Re: Detecting p2p traffic

Linux Advanced Routing and Traffic Control

Ryan Castellucci wrote:
On 5/7/06, Andrew Beverley <andy@xxxxxxxxxxx> wrote:
After varying degrees of success with p2p detection modules, I
would like to write the following rules using iptables to reliably
identify p2p traffic:

1. If a host on the network has 5 or more simultaneous tcp
connections to ports above 1024, mark all connections to ports 1024
and above as 60.

2. If a host has received (or sent) UDP packets from 5 different hosts' ports above 1024 in a minute then classify all UDP traffic
to and from that host above port 1024 as 60.

Number 1 can almost be achieved using something similar to: iptables .. --dport 1024: -m connlimit --connlimit-above 5 -j MARK --set-mark 60

Unfortunately though it still leaves 5 connections slurping up
plenty of bandwidth.

I have no ideas for number 2.

Anybody any ideas?

Take a look at the 'recent' and 'set' stuff.  You can use it to
create groups of 'naughty' users and match against those groups.
Recent is probably better in this case.

I achieved most of this with 'set'. I create an iptree ipset list that times out after 60 seconds. If the above are detected then the user's IP address is added to the ipset, and any subsequent traffic from the user destined to or from ports above 1024 is marked at a lower priority.

The one thing I haven't managed yet is detecting many different UDP ports within a set time period. Instead I match on UDP traffic packets longer than 1000 bytes, which seems to work on the whole but I'd like to get it to detect on different port numbers as it is less likely to over match.

Andy
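An added example, not from the thread or its authors: a userspace sketch of rule 2 (the part Andy says he has not managed in iptables), counting distinct remote UDP ports above 1024 per local host over a sliding 60-second window and returning the thread's mark 60 while the host's entry is "in the set". The flow records, the local prefix 192.168.1. and the record format are constructed for illustration.

```python
from collections import defaultdict, deque
WINDOW, THRESHOLD, HIGH_PORT, MARK = 60, 5, 1024, 60   # values from the thread
LOCAL_NET = "192.168.1."   # constructed: prefix of "hosts on the network"

# Constructed sample flows "ts src sport dst dport" (UDP, ts in seconds).
SAMPLE = """\
0  192.168.1.10 6881  10.0.0.1 6881
5  192.168.1.10 6881  10.0.0.2 51413
10 192.168.1.10 6881  10.0.0.3 20000
12 10.0.0.3     20000 192.168.1.10 6881
15 192.168.1.10 6881  10.0.0.4 20001
20 192.168.1.20 53000 8.8.8.8 53
25 192.168.1.10 6881  10.0.0.5 20002
30 192.168.1.10 6881  10.0.0.6 20000
95 192.168.1.10 6881  10.0.0.7 30000
"""
def parse(line):
    ts, src, sport, dst, dport = line.split()
    return int(ts), src, int(sport), dst, int(dport)
def local_side(src, sport, dst, dport):
    """(local host, remote port) whichever direction the packet travels."""
    if src.startswith(LOCAL_NET):
        return src, dport
    return (dst, sport) if dst.startswith(LOCAL_NET) else None
class HighPortUdpDetector:
    def __init__(self, window=WINDOW, threshold=THRESHOLD):
        self.window, self.threshold = window, threshold
        self.seen = defaultdict(deque)   # host -> (ts, remote port) in window
        self.flag_until = {}             # host -> expiry of its "naughty" entry

    def mark_for(self, ts, src, sport, dst, dport):
        """Return the mark (60 or 0) this packet gets, updating the window."""
        side = local_side(src, sport, dst, dport)
        if side is None:
            return 0
        host, rport = side
        if rport <= HIGH_PORT:           # low remote ports (e.g. DNS) never count
            return 0
        q = self.seen[host]
        q.append((ts, rport))
        while q[0][0] < ts - self.window:   # slide the one-minute window
            q.popleft()
        if len({p for _, p in q}) >= self.threshold:
            self.flag_until[host] = ts + self.window   # (re)add, 60 s timeout
        return MARK if self.flag_until.get(host, -1) >= ts else 0

def run(text):
    det = HighPortUdpDetector()
    return [det.mark_for(*parse(l)) for l in text.splitlines() if l.strip()]
```

Replaying SAMPLE, the host 192.168.1.10 is marked from its fifth distinct high port onward and drops out again once no packet has refreshed its entry for 60 seconds.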

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
