[Firewall] Possible to Block POST Attacks by User Agent String?

Gene Cooper gcooper at sonoracomm.com
Fri Sep 13 20:23:41 CEST 2013


Sorry about the double posting.

I spoke too soon about the firewall commands.

The text strings are too generic (POST and UA) and too much valid 
traffic was being blocked, so I'm giving up on the firewall commands for 
now, leaving the web server to deal with it (403 forbidden based on UA 
string).

Hopefully the botnet will give up soon.

This has been more difficult than previous attacks...

Thanks,

G

On 09/13/2013 10:06 AM, Gene Cooper wrote:
> Alex,
>
> Thanks again for the tips.
>
> After determining that xtables-addons is not available for CentOS 5, I
> dug into it a bit and I didn't see why your suggested commands would not
> work.
>
> So I just tried the first one (User Agent string) verbatim from the
> command line and it seems to work perfectly.
>
> Now I have to add it to Arno's FW (though I have never tried adding
> custom commands to AFW before).
>
> THANKS!
>
> G
>
> On 09/13/2013 09:30 AM, Gene Cooper wrote:
>> OK, thanks very much for the tip.
>>
>> Yesterday, I used the .htaccess file on the web server to block the POST
>> attacks, which worked, more or less.
>>
>> The attack does continue unabated, even though the web server is handing
>> out 403 errors.  My Apache logs are still being trashed but CPU
>> utilization is back down to normal.
>>
>> I'll look into the xtables addon too.  I'm not aware of what it is.
>>
>> Thanks,
>>
>> G
>>
>> On 09/12/2013 11:10 PM, Alex Aune wrote:
>>> On 12.09.2013 19:24, Gene Cooper wrote:
>>>> Hi folks,
>>>>
>>>> Our web server is under an attack by a botnet with this string showing
>>>> up in the Apache access log (from many IP addresses):
>>>>
>>>> Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
>>>>
>>>> Can anyone clue me in as to how we might block this attack?
>>>>
>>>> Thanks in advance,
>>>>
>>>> G
>>>
>>> Hi Gene,
>>>
>>> I imagine you can use something along the lines of:
>>>
>>>   iptables -t raw -A PREROUTING -m string --algo bm \
>>>     --string "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" -j DROP
>>>
>>> Or, based on what's being posted to:
>>>
>>>   iptables -t raw -A PREROUTING -m string --algo bm \
>>>     --string "POST /path/script.cgi HTTP/1.0" -j DROP
>>>
>>> Provided that you have xtables-addons
>>> (http://xtables-addons.sourceforge.net)
>>>
>>> I haven't tested it as I don't have access to any running webservers at
>>> the moment, but I've used something similar for filtering torrents based
>>> on their headers before. That being said, I don't know if this would
>>> help mitigate the attack though.
>>>
>>> Regards,
>>> Alex
>>> _______________________________________________
>>> Firewall mailing list
>>> Firewall at rocky.eld.leidenuniv.nl
>>> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
>>> Arno's (Linux IPTABLES Firewall) Homepage:
>>> http://rocky.eld.leidenuniv.nl
>>>
>>
>

-- 

===========================
Gene Cooper
Sonora Communications, Inc.
936 W. Prince Road
Tucson, AZ 85705

(520)407-2000 x101
(520)888-4060 fax
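The thread ends with the payload-string rules dropped because bare "POST" and the User-Agent text matched too much legitimate traffic, while the web server's 403 response by UA string still left the log being flooded. The script below is an added example, not code from the thread or from Arno's firewall: rather than inspecting every packet for a substring, it mines the Apache access log for source addresses that repeatedly POST with the botnet's User-Agent and emits per-IP DROP rules for them. The combined log format, the threshold of 3 requests, and the sample log lines (203.0.113.0/24 documentation addresses) are assumptions constructed for the example; only the User-Agent string and the script path come from the thread.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): block botnet members
# by source address, derived from the access log, instead of matching
# "POST" or the User-Agent text inside every packet with -m string.
# Assumptions not taken from the page: Apache combined log format, the
# threshold below, and the constructed sample log.

UA='Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)'
THRESHOLD=3   # assumed for the example; tune to the real request rate

# Constructed sample of an Apache combined-format access log.
#   203.0.113.10 and .12 : repeated POSTs with the UA      -> block
#   203.0.113.11         : GETs with the same UA (real IE6) -> keep
#   203.0.113.13         : one POST with the UA, under threshold -> keep
#   203.0.113.14         : POSTs with a different UA        -> keep
SAMPLE_LOG='203.0.113.10 - - [13/Sep/2013:10:00:01 +0200] "POST /path/script.cgi HTTP/1.0" 403 199 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.11 - - [13/Sep/2013:10:00:02 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.12 - - [13/Sep/2013:10:00:02 +0200] "POST /path/script.cgi HTTP/1.0" 403 199 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.10 - - [13/Sep/2013:10:00:03 +0200] "POST /path/script.cgi HTTP/1.0" 403 199 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.14 - - [13/Sep/2013:10:00:03 +0200] "POST /contact.php HTTP/1.1" 200 310 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/23.0"
203.0.113.12 - - [13/Sep/2013:10:00:04 +0200] "POST /path/script.cgi HTTP/1.0" 403 199 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.13 - - [13/Sep/2013:10:00:04 +0200] "POST /path/script.cgi HTTP/1.0" 403 199 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.11 - - [13/Sep/2013:10:00:05 +0200] "GET /style.css HTTP/1.1" 200 812 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.12 - - [13/Sep/2013:10:00:05 +0200] "POST /path/script.cgi HTTP/1.0" 403 199 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.10 - - [13/Sep/2013:10:00:06 +0200] "POST /path/script.cgi HTTP/1.0" 403 199 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.14 - - [13/Sep/2013:10:00:06 +0200] "POST /contact.php HTTP/1.1" 200 310 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/23.0"
203.0.113.12 - - [13/Sep/2013:10:00:07 +0200] "POST /path/script.cgi HTTP/1.0" 403 199 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"'

# Print the source IPs that sent at least $2 POST requests carrying exactly
# the User-Agent $1. Reads the log on stdin; prints one IP per line, sorted.
abusive_ips() {
  awk -v ua="$1" -v min="$2" '
    # In combined format $1 is the client IP and $6 is the opening quote of
    # the request line followed by the method. The UA is the last quoted
    # field, so we look for it wrapped in its own quotes (exact match, not
    # a substring of some other UA).
    $6 == "\"POST" && index($0, "\"" ua "\"") > 0 { count[$1]++ }
    END { for (ip in count) if (count[ip] >= min) print ip }
  ' | sort
}

# Turn the IP list on stdin into iptables commands. Nothing is executed
# here: review the output, then pipe it to sh on the firewall host.
emit_rules() {
  while read -r ip; do
    printf 'iptables -I INPUT -p tcp --dport 80 -s %s -j DROP\n' "$ip"
  done
}

printf '%s\n' "$SAMPLE_LOG" | abusive_ips "$UA" "$THRESHOLD" | emit_rules
```

On a live server replace the sample with `tail -n 50000 /var/log/httpd/access_log` (or whatever the log path is) and run it from cron. With hundreds of botnet addresses, a single `-m set --match-set` rule backed by an ipset is cheaper than one iptables rule per IP, but the per-IP form above works on older hosts without ipset. If payload matching is still wanted, at least restrict the rule to `-p tcp --dport 80` so that only web traffic is scanned and match the full request line (`"POST /path/script.cgi HTTP/1.0"`) rather than the bare method; note that the string match itself (`xt_string`) ships with the mainline kernel, which is why the verbatim command worked on CentOS 5 without xtables-addons.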
