[Firewall] Possible to Block POST Attacks by User Agent String?

Alex Aune lists at aewne.net
Fri Sep 13 12:01:47 CEST 2013

On 13.09.2013 08:10, Alex Aune wrote:
> On 12.09.2013 19:24, Gene Cooper wrote:
>> Hi folks,
>> Our web server is under an attack by a botnet with this string showing
>> up in the Apache access log (from many IP addresses):
>> Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
>> Can anyone clue me in as to how we might block this attack?
>> Thanks in advance,
>> G
> Hi Gene,
> I imagine you can use something along the lines of:
> iptables -t raw -A PREROUTING -m string --algo bm --string "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" -j DROP
> Or, based on what's being posted to:
> iptables -t raw -A PREROUTING -m string --algo bm --string "POST /path/script.cgi HTTP/1.0" -j DROP
> Provided that you have xtables-addons 
> (http://xtables-addons.sourceforge.net)
> I haven't tested it as I don't have access to any running webservers
> at the moment, but I've used something similar for filtering torrents
> based on their headers before. That being said, I don't know if this
> would help mitigate the attack though.
> Regards,
> Alex

Actually, after doing some digging it turns out you don't need xtables 
to use the string module.

On another note, I set up an Apache server and the rule provided did seem 
to work. Whether it's effective when handling huge amounts of traffic 
from a botnet is still unknown to me though. As is what kind of 
performance hit this type of filtering on a massive scale causes.
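To size the attack before dropping anything, an added example (not part of the thread, and not Alex's or Gene's code): it parses constructed Apache combined-format log lines, counts POST requests carrying the quoted User-Agent per source IP, and builds the iptables string-match rule from the thread; the `-p tcp --dport 80` narrowing is an assumption added here so the rule is only evaluated on web traffic. Note that `-m string` inspects one packet at a time, so the pattern only matches when it sits entirely inside a single segment.

```python
import re
import shlex
from collections import Counter

# Constructed sample log lines in Apache combined format (not from the thread).
SAMPLE_LOG = """\
10.0.0.1 - - [12/Sep/2013:19:00:01 +0200] "POST /path/script.cgi HTTP/1.0" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.0.0.2 - - [12/Sep/2013:19:00:02 +0200] "POST /path/script.cgi HTTP/1.0" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.0.0.1 - - [12/Sep/2013:19:00:03 +0200] "POST /path/script.cgi HTTP/1.0" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
192.0.2.7 - - [12/Sep/2013:19:00:04 +0200] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/23.0"
"""

# The User-Agent string Gene reported in the original post.
BOT_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

# Apache "combined" LogFormat: ip ident user [time] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d+ \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the named groups of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def bot_requests(log_text, ua=BOT_UA, method="POST"):
    """Count requests per source IP whose method and User-Agent match exactly."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == method and rec["ua"] == ua:
            hits[rec["ip"]] += 1
    return hits


def iptables_string_rule(pattern, dport=80):
    """Build the raw-table string-match DROP rule from the thread.

    The pattern is shell-quoted so parentheses and semicolons survive intact.
    """
    return (f"iptables -t raw -A PREROUTING -p tcp --dport {dport} "
            f"-m string --algo bm --string {shlex.quote(pattern)} -j DROP")


if __name__ == "__main__":
    for ip, n in bot_requests(SAMPLE_LOG).most_common():
        print(f"{ip:15} {n} matching POSTs")
    print(iptables_string_rule(BOT_UA))
```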

