-2

I need to block certain TCP packets by trying to find a string match in and on them. Is there a way to do that with TCPDump? Or do I need wireshare install on my linux server?

One I have the string IPtables can be used to block a string If I remember correctly.

So far I have:

tcpdump -nn -vvv host 1.2.3.4

and I got:

01:05:19.877633 IP (tos 0x0, ttl 247, id 42359, offset 0, flags [none], proto TCP (6), length 40)
    202.100.175.28.25802 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x4d11), seq 3965212002, win 0, length 0
01:05:19.877742 IP (tos 0x0, ttl 247, id 42408, offset 0, flags [none], proto TCP (6), length 40)
    161.46.154.90.11937 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x4bab), seq 689933859, win 0, length 0
01:05:19.877761 IP (tos 0x0, ttl 247, id 42409, offset 0, flags [none], proto TCP (6), length 40)
    161.46.154.90.11937 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x4bab), seq 689933859, win 0, length 0
01:05:19.877774 IP (tos 0x0, ttl 247, id 42410, offset 0, flags [none], proto TCP (6), length 40)
    161.46.154.90.11937 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x4bab), seq 689933859, win 0, length 0
01:05:19.877786 IP (tos 0x0, ttl 247, id 42411, offset 0, flags [none], proto TCP (6), length 40)
    161.46.154.90.11937 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x4bab), seq 689933859, win 0, length 0
01:05:19.877790 IP (tos 0x0, ttl 247, id 42501, offset 0, flags [none], proto TCP (6), length 40)
    70.128.88.59.32838 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x0c5b), seq 3965212002, win 0, length 0
01:05:19.877806 IP (tos 0x0, ttl 247, id 42421, offset 0, flags [none], proto TCP (6), length 40)
    214.57.59.82.14806 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x6a73), seq 689933859, win 0, length 0
01:05:19.877811 IP (tos 0x0, ttl 247, id 42498, offset 0, flags [none], proto TCP (6), length 40)
    84.202.131.145.51796 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x1325), seq 689933859, win 0, length 0
01:05:19.877824 IP (tos 0x0, ttl 247, id 42423, offset 0, flags [none], proto TCP (6), length 40)
    214.57.59.82.14806 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x6a73), seq 689933859, win 0, length 0
01:05:19.877837 IP (tos 0x0, ttl 247, id 42431, offset 0, flags [none], proto TCP (6), length 40)
    214.57.59.82.14806 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x6a73), seq 689933859, win 0, length 0
01:05:19.877847 IP (tos 0x0, ttl 247, id 42433, offset 0, flags [none], proto TCP (6), length 40)
    214.57.59.82.14806 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x6a73), seq 689933859, win 0, length 0
01:05:19.877856 IP (tos 0x0, ttl 247, id 42437, offset 0, flags [none], proto TCP (6), length 40)
    214.57.59.82.14806 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x6a73), seq 689933859, win 0, length 0
01:05:19.877867 IP (tos 0x0, ttl 247, id 42424, offset 0, flags [none], proto TCP (6), length 40)
    80.188.185.57.48208 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x6516), seq 3965212002, win 0, length 0
01:05:19.877876 IP (tos 0x0, ttl 247, id 42432, offset 0, flags [none], proto TCP (6), length 40)
    80.188.185.57.48208 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x6516), seq 3965212002, win 0, length 0
01:05:19.877885 IP (tos 0x0, ttl 247, id 42440, offset 0, flags [none], proto TCP (6), length 40)
    80.188.185.57.48208 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x6516), seq 3965212002, win 0, length 0
01:05:19.878036 IP (tos 0x0, ttl 247, id 42518, offset 0, flags [none], proto TCP (6), length 40)
    70.128.88.59.32838 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x0c5b), seq 3965212002, win 0, length 0
01:05:19.878060 IP (tos 0x0, ttl 247, id 42530, offset 0, flags [none], proto TCP (6), length 40)
    70.128.88.59.32838 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x0c5b), seq 3965212002, win 0, length 0
01:05:19.878075 IP (tos 0x0, ttl 247, id 42578, offset 0, flags [none], proto TCP (6), length 40)
    32.210.70.16.53792 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x8d66), seq 1934111590, win 0, length 0
01:05:19.878174 IP (tos 0x0, ttl 247, id 42602, offset 0, flags [none], proto TCP (6), length 40)
    113.109.132.187.28017 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x62cf), seq 1934111590, win 0, length 0
01:05:19.878312 IP (tos 0x0, ttl 247, id 42586, offset 0, flags [none], proto TCP (6), length 40)
    32.210.70.16.53792 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x8d66), seq 1934111590, win 0, length 0
01:05:19.878501 IP (tos 0x0, ttl 247, id 42739, offset 0, flags [none], proto TCP (6), length 40)
    57.244.187.18.62521 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0xdd28), seq 1934111590, win 0, length 0
01:05:19.878527 IP (tos 0x0, ttl 247, id 42742, offset 0, flags [none], proto TCP (6), length 40)^C
    57.244.187.18.62521 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0xdd28), seq 1934111590, win 0, length 0

