[Firewall] Possible to Block POST Attacks by User Agent String?

Alex Aune lists at aewne.net
Fri Sep 13 08:10:28 CEST 2013


On 12.09.2013 19:24, Gene Cooper wrote:
> Hi folks,
> 
> Our web server is under an attack by a botnet with this string showing
> up in the Apache access log (from many IP addresses):
> 
> Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
> 
> Can anyone clue me in as to how we might block this attack?
> 
> Thanks in advance,
> 
> G

Hi Gene,

I imagine you can use something along the lines of:

iptables -t raw -A PREROUTING -m string --algo bm --string "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" -j DROP

Or, based on what's being posted to:

iptables -t raw -A PREROUTING -m string --algo bm --string "POST /path/script.cgi HTTP/1.0" -j DROP

Provided that you have xtables-addons (http://xtables-addons.sourceforge.net)

I haven't tested it as I don't have access to any running web servers at 
the moment, but I've used something similar for filtering torrents based 
on their headers before. That being said, I don't know if this would 
help mitigate the attack.

Regards,
Alex
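The thread above matches on the User-Agent string inside packets. An alternative that a practitioner would usually reach for first is to work from the Apache access log that Gene already has: pick out the source addresses that actually sent the offending POSTs and block those addresses, rather than the UA text. The script below is an added example written for this page, not code from either poster; the log lines are constructed, the path /path/script.cgi is taken from Alex's second rule, and the hit threshold before a rule is emitted is an assumption.

```shell
#!/bin/sh
# Added example (not from the original thread): find the client IPs that
# sent POST requests carrying the reported User-Agent, counted from Apache
# "combined" format log lines, and emit per-IP iptables DROP rules.

UA='Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)'

# Constructed sample log for the example. Two hosts POST with the botnet UA,
# one host only GETs with that UA (a legitimate IE6 visitor), and one host
# POSTs with a different UA. The path /path/script.cgi is assumed.
SAMPLE_LOG='203.0.113.10 - - [12/Sep/2013:19:01:02 +0200] "POST /path/script.cgi HTTP/1.0" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.11 - - [12/Sep/2013:19:01:03 +0200] "POST /path/script.cgi HTTP/1.0" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
198.51.100.7 - - [12/Sep/2013:19:01:04 +0200] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.10 - - [12/Sep/2013:19:01:05 +0200] "POST /path/script.cgi HTTP/1.0" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
192.0.2.44 - - [12/Sep/2013:19:01:06 +0200] "POST /path/script.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/23.0"'

# attacker_ips LOGTEXT UA
# Prints "<count> <ip>" for every client that sent a POST whose line carries
# the given User-Agent, most active client first. In combined format $1 is
# the client IP and $6 is the opening quote plus the request method.
attacker_ips() {
    printf '%s\n' "$1" | awk -v ua="$2" '
        $6 == "\"POST" && index($0, ua) > 0 { hits[$1]++ }
        END { for (ip in hits) printf "%d %s\n", hits[ip], ip }
    ' | sort -rn
}

# drop_rules LOGTEXT UA MINHITS
# Emits one iptables rule per client that reached MINHITS matching POSTs.
# The rules are printed, not executed, so they can be reviewed first.
drop_rules() {
    attacker_ips "$1" "$2" | awk -v min="$3" '
        $1 >= min {
            printf "iptables -I INPUT -p tcp --dport 80 -s %s -j DROP\n", $2
        }'
}

# Stand-alone run: block any client with at least 2 matching POSTs
# (threshold is an assumption; tune it to the real log volume).
drop_rules "$SAMPLE_LOG" "$UA" 2
```

Two caveats on the packet-level approach in the thread that this sidesteps: an iptables string match inspects one packet at a time, so a header that straddles a TCP segment boundary is not seen and TLS traffic cannot be matched at all; and dropping on that User-Agent alone also drops every genuine IE 6 on Windows XP visitor, which the log-driven per-IP list above avoids. The string match itself (xt_string) is part of the mainline netfilter tree, so it does not depend on xtables-addons.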

