -I PREROUTING 1 -p tcp -m tcp
> --dport 80 -m limit --limit 5/s --limit-burst 10 -j redirection_chain". 
> It seems that all traffic no matter how great still goes to my
> webserver. Also, is there a way to drop packets over a certain amount
> per time from one user?
> 
> Benjamin

Maybe an IPS like snort with the bleeding-rules can be useful to
drop some of this traffic.

-- 
Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
SPAIN

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"




* Re: Limit Virus Effects on Web Server
  2005-01-06 23:48 ` Jose Maria Lopez
@ 2005-01-07  9:47   ` ASHISH
  0 siblings, 0 replies; 3+ messages in thread
From: ASHISH @ 2005-01-07  9:47 UTC (permalink / raw)
  To: netfilter

If you are aware of the IPs from which viral traffic is bombarding
requests, then you can tighten the limit match for those IPs. But if
it is a DDoS attack, then netfilter cannot do much.

We are experimenting with netfilter along with scripting over in-house built
algorithms. For example, we analyse internet traffic periodically, and the
scripts insert and remove rules into netfilter, generally once a day.

On 07 Jan 2005 00:48:49 +0100, Jose Maria Lopez <jkerouac@bgsec.com> wrote:
> On Wed, 05 Jan 2005 at 15:44, Benjamin Bostow wrote:
> > I have a gateway that directs all internal web traffic to my website.
> > The site makes use of extensive DB calls. When someone with a virus
> > that connects to port 80 plugs in behind the gateway the DB goes to
> > 100% CPU usage. I am trying to limit this and try to filter out virus
> > traffic from browser/user traffic. I was thinking I could use kinda the
> > same rule as I have for preventing ping attacks but it doesn't seem to
> > work. I have tried using "iptables -t nat -I PREROUTING 1 -p tcp -m tcp
> > --dport 80 -m limit --limit 5/s --limit-burst 10 -j redirection_chain".
> > It seems that all traffic no matter how great still goes to my
> > webserver. Also, is there a way to drop packets over a certain amount
> > per time from one user?
> >
> > Benjamin
> 
> Maybe an IPS like snort with the bleeding-rules can be useful to
> drop some of this traffic.
> 
> --
> Jose Maria Lopez Hernandez
> Technical Director of bgSEC
> jkerouac@bgsec.com
> bgSEC Seguridad y Consultoria de Sistemas Informaticos
> http://www.bgsec.com
> SPAIN
> 
> The only people for me are the mad ones -- the ones who are mad to live,
> mad to talk, mad to be saved, desirous of everything at the same time,
> the ones who never yawn or say a commonplace thing, but burn, burn, burn
> like fabulous yellow Roman candles.
>                 -- Jack Kerouac, "On the Road"
> 
> 


-- 
cheers
Ashish
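Added example, not Ashish's in-house scripts: a log-driven refresh of the kind he describes, in POSIX sh with awk. It counts requests per client address in a web-server access log (common log format, client address in the first field; the sample log below is constructed), and rebuilds a dedicated chain that puts only the addresses above a threshold on a tight per-address limit. Because the chain is flushed and rebuilt on every run, a daily cron job replaces yesterday's entries instead of accumulating them. The chain name HTTP_SUSPECT, the thresholds, the limit values and the assumption that the gateway passes the traffic through FORWARD are mine; by default the script only prints the rules, and installs them only when given "apply".

```shell
#!/bin/sh
# Periodic, log-driven tightening of the limit match for noisy sources.
# Added example. Dry run by default (rules are printed); pass "apply" as the
# first argument to install them. Assumes traffic crosses FORWARD.
if [ "${1:-}" = "apply" ]; then IPTABLES=iptables; else IPTABLES=echo; fi

# Constructed sample access log: one client hammering the site, two normal ones.
sample_log() {
    i=0
    while [ "$i" -lt 30 ]; do
        echo '192.0.2.10 - - [07/Jan/2005:09:00:01 +0000] "GET /index.php HTTP/1.1" 200 512'
        i=$((i + 1))
    done
    echo '198.51.100.7 - - [07/Jan/2005:09:00:02 +0000] "GET /search.php?q=x HTTP/1.1" 200 2048'
    echo '198.51.100.7 - - [07/Jan/2005:09:00:05 +0000] "GET /style.css HTTP/1.1" 200 300'
    echo '198.51.100.7 - - [07/Jan/2005:09:00:09 +0000] "GET /logo.png HTTP/1.1" 200 4096'
    echo '203.0.113.5 - - [07/Jan/2005:09:01:00 +0000] "GET /index.php HTTP/1.1" 200 512'
    echo '203.0.113.5 - - [07/Jan/2005:09:01:03 +0000] "GET /about.php HTTP/1.1" 200 700'
}

# offenders THRESHOLD: stdin is the access log, stdout lists the client
# addresses that made at least THRESHOLD requests, busiest first.
offenders() {
    awk -v t="$1" '{ n[$1]++ } END { for (ip in n) if (n[ip] >= t) print n[ip], ip }' |
        sort -rn | awk '{ print $2 }'
}

# block_rules: stdin is the offender list; the HTTP_SUSPECT chain is rebuilt
# from scratch so addresses missing from today's list are released again.
block_rules() {
    $IPTABLES -t filter -N HTTP_SUSPECT 2>/dev/null || true
    $IPTABLES -t filter -F HTTP_SUSPECT
    while read -r ip; do
        # A suspect address still gets a trickle (1 new connection/s, burst 5)
        # so a false positive degrades rather than disappears...
        $IPTABLES -t filter -A HTTP_SUSPECT -s "$ip" -p tcp --syn --dport 80 \
            -m limit --limit 1/second --limit-burst 5 -j RETURN
        # ...and every connection attempt beyond that is dropped.
        $IPTABLES -t filter -A HTTP_SUSPECT -s "$ip" -p tcp --syn --dport 80 -j DROP
    done
    # Make sure FORWARD consults the chain exactly once (-C needs iptables
    # 1.4.11 or later; it reports whether the rule is already present).
    $IPTABLES -t filter -C FORWARD -p tcp --dport 80 -j HTTP_SUSPECT 2>/dev/null ||
        $IPTABLES -t filter -I FORWARD 1 -p tcp --dport 80 -j HTTP_SUSPECT
}

# Typical cron entry point: refresh_from_log /path/to/access.log 200
refresh_from_log() {
    offenders "$2" < "$1" | block_rules
}

# Demonstration on the constructed log with a threshold of 10 requests.
sample_log | offenders 10 | block_rules
```

The threshold should come from the site's own baseline (the busiest legitimate client over the same window), and the printed rules are worth reviewing before the first real "apply"; once installed, `iptables -t filter -L HTTP_SUSPECT -v -n` shows which addresses are actually being dropped.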


