Linux Netfilter discussions
* how to block packets with specific words inside udp datagram???
From: Piotr P. @ 2003-10-12 15:35 UTC
  To: netfilter

Does anybody know how to block Kazaa with iptables?

    Kazaa jumps over ports and hosts (if you block destinations to
kazza.com, rr1.kazza.com & rr2.kazza.com, Kazaa uses IPs of other users that
were cached during the last download of anything from anyone). The key is, Kazaa
uses the same word "KaZaA" inside a UDP datagram. Does anybody know how to
block traffic with this word using iptables?
Below is the sample dump:

a sample dump using udp to communicate with the other users from its
internal table and take note of different port  numbers used because these
are the ports that had been previously connected...

11:03:23.343988 IP fooler.ilo.skyinet.net.1962 > cable-202-8-230-222.d-one.net.2911: udp 12
0x0000  4500 0028 a377 0000 8011 a5d5 ca4e 7642 E..(.w.......NvB
0x0010  ca08 e6de 07aa 0b5f 0014 c401 2700 0000 ......._....'...
0x0020  2980 4b61 5a61 4100                     ).KaZaA.

11:03:23.344282 IP fooler.ilo.skyinet.net.1962 > 202.8.251.31.1278: udp 12
0x0000  4500 0028 a378 0000 8011 9193 ca4e 7642 E..(.x.......NvB
0x0010  ca08 fb1f 07aa 04fe 0014 b621 2700 0000 ...........!'...
0x0020  2980 4b61 5a61 4100                     ).KaZaA.

11:03:23.344524 IP fooler.ilo.skyinet.net.1962 > 202.163.194.3.2844: udp 12
0x0000  4500 0028 a379 0000 8011 ca13 ca4e 7642 E..(.y.......NvB
0x0010  caa3 c203 07aa 0b1c 0014 e884 2700 0000 ............'...
0x0020  2980 4b61 5a61 4100                     ).KaZaA.

11:03:23.344762 IP fooler.ilo.skyinet.net.1962 > 202.69.170.153.3377: udp 12
0x0000  4500 0028 a37a 0000 8011 e1da ca4e 7642 E..(.z.......NvB
0x0010  ca45 aa99 07aa 0d31 0014 fe37 2700 0000 .E.....1...7'...
0x0020  2980 4b61 5a61 4100                     ).KaZaA.




best regards,
PeterP

gadu-gadu: 818854
        e-mail: peterp@poczta.onet.pl
         www:  http://republika.pl/peterp
            cell:  (++48) 606 675 729  (Mon - Fri, 8am-16pm ONLY!)
           ICQ: 217990807





* Re: how to block packets with specific words inside udp datagram???
From: Cedric Blancher @ 2003-10-12 16:19 UTC
  To: Piotr P.; +Cc: netfilter

On Sun 12/10/2003 at 17:35, Piotr P. wrote:
>     Kazaa jumps over ports and hosts (if you block destinations to
> kazza.com, rr1.kazza.com & rr2.kazza.com, Kazaa uses IPs of other users that
> were cached during the last download of anything from anyone). The key is, Kazaa
> uses the same word "KaZaA" inside a UDP datagram. Does anybody know how to
> block traffic with this word using iptables?

You should have a look at the string match that is available in
patch-o-matic. It will allow you to match an arbitrary string within
packet payload.

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE



* Re: how to block packets with specific words inside udp datagram???
From: Chris Brenton @ 2003-10-12 17:50 UTC
  To: Piotr P.; +Cc: netfilter

On Sun, 2003-10-12 at 11:35, Piotr P. wrote:
>
> Does anybody know how to
> block traffic with this word using iptables?

iptables -A FORWARD -p udp -d 0/0 --dport 1024:65535 -m string --string "KaZaA" -j DROP

should do the trick.

HTH,
C
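
[Added example, not part of the original thread.] The Python sketch below decodes the first packet of the tcpdump output quoted above and shows where the "KaZaA" signature sits inside the UDP payload, then checks the same conditions the rule above tests. The function names and the simplified rule check are assumptions made for illustration; the packet bytes are copied from the dump.

```python
import struct

# First packet from the dump in the thread (hex columns only, ASCII column removed).
DUMP = """\
0x0000  4500 0028 a377 0000 8011 a5d5 ca4e 7642
0x0010  ca08 e6de 07aa 0b5f 0014 c401 2700 0000
0x0020  2980 4b61 5a61 4100
"""
SIGNATURE = b"KaZaA"

def dump_to_bytes(dump: str) -> bytes:
    """Turn 'offset  hex hex ...' lines into the raw packet bytes."""
    return bytes.fromhex("".join("".join(l.split()[1:]) for l in dump.splitlines()))

def inspect_udp(packet: bytes, signature: bytes = SIGNATURE) -> dict:
    """Decode the IPv4 and UDP headers and locate the signature in the payload."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4          # IP header length in bytes
    if packet[9] != 17:                   # protocol field: 17 = UDP
        raise ValueError("not UDP")
    if len(packet) < ihl + 8:
        raise ValueError("truncated UDP header")
    sport, dport, ulen, _csum = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    payload = packet[ihl + 8:ihl + ulen]  # UDP length counts its own 8-byte header
    return {
        "src": ".".join(map(str, packet[12:16])),
        "dst": ".".join(map(str, packet[16:20])),
        "sport": sport,
        "dport": dport,
        "payload": payload,
        # Byte offset inside the payload; -1 means the string is absent.
        "sig_offset": payload.find(signature),
    }

def rule_matches(info: dict) -> bool:
    """Simplified model of the rule: UDP, dport 1024-65535, string present."""
    return 1024 <= info["dport"] <= 65535 and info["sig_offset"] >= 0

if __name__ == "__main__":
    info = inspect_udp(dump_to_bytes(DUMP))
    print(info, rule_matches(info))
```

The comparison is byte-exact and per packet, so a differently cased string does not match. On current iptables releases the string match also requires `--algo bm` or `--algo kmp`.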





* RE: how to block packets with specific words inside udp datagram???
From: Mark E. Donaldson @ 2003-10-12 18:59 UTC
  To: Piotr P., netfilter

It's not easy to block.  Take a look at http://www.lowth.com/p2pwall/.  This
will help you immensely.


* Re: how to block packets with specific words inside udp datagram???
From: hare ram @ 2003-10-13  9:04 UTC
  To: netfilter

Hi

String is Pay load for the system
I have tried l7-filter
works well, look at this

l7-filter.sf.net

hare