RE: filtering by packet contents?

Yes this is true but what you can do is this...

Patch in the "string" module as well as the "iplimit" module

Add a rule for "iplimit" to block already registered IPs for xx seconds.
Then add a rule for SYN connections with that --string to add its source to the iplimit table.

Usually the Code Red attacks aren't spoofed (from memory) and are just trying to get in... so after the first attempt, the second/third/fourth will be automatically dropped and won't be looked at by --string, since iplimit blocks before it... get it? This should not stress the CPU as much, I don't think...

Dunno if that made sense or would fully work 100%, but it's an idea I had for other types of problems... PSD is another one...

Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@xxxxxxxxxxxxxxxxxxxxxx

Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au

-----Original Message-----
From: Daniel Chemko [mailto:dchemko@xxxxxxxxxx]
Sent: Wednesday, July 16, 2003 4:23 PM
To: George Vieira
Cc: cc; netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: filtering by packet contents?


George Vieira wrote:

>You can use the p-o-m patch for the string module "-m string --string pattern"
>
>this works and can be used for some funky stuff too like redirecting 1 virtual host on a server to another server which is very handy when a particular virtual host goes down...
>

Just keep in mind that the string patch is VERY heavy on CPU depending 
on how much traffic passes through the rule.
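The two-stage idea George describes above (cheap per-IP block first, expensive --string match only on traffic that gets past it), written out as an added example; this is not a rule set from either poster. Assumptions: the timed "already seen, block for xx seconds" table is implemented with the patch-o-matic `recent` match rather than `iplimit`, since `recent` is the match that keeps a per-source list with a `--seconds` window; the list name `codered`, the 600-second window and the hypothetical `codered_rules` function are this example's own. The Code Red request is identified by the string `default.ida` in its payload. Because a SYN carries no data, the --string rule is applied to packets of the established connection and the source is recorded there; subsequent SYNs from that source are then dropped by the first, cheap rule. By default the script only prints the commands; run it as root with `IPT=iptables` to apply them.

```shell
#!/bin/sh
# Added example, not from the original thread. Two-stage Code Red filter:
# a cheap per-source check in front of the CPU-heavy string match.
#
# IPT defaults to printing the rules so the script is safe to run anywhere;
# set IPT=iptables (as root) to actually load them.
IPT=${IPT:-echo iptables}

TABLE=codered          # name of the recent list (hypothetical)
BLOCK_SECONDS=600      # the "xx seconds" window from the post (assumed value)
PATTERN="default.ida"  # request target used by Code Red

codered_rules() {
    # Stage 1 (cheap): a new SYN from a source already in the list is
    # dropped and its timer refreshed. --update only matches addresses
    # that are in the list and were seen within --seconds, so first-time
    # sources fall through to stage 2. Nothing below this rule ever
    # inspects payload from a blocked source.
    $IPT -A INPUT -p tcp --dport 80 --syn \
        -m recent --name "$TABLE" --update --seconds "$BLOCK_SECONDS" -j DROP

    # Stage 2 (expensive): the string match runs only on packets of
    # connections that passed stage 1. The SYN has no payload, so match on
    # the established connection's data, record the source with --set,
    # and drop the packet. (Newer kernels also require "--algo bm" on the
    # string match; the 2003 patch-o-matic syntax from the thread is kept.)
    $IPT -A INPUT -p tcp --dport 80 -m state --state ESTABLISHED \
        -m string --string "$PATTERN" \
        -m recent --name "$TABLE" --set -j DROP
}

codered_rules
```

The ordering is the whole point: the `recent` lookup is a hash-table check per packet, while `--string` scans every byte of payload, so putting the timed block first means a repeating source costs one cheap lookup per SYN instead of a payload scan per request. Spoofed sources would defeat the list (the post notes Code Red is not spoofed), and the list only ever grows by sources that actually sent the pattern, so legitimate clients are never entered.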



