Re: Virus Attack & String Matching
You can use mod_security, http://www.modsecurity.org/, to match strings and drop packets for your Apache web server.
An option is to use Iptables for rate limiting and mod_security for string matching and http deny.
This is my tactic; I would be keen to hear of any better techniques.
Kind regards, Rudi.
I've recently had to set up string matching to save a server that was the subject of a virus DDoS attack; two of the domains on the server were receiving thousands of HTTP GET requests. After setting up a limit rule to slow it down and patching the kernel, I set up a filter like this:

# DEST_IP and DEST_PORT are placeholders for the web server's address and port;
# the string match module requires --algo (bm = Boyer-Moore)
iptables -I INPUT -p tcp -d DEST_IP --dport DEST_PORT -m string --algo bm --string "GET /1.jpg" -j DROP
iptables -I INPUT -p tcp -d DEST_IP --dport DEST_PORT -m string --algo bm --string "GET /get.php" -j DROP
This dropped the traffic but caused Apache to generate 408 errors for every connection that was made. First question: is there a better or alternate way to do this? I've read that people have recommended against string matching before, but I've never found a good alternative. Second, is there a way I can have iptables, on a match, insert a DROP rule for the source IP address? I wrote a script which did this based on -j LOG output, but would rather have it all run automagically.
Internet Media Productions
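The following script is an added example and is not code from either poster. It combines the three ideas raised in the thread (a per-source rate limit, string matching on the request line, and dropping further traffic from any source that triggers a match) using only standard iptables matches: hashlimit for the rate limit and the recent module for the automatic ban, so no external script parsing -j LOG output is needed. The chain name VIRUSFILTER, the address 192.0.2.10 (a TEST-NET-1 documentation address), the port, the thresholds and the request strings are all placeholders; it assumes a kernel and iptables build with the string, hashlimit and recent modules. IPT defaults to "echo iptables" so the script only prints the rules; set IPT=iptables and run as root to apply them.

```shell
#!/bin/sh
# Added example: iptables rule set for a flood of repeated HTTP GET requests.
# Rules are printed rather than applied unless IPT=iptables is set.
IPT="${IPT:-echo iptables}"
DEST_IP="${DEST_IP:-192.0.2.10}"      # placeholder web server address
DEST_PORT="${DEST_PORT:-80}"          # placeholder web server port
BAN_SECONDS="${BAN_SECONDS:-600}"     # how long a matching source stays banned
RATE="${RATE:-30/second}"             # per-source new-connection rate limit
BURST="${BURST:-60}"

# build_rules SIGNATURE... : emit the rules for chain VIRUSFILTER, which is
# inserted in front of INPUT for TCP traffic to the web server.
build_rules() {
    $IPT -N VIRUSFILTER
    $IPT -I INPUT -p tcp -d "$DEST_IP" --dport "$DEST_PORT" -j VIRUSFILTER

    # 1. Sources already in the "banned" list are dropped at the SYN, so no
    #    connection is ever established and Apache has nothing to time out on.
    #    --update refreshes the timestamp, so the ban extends while the source
    #    keeps sending.
    $IPT -A VIRUSFILTER -m recent --name banned --update --seconds "$BAN_SECONDS" -j DROP

    # 2. Per-source rate limit on new connections (hashlimit keyed by srcip).
    $IPT -A VIRUSFILTER -p tcp --syn -m hashlimit --hashlimit-name http_syn \
        --hashlimit-mode srcip --hashlimit-above "$RATE" --hashlimit-burst "$BURST" -j DROP

    # 3. Request-line signatures: a match records the source in "banned"
    #    (--set) and drops the packet; step 1 then drops everything else
    #    from that source for BAN_SECONDS.
    for sig in "$@"; do
        $IPT -A VIRUSFILTER -m string --algo bm --string "$sig" \
            -m recent --name banned --set -j DROP
    done
}

# Constructed signatures, matching the ones in the thread.
build_rules "GET /1.jpg" "GET /get.php"
```

Because the string match can only fire after the TCP handshake, the first matching request from each source still leaves Apache holding an open connection until its Timeout expires, which is where the 408 entries come from; with the recent-module ban in front, every later packet from that source is dropped at the SYN, so the 408s stop after the first hit per source rather than appearing once per connection. The ban list can be inspected in /proc/net/xt_recent/banned.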