Virus Attack & String Matching

Linux Netfilter discussions
 help / color / mirror / Atom feed

* Virus Attack & String Matching
@ 2004-08-06  6:09 erikbaar
  2004-08-06  6:21 ` Rudi Starcevic
  0 siblings, 1 reply; 2+ messages in thread
From: erikbaar @ 2004-08-06  6:09 UTC (permalink / raw)
  To: netfilter

Hello,

I've recently had to setup string matching to save a sever that was
the subject of a virus DDOS attack, two of the domains on the server
were recieving thousands of HTTP Get requests.  After setting up a
limit rule to slow it down and patch the kernel, I setup a filter like
this:

iptables -I INPUT -p tcp -d DEST_IP --dport -m string --string "GET
/1.jpg" -j DROP
iptables -I INPUT -p tcp -d DEST_IP --dport -m string --string "GET
/get.php" -j DROP

Which dropped the traffic but caused Apache to generate 408 errors for
every connection that was made.  First question, is there a better or
alternate way to do this?  I've read people have recommended against
string matching before but never found a good alternative.  Second, is
there a way I can have IP tables on a match insert a DROP rule for the
source IP address?  I wrote a script which did this based out of -j
LOG output but would rather have it run everything automagically.

Regards,

Erik

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: Virus Attack & String Matching
  2004-08-06  6:09 Virus Attack & String Matching erikbaar
@ 2004-08-06  6:21 ` Rudi Starcevic
  0 siblings, 0 replies; 2+ messages in thread
From: Rudi Starcevic @ 2004-08-06  6:21 UTC (permalink / raw)
  To: ebaar; +Cc: netfilter

Hi Erik,

You can use mod_security, http://www.modsecurity.org/,
to match strings and drop packets for your Apache web server.

An option is to use Iptables for rate limiting and mod_security
for string matching and http deny.

This is my tatic, would be keen to hear of any better techniques.

HTH

Kind regards,
Rudi.

erikbaar@gmail.com wrote:

> Hello,
> 
> I've recently had to setup string matching to save a sever that was
> the subject of a virus DDOS attack, two of the domains on the server
> were recieving thousands of HTTP Get requests.  After setting up a
> limit rule to slow it down and patch the kernel, I setup a filter like
> this:
> 
> iptables -I INPUT -p tcp -d DEST_IP --dport -m string --string "GET
> /1.jpg" -j DROP
> iptables -I INPUT -p tcp -d DEST_IP --dport -m string --string "GET
> /get.php" -j DROP
> 
> Which dropped the traffic but caused Apache to generate 408 errors for
> every connection that was made.  First question, is there a better or
> alternate way to do this?  I've read people have recommended against
> string matching before but never found a good alternative.  Second, is
> there a way I can have IP tables on a match insert a DROP rule for the
> source IP address?  I wrote a script which did this based out of -j
> LOG output but would rather have it run everything automagically.
> 
> Regards,
> 
> Erik
> 
> 
> 


-- 

Regards,
Rudi.

Internet Media Productions


^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2004-08-06  6:21 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2004-08-06  6:09 Virus Attack & String Matching erikbaar
2004-08-06  6:21 ` Rudi Starcevic

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox