Hi Erik,
You can use mod_security, http://www.modsecurity.org/, to match strings and drop packets for your Apache web server.
An option is to use Iptables for rate limiting and mod_security for string matching and http deny.
This is my tatic, would be keen to hear of any better techniques.
HTH
Kind regards, Rudi.
erikbaar@xxxxxxxxx wrote:
Hello,
I've recently had to setup string matching to save a sever that was the subject of a virus DDOS attack, two of the domains on the server were recieving thousands of HTTP Get requests. After setting up a limit rule to slow it down and patch the kernel, I setup a filter like this:
iptables -I INPUT -p tcp -d DEST_IP --dport -m string --string "GET /1.jpg" -j DROP iptables -I INPUT -p tcp -d DEST_IP --dport -m string --string "GET /get.php" -j DROP
Which dropped the traffic but caused Apache to generate 408 errors for every connection that was made. First question, is there a better or alternate way to do this? I've read people have recommended against string matching before but never found a good alternative. Second, is there a way I can have IP tables on a match insert a DROP rule for the source IP address? I wrote a script which did this based out of -j LOG output but would rather have it run everything automagically.
Regards,
Erik
--
Regards, Rudi.
Internet Media Productions
