[Firewall] Possible to Block POST Attacks by User Agent String?

Gene Cooper gcooper at sonoracomm.com
Fri Sep 13 18:30:21 CEST 2013

OK, thanks very much for the tip.

Yesterday, I used the .htaccess file on the web server to block the POST 
attacks, which worked, more or less.

The attack does continue unabated, even though the web server is handing 
out 403 errors.  My Apache logs are still being trashed but CPU 
utilization is back down to normal.

I'll look into the xtables addon too.  I'm not aware of what it is.



On 09/12/2013 11:10 PM, Alex Aune wrote:
> On 12.09.2013 19:24, Gene Cooper wrote:
>> Hi folks,
>> Our web server is under an attack by a botnet with this string showing
>> up in the Apache access log (from many IP addresses):
>> Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
>> Can anyone clue me in as to how we might block this attack?
>> Thanks in advance,
>> G
> Hi Gene,
> I imagine you can use something along the lines of:
> iptables -t raw -A PREROUTING -m string --algo bm --string "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" -j DROP
> Or, based on what's being posted to:
> iptables -t raw -A PREROUTING -m string --algo bm --string "POST /path/script.cgi HTTP/1.0" -j DROP
> Provided that you have xtables-addons
> (http://xtables-addons.sourceforge.net)
> I haven't tested it as I don't have access to any running webservers at
> the moment, but I've used something similar for filtering torrents based
> on their headers before. That being said, I don't know if this would
> help mitigate the attack though.
> Regards,
> Alex
> _______________________________________________
> Firewall mailing list
> Firewall at rocky.eld.leidenuniv.nl
> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
> Arno's (Linux IPTABLES Firewall) Homepage:
> http://rocky.eld.leidenuniv.nl


Gene Cooper
Sonora Communications, Inc.
936 W. Prince Road
Tucson, AZ 85705

(520)407-2000 x101
(520)888-4060 fax
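The thread above blocks on a User-Agent string either in .htaccess (Apache still parses every request and logs a 403) or with an iptables string match. A third option, added here as an example and not code from Gene's or Alex's messages, is to harvest the offending source addresses from the access log and drop them by address at the firewall, so neither the handshake nor the POST reaches Apache at all. The log lines, addresses and URL below are constructed for illustration, and the ipset name "botnet" is an assumption; the script only prints the ipset/iptables commands rather than running them.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Extract source IPs that
# sent a POST with the quoted botnet User-Agent from Apache combined-format
# log lines, then print the ipset/iptables commands that would drop them.

BAD_UA='Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)'

# Constructed sample log in Apache "combined" format (IPs and path are made up).
# Two attackers, one GET with the same UA (not blocked) and one unrelated POST.
SAMPLE_LOG='203.0.113.10 - - [12/Sep/2013:19:01:02 +0200] "POST /path/script.cgi HTTP/1.0" 403 212 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.10 - - [12/Sep/2013:19:01:03 +0200] "POST /path/script.cgi HTTP/1.0" 403 212 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
198.51.100.7 - - [12/Sep/2013:19:01:03 +0200] "POST /path/script.cgi HTTP/1.0" 403 212 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
192.0.2.44 - - [12/Sep/2013:19:01:04 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
192.0.2.99 - - [12/Sep/2013:19:01:05 +0200] "POST /contact.php HTTP/1.1" 200 310 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/23.0"'

# attacker_ips: read log lines on stdin; print each client IP (unique, most
# requests first) that sent a POST carrying exactly the bad User-Agent.
attacker_ips() {
    awk -v ua="$BAD_UA" '
        # Field 6 is the HTTP method with the opening quote of the request line.
        $6 == "\"POST" {
            # Splitting on double quotes puts the User-Agent in q[6].
            n = split($0, q, "\"")
            if (n >= 6 && q[6] == ua) count[$1]++
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -k1,1nr -k2,2 | awk '{ print $2 }'
}

# block_cmds: read IPs on stdin; print the commands that would drop their
# traffic in the raw table before conntrack or Apache ever sees it. Nothing is
# executed here; pipe the output into sh on the firewall to apply it.
# Set name "botnet" is an assumption for this example.
block_cmds() {
    echo "ipset create botnet hash:ip -exist"
    # Insert the DROP rule only if it is not already present (-C checks).
    echo "iptables -t raw -C PREROUTING -m set --match-set botnet src -j DROP 2>/dev/null || iptables -t raw -I PREROUTING -m set --match-set botnet src -j DROP"
    while read -r ip; do
        echo "ipset add botnet $ip -exist"
    done
}

# Stand-alone run: show which addresses would be blocked and the commands.
printf '%s\n' "$SAMPLE_LOG" | attacker_ips | block_cmds
```

Two caveats worth keeping in mind with the string-match approach from the thread: the `--string` argument has to be on one line (the wrapped form in the mail will not parse), and a payload match can only fire on the packet that carries the User-Agent, so the TCP handshake has already completed by then; dropping by source address, as above, also stops the SYNs. Blocking on the User-Agent alone is coarse (legitimate MSIE 6 clients match too), which is why the example keys on POST plus the exact string and leaves the GET from 192.0.2.44 alone.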