so I do this:

iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 1.2.3.4 -m ttl --ttl-eq=247 -j DROP

Am I on the right track to block a DDoS? So far it does not seem to be working.

Jake Thomas
  • 105
  • 2
  • 3
  • 6
  • You said you wanted to block based on a string, but you haven't used a string in you question example? `tcpdump` will capture packets based on the filter options you provide it. If you want to filter packets by looking for a specific string consider using `ngrep`, it's much better than `tcpdump` for this. If you want to create an `iptables` rules that blocks by a string you need to be more specific. What string, a string within a packet? In the example you have given you are blocking by destination IP. What are you trying to achieve here? If it is DDoS mitigation then yes you can block by a... – jwbensley Apr 18 '13 at 08:57
  • string. Change your `tcpdump` command to something like `tcpdump -nlASX -s 0 -vvv port 80` and assuming these are HTTP requests you could block the string for the HTTP requests. You would need to find something unique about these attacks, a pattern to match, to give you something to filter and block by. – jwbensley Apr 18 '13 at 08:58
  • 1
    Whether or not you're on the right track to block a DDoS depends on how the DDoS is hurting you. For example, if it's hurting you by saturating your inbound bandwidth and this filter is on your side of that link, you're totally on the wrong track because the attack packets have already consumed your inbound bandwidth before you drop them! – David Schwartz Apr 18 '13 at 09:38

2 Answers2

3

I want just to clarify that blocking any type of traffic does not require using traffic capturing tool like tcpdump or wireshark. You need to use a firewall like Linux netfilter.

If you already know the string you want to block, you can use the -m string module in iptables. For example,

sudo iptables -A INPUT -m string --alog bm --string attack_string -j DROP

The above rule appends a new rule to the input chain to drop packets containing attack_string in any position. You need to be careful about using this technique to avoid denying legitimate traffic. You may preferably specify --from and --to for more accurate matching. This is well documented in man iptables.

Khaled
  • 36,533
  • 8
  • 72
  • 99
0

tcpdump is one of the standard tools for this (i.e. looking at packets to find e.g. a string in them). Remember to us the flag -s 0 to capture the entire packet. I usually write the captured packets to a file (e.g. tcpdump -s 0 -w /tmp/tcpdump.out), so I can then read through the file at my leisure (tcpdump -r /tmp/tcpdump.out -A | more).

Jenny D
  • 27,780
  • 21
  • 75
  • 114
  • Tcpdump is a standard tool for blocking packets? I think not. – EEAA Apr 18 '13 at 05:08
  • No, but for reading the packet to find the strings that will then be used in iptables to block the packet. Which was the actual question being asked. – Jenny D Apr 18 '13 at 05:08