Virus Attack & String Matching

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello,

I've recently had to setup string matching to save a sever that was
the subject of a virus DDOS attack, two of the domains on the server
were recieving thousands of HTTP Get requests.  After setting up a
limit rule to slow it down and patch the kernel, I setup a filter like
this:

iptables -I INPUT -p tcp -d DEST_IP --dport -m string --string "GET
/1.jpg" -j DROP
iptables -I INPUT -p tcp -d DEST_IP --dport -m string --string "GET
/get.php" -j DROP

Which dropped the traffic but caused Apache to generate 408 errors for
every connection that was made.  First question, is there a better or
alternate way to do this?  I've read people have recommended against
string matching before but never found a good alternative.  Second, is
there a way I can have IP tables on a match insert a DROP rule for the
source IP address?  I wrote a script which did this based out of -j
LOG output but would rather have it run everything automagically.

Regards,

Erik


[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux