Hello, I've recently had to setup string matching to save a sever that was the subject of a virus DDOS attack, two of the domains on the server were recieving thousands of HTTP Get requests. After setting up a limit rule to slow it down and patch the kernel, I setup a filter like this: iptables -I INPUT -p tcp -d DEST_IP --dport -m string --string "GET /1.jpg" -j DROP iptables -I INPUT -p tcp -d DEST_IP --dport -m string --string "GET /get.php" -j DROP Which dropped the traffic but caused Apache to generate 408 errors for every connection that was made. First question, is there a better or alternate way to do this? I've read people have recommended against string matching before but never found a good alternative. Second, is there a way I can have IP tables on a match insert a DROP rule for the source IP address? I wrote a script which did this based out of -j LOG output but would rather have it run everything automagically. Regards, Erik
