
Currently I have all these IPs coming in. Is there a way to find a common string in the content of the packets and then block the attack via IPTables?

Oct 24 16:28:52 host kernel: [  823.255566] Firewall: *SYNFLOOD Blocked* IN=eth0 OUT= MAC= SRC=176.3.80.132 DST=28.7.4.90 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=28861 PROTO=TCP SPT=1234 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 24 16:28:54 host kernel: [  825.252398] Firewall: *SYNFLOOD Blocked* IN=eth0 OUT= MAC= SRC=61.54.230.5 DST=28.7.4.90 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=56117 PROTO=TCP SPT=1234 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 24 16:28:56 host kernel: [  827.249315] Firewall: *SYNFLOOD Blocked* IN=eth0 OUT= MAC= SRC=88.59.138.26 DST=28.7.4.90 LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=43596 PROTO=TCP SPT=1234 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 24 16:28:58 host kernel: [  829.246167] Firewall: *SYNFLOOD Blocked* IN=eth0 OUT= MAC= SRC=40.64.113.72 DST=28.7.4.90 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=2417 PROTO=TCP SPT=1234 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 24 16:29:00 host kernel: [  831.243043] Firewall: *SYNFLOOD Blocked* IN=eth0 OUT= MAC= SRC=128.251.121.17 DST=28.7.4.90 LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=34268 PROTO=TCP SPT=1234 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 24 16:29:02 host kernel: [  833.239921] Firewall: *SYNFLOOD Blocked* IN=eth0 OUT= MAC= SRC=68.242.45.172 DST=28.7.4.90 LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=31174 PROTO=TCP SPT=1234 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 24 16:29:04 host kernel: [  835.236802] Firewall: *SYNFLOOD Blocked* IN=eth0 OUT= MAC= SRC=23.229.207.247 DST=28.7.4.90 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=60655 PROTO=TCP SPT=1234 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 24 16:29:06 host kernel: [  837.233621] Firewall: *SYNFLOOD Blocked* IN=eth0 OUT= MAC= SRC=180.97.21.206 DST=28.7.4.90 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=47914 PROTO=TCP SPT=1234 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 24 16:29:08 host kernel: [  839.230530] Firewall: *SYNFLOOD Blocked* IN=eth0 OUT= MAC= SRC=110.248.74.43 DST=28.7.4.90 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=30942 PROTO=TCP SPT=1234 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0

I can use tcpdump like this, right?

tcpdump -ni eth0 -w file.cap -s 0 -c 1000 not port 80
Jeff Ferland
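The "common string" the question asks for is worth extracting, not as an iptables string match but as a fingerprint of the flood that can be handed to the upstream provider. The following is an added example, not code from the question or any answer on this page: it parses kernel LOG-format lines like the ones above (the first three sample lines are copied from the question, the fourth is a constructed non-flood entry to show filtering) and reports which fields stay constant across distinct source addresses.

```python
import re
from collections import Counter, defaultdict

# Constructed fixture: three SYNFLOOD lines from the question plus one non-flood entry.
SAMPLE_LOG = """\
Oct 24 16:28:52 host kernel: [  823.255566] Firewall: *SYNFLOOD Blocked* IN=eth0 OUT= MAC= SRC=176.3.80.132 DST=28.7.4.90 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=28861 PROTO=TCP SPT=1234 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 24 16:28:54 host kernel: [  825.252398] Firewall: *SYNFLOOD Blocked* IN=eth0 OUT= MAC= SRC=61.54.230.5 DST=28.7.4.90 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=56117 PROTO=TCP SPT=1234 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 24 16:28:56 host kernel: [  827.249315] Firewall: *SYNFLOOD Blocked* IN=eth0 OUT= MAC= SRC=88.59.138.26 DST=28.7.4.90 LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=43596 PROTO=TCP SPT=1234 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 24 16:28:57 host kernel: [  828.100000] Firewall: Accepted IN=eth0 OUT= MAC= SRC=192.0.2.7 DST=28.7.4.90 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=777 PROTO=TCP SPT=40012 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
"""

FLOOD_MARK = "*SYNFLOOD Blocked*"
FIELD_RE = re.compile(r"(\w+)=(\S*)")  # KEY=VALUE tokens; empty values (OUT=, MAC=) allowed


def parse_flood_entry(line):
    """Return the KEY=VALUE fields of one *SYNFLOOD Blocked* line, or None for any other line."""
    if FLOOD_MARK not in line:
        return None
    _, _, tail = line.partition(FLOOD_MARK)
    return dict(FIELD_RE.findall(tail))  # bare flags such as 'SYN' carry no '=' and are skipped


def fingerprint(log_text, ignore=("SRC", "ID", "IN", "OUT", "MAC")):
    """Summarize the flood: distinct sources, fields constant across all entries, fields that vary.

    Fields in `ignore` are expected to differ per packet and are left out of the fingerprint.
    Returns (source_count, constant_fields, varying_fields).
    """
    entries = [e for e in map(parse_flood_entry, log_text.splitlines()) if e]
    sources = {e["SRC"] for e in entries}
    seen = defaultdict(Counter)
    for entry in entries:
        for key, value in entry.items():
            if key not in ignore:
                seen[key][value] += 1
    constant = {k: next(iter(c)) for k, c in seen.items() if len(c) == 1}
    varying = {k: dict(c) for k, c in seen.items() if len(c) > 1}
    return len(sources), constant, varying


if __name__ == "__main__":
    count, constant, varying = fingerprint(SAMPLE_LOG)
    print(f"{count} distinct sources")
    print("constant across the flood:", " ".join(f"{k}={v}" for k, v in constant.items()))
    print("varying:", varying)
```

On the question's lines this reports SPT=1234, WINDOW=5840 and LEN=40 as constant while TTL varies, which is the kind of detail an upstream provider can filter on.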
    Given the comment `*SYNFLOOD Blocked*` it seems to me like the packets are already blocked. Since it is already blocked, I am not sure what you are trying to do. – Zoredache Oct 24 '12 at 21:24

1 Answer


No.

This idea to use a regular expression and iptables to thwart a DDoS is a bad approach to the problem.

You deal with a DDoS by getting your ISP/provider to drop the traffic. Once it's reached your server, it's already accomplished what it set out to do, which is waste resources (bandwidth, processing power, etc.). Using a regex at this point will have no effect on the attack, and only waste more processing power, as well as block traffic on any false positives you detect. So don't do this.

HopelessN00b
    HopelessN00b is right, here. If you're already receiving the packets on your interface, they're still causing you heartburn even if you block them at the firewall, since those packets have still passed on the wire heading to your systems. The better answer is to get your upstream provider to block it, if you can. – Peter Grace Oct 24 '12 at 20:58
  • @HopelessN00b: you don't know if they are sharing any pattern in common because the guy did not show us any packet information. Regular expressions (string module) are proven to solve some complicated DDoS problems ;) Thompson Smith: can you show us some packets (one per host) using the -vvvXX flags on tcpdump? – Hex Oct 24 '12 at 21:11
    @Hex the question, as originally asked, was `Currently I have all these IPs coming in. Is there a way to find a common string in them and then block the attack via IPTables?` And the IPs have no common string in them, hence my original answer to that effect. As the question has been edited to ask the actual question, I've edited my answer accordingly. It's still a bad idea, and for the same reason. – HopelessN00b Oct 24 '12 at 21:13