[Firewall] Possible to Block POST Attacks by User Agent String?

Lonnie Abelbeck lists at lonnie.abelbeck.com
Fri Sep 13 20:18:51 CEST 2013


Hi Alex and Gene,

First, thanks to Alex for the useful suggestion. Alex, may I ask why you are using the 'raw' PREROUTING table to drop the packets? Would some say only NOTRACK is a proper target in that table? I'd be interested in your comments.

Gene, when creating a custom-rule for AIF, pending Alex's response, I'd suggest using the 'filter' INPUT / FORWARD chain for your rule, for example something like:

-- /etc/arno-iptables-firewall/custom-rules --
match_string='Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)'
echo "[CUSTOM RULE] Drop incoming packet matches of string: $match_string"
iptables -A INPUT -m string --algo bm --string "$match_string" -j DROP
iptables -A FORWARD -m string --algo bm --string "$match_string" -j DROP
--
Note: If the web server is on the AIF box, only use INPUT, else only use FORWARD for efficiency.

Note: Adding with -A is fine since the chains are flushed when the custom-rules script is called.

You might also look into adding a "--to offset" value to limit the depth of the search in the packet to make the string matching more efficient.

Lonnie


On Sep 13, 2013, at 12:06 PM, Gene Cooper wrote:

> Alex,
> 
> Thanks again for the tips.
> 
> After determining that xtables-addons is not available for CentOS 5, I dug into it a bit and I didn't see why your suggested commands would not work.
> 
> So I just tried the first one (User Agent string) verbatim from the command line and it seems to work perfectly.
> 
> Now I have to add it to Arno's FW (though I have never tried adding custom commands to AFW before).
> 
> THANKS!
> 
> G
> 
> On 09/13/2013 09:30 AM, Gene Cooper wrote:
>> OK, thanks very much for the tip.
>> 
>> Yesterday, I used the .htaccess file on the web server to block the POST
>> attacks, which worked, more or less.
>> 
>> The attack does continue unabated, even though the web server is handing
>> out 403 errors.  My Apache logs are still being trashed but CPU
>> utilization is back down to normal.
>> 
>> I'll look into the xtables addon too.  I'm not aware of what it is.
>> 
>> Thanks,
>> 
>> G
>> 
>> On 09/12/2013 11:10 PM, Alex Aune wrote:
>>> On 12.09.2013 19:24, Gene Cooper wrote:
>>>> Hi folks,
>>>> 
>>>> Our web server is under an attack by a botnet with this string showing
>>>> up in the Apache access log (from many IP addresses):
>>>> 
>>>> Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
>>>> 
>>>> Can anyone clue me in as to how we might block this attack?
>>>> 
>>>> Thanks in advance,
>>>> 
>>>> G
>>> 
>>> Hi Gene,
>>> 
>>> I imagine you can use something along the lines of:
>>> iptables -t raw -A PREROUTING -m string --algo bm --string "Mozilla/4.0
>>> (compatible; MSIE 6.0; Windows NT 5.1; SV1)" -j DROP
>>> Or, based on what's being posted to:
>>> iptables -t raw -A PREROUTING -m string --algo bm --string "POST
>>> /path/script.cgi HTTP/1.0" -j DROP
>>> Provided that you have xtables-addons
>>> (http://xtables-addons.sourceforge.net)
>>> 
>>> I haven't tested it as I don't have access to any running webservers at
>>> the moment, but I've used something similar for filtering torrents based
>>> on their headers before. That being said, I don't know if this would
>>> help mitigate the attack though.
>>> 
>>> Regards,
>>> Alex
>>> _______________________________________________
>>> Firewall mailing list
>>> Firewall at rocky.eld.leidenuniv.nl
>>> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
>>> Arno's (Linux IPTABLES Firewall) Homepage:
>>> http://rocky.eld.leidenuniv.nl
>>> 
>> 
> 
> -- 
> 
> ===========================
> Gene Cooper
> Sonora Communications, Inc.
> 936 W. Prince Road
> Tucson, AZ 85705
> 
> (520)407-2000 x101
> (520)888-4060 fax
> 
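As an added, defender-side illustration that is not part of this thread, of AIF or of xtables-addons: a small Python script that parses Apache combined-format access log lines, counts which client addresses are sending POSTs carrying the User-Agent string above, and computes how deep into an HTTP request that string ends, which is the kind of figure to look at before picking a "--to" offset for the string match. The sample log lines and sample request are constructed for the example (RFC 5737 documentation addresses), and the function names (`flood_sources`, `ua_end_offset`) are assumptions, not anything from Arno's firewall.

```python
import re
from collections import Counter

# The User-Agent string reported in the thread.
UA_STRING = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

# Apache "combined" LogFormat (assumed):
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines: three flood POSTs (already answered with 403,
# as in the thread) from two addresses, plus one ordinary GET.
SAMPLE_LOG = """\
203.0.113.10 - - [13/Sep/2013:09:01:02 -0700] "POST /path/script.cgi HTTP/1.0" 403 212 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
198.51.100.7 - - [13/Sep/2013:09:01:03 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/23.0"
203.0.113.10 - - [13/Sep/2013:09:01:04 -0700] "POST /path/script.cgi HTTP/1.0" 403 212 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
192.0.2.55 - - [13/Sep/2013:09:01:05 -0700] "POST /path/script.cgi HTTP/1.0" 403 212 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
"""

# Constructed minimal HTTP request of the kind the bots would send.
SAMPLE_REQUEST = (
    b"POST /path/script.cgi HTTP/1.0\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def flood_sources(log_text, ua=UA_STRING, method="POST"):
    """Count, per client IP, the requests whose method matches and whose
    User-Agent contains the suspect string (substring, like iptables -m string)."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == method and ua in rec["ua"]:
            hits[rec["ip"]] += 1
    return hits


def ua_end_offset(request, ua=UA_STRING):
    """Byte offset just past the end of the UA string inside an HTTP request,
    or -1 if the string is absent. The string match can only see the pattern
    if its --to offset reaches at least this far into the scanned data."""
    idx = request.find(ua.encode())
    return -1 if idx < 0 else idx + len(ua)


if __name__ == "__main__":
    for ip, n in flood_sources(SAMPLE_LOG).most_common():
        print(f"{ip:16} {n} matching POSTs")
    print("UA string ends at byte", ua_end_offset(SAMPLE_REQUEST), "of the HTTP request")
```

The offset returned by `ua_end_offset` counts from the start of the HTTP request, whereas the kernel's string match scans from the start of the packet data it is handed, so leave headroom for the IP and TCP headers and for any request headers a client sends before User-Agent; the figure is a lower bound to reason from, not a value to paste into "--to". The per-IP counts are the same thing the Apache log already holds, just aggregated, which is useful for judging how widely spread the botnet is before deciding whether a string match or an address-based block is the better fit.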
