* Limit Virus Effects on Web Server
From: Benjamin Bostow @ 2005-01-05 14:44 UTC
To: netfilter

I have a gateway that directs all internal web traffic to my website. The site makes use of extensive DB calls. When someone with a virus that connects to port 80 plugs in behind the gateway the DB goes to 100% CPU usage. I am trying to limit this and try to filter out virus traffic from browser/user traffic.

I was thinking I could use kinda the same rule as I have for preventing ping attacks but it doesn't seem to work. I have tried using "iptables -t nat -I PREROUTING 1 -p tcp -m tcp --dport 80 -m limit --limit 5/s --limit-burst 10 -j redirection_chain". It seems that all traffic no matter how great still goes to my webserver.

Also, is there a way to drop packets over a certain amount per time from one user?

Benjamin

* Re: Limit Virus Effects on Web Server
From: Jose Maria Lopez @ 2005-01-06 23:48 UTC
To: netfilter@lists.netfilter.org

On Wed, 05 Jan 2005 at 15:44, Benjamin Bostow wrote:
> I have a gateway that directs all internal web traffic to my website.
> The site makes use of extensive DB calls. When someone with a virus
> that connects to port 80 plugs in behind the gateway the DB goes to
> 100% CPU usage. I am trying to limit this and try to filter out virus
> traffic from browser/user traffic. I was thinking I could use kinda the
> same rule as I have for preventing ping attacks but it doesn't seem to
> work. I have tried using "iptables -t nat -I PREROUTING 1 -p tcp -m tcp
> --dport 80 -m limit --limit 5/s --limit-burst 10 -j redirection_chain".
> It seems that all traffic no matter how great still goes to my
> webserver. Also, is there a way to drop packets over a certain amount
> per time from one user?
>
> Benjamin

Maybe an IPS like snort with the bleeding-rules can be useful to
drop some of this traffic.

--
Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
SPAIN

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"

* Re: Limit Virus Effects on Web Server
From: ASHISH @ 2005-01-07 9:47 UTC
To: netfilter

If you are aware of the IPs from which viral traffic is bombarding
requests, then you can tighten the limit match for those IPs. But if it
is a DDoS attack, then netfilter cannot do much.

We are experimenting with netfilter along with scripting over in-house
built algorithms. Like, we analyse internet traffic periodically, and the
scripts insert and remove rules into netfilter, generally once a day.

On 07 Jan 2005 00:48:49 +0100, Jose Maria Lopez <jkerouac@bgsec.com> wrote:
> On Wed, 05 Jan 2005 at 15:44, Benjamin Bostow wrote:
> > I have a gateway that directs all internal web traffic to my website.
> > The site makes use of extensive DB calls. When someone with a virus
> > that connects to port 80 plugs in behind the gateway the DB goes to
> > 100% CPU usage. I am trying to limit this and try to filter out virus
> > traffic from browser/user traffic. I was thinking I could use kinda the
> > same rule as I have for preventing ping attacks but it doesn't seem to
> > work. I have tried using "iptables -t nat -I PREROUTING 1 -p tcp -m tcp
> > --dport 80 -m limit --limit 5/s --limit-burst 10 -j redirection_chain".
> > It seems that all traffic no matter how great still goes to my
> > webserver. Also, is there a way to drop packets over a certain amount
> > per time from one user?
> >
> > Benjamin
>
> Maybe an IPS like snort with the bleeding-rules can be useful to
> drop some of this traffic.
>
> --
> Jose Maria Lopez Hernandez
> Technical Director of bgSEC
> jkerouac@bgsec.com
> bgSEC Seguridad y Consultoria de Sistemas Informaticos
> http://www.bgsec.com
> SPAIN
>
> The only people for me are the mad ones -- the ones who are mad to live,
> mad to talk, mad to be saved, desirous of everything at the same time,
> the ones who never yawn or say a commonplace thing, but burn, burn, burn
> like fabulous yellow Roman candles.
> -- Jack Kerouac, "On the Road"
>
>

--
cheers
Ashish
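
An added example, not part of the thread and not netfilter code: a small token-bucket model of the `limit` match with the thread's `5/s`, burst `10` settings, showing that one rule keeps a single bucket shared by every sender and that packets over the limit simply do not match and continue to whatever rule comes next. The per-source mode models one bucket per source address (what the `hashlimit` match in `srcip` mode provides); the addresses and traffic rates are constructed.

```python
from collections import defaultdict

class TokenBucket:
    """Model of '-m limit --limit RATE/s --limit-burst BURST' (integer ms credit)."""
    def __init__(self, rate_per_s, burst):
        self.cost = 1000 // rate_per_s        # credit (ms) consumed by one match
        self.cap = self.cost * burst          # a full bucket allows BURST matches
        self.credit, self.last = self.cap, 0

    def matches(self, now_ms):
        # Credit grows with elapsed time on every packet, capped at the burst.
        self.credit = min(self.cap, self.credit + (now_ms - self.last))
        self.last = now_ms
        if self.credit >= self.cost:
            self.credit -= self.cost
            return True       # rule matches: packet jumps to the rule's target
        return False          # no match: packet moves on to the next rule

def run(packets, rate=5, burst=10, per_source=False, fallthrough="ACCEPT"):
    """Count verdicts per source for a list of (time_ms, src) packets.

    fallthrough is what the rest of the ruleset does with packets the limit
    rule did not match: "ACCEPT" (nothing follows it) or "DROP" (explicit rule).
    """
    shared = TokenBucket(rate, burst)
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    stats = defaultdict(lambda: defaultdict(int))
    for now_ms, src in sorted(packets):
        bucket = buckets[src] if per_source else shared
        verdict = "matched" if bucket.matches(now_ms) else fallthrough
        stats[src][verdict] += 1
    return {src: dict(counts) for src, counts in stats.items()}

def sample_traffic():
    """Constructed 2 s of traffic: infected host at 200 pkt/s, browser at 2 pkt/s."""
    worm = [(5 * i, "10.0.0.66") for i in range(400)]
    user = [(250 + 500 * i, "10.0.0.7") for i in range(4)]
    return worm + user

if __name__ == "__main__":
    cases = [("shared bucket, nothing after it", {}),
             ("shared bucket + DROP rule", {"fallthrough": "DROP"}),
             ("per-source bucket + DROP rule",
              {"per_source": True, "fallthrough": "DROP"})]
    for label, kwargs in cases:
        print(label, run(sample_traffic(), **kwargs))
```

With the shared bucket the noisy host uses up every token, so the browser's packets never match the rule at all; with one bucket per source the browser is unaffected and only the noisy host is capped.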