debian - IPTables hex string match to mitigate DoS attack
A server of mine has been under DoS attacks for the past few weeks. They've started randomizing the source, so I can't drop packets by source IP anymore.
Here are a few of the packets from tcpdump:
23:58:32.229878 IP (tos 0x0, ttl 242, id 21915, offset 0, flags [none], proto UDP (17), length 42)
    31.196.24.4.23360 > x.44463: [udp sum ok] UDP, length 14
        0x0000:  4500 002a 559b 0000 f211 2c4a 1fc4 1804  E..*U.....,J....
        0x0010:  17eb f72a 5b40 adaf 0016 2e87 0001 0000  ...*[@..........
        0x0020:  0002 58b0 26ca 0000 01f0 0000 0000       ..X.&.........
00:09:46.648582 IP (tos 0x0, ttl 119, id 31037, offset 0, flags [none], proto UDP (17), length 35)
    98.165.122.244.64929 > x.44463: [udp sum ok] UDP, length 7
        0x0000:  4500 0023 793d 0000 7711 dddd 62a5 7af4  E..#y=..w...b.z.
        0x0010:  17eb f72a fda1 adaf 000f 393f 0015 cf4f  ...*......9?...O
        0x0020:  082b 5700 0000 0000 0000 0000 0000       .+W...........
00:15:26.680685 IP (tos 0x0, ttl 242, id 50739, offset 0, flags [none], proto UDP (17), length 42)
    93.187.72.7.15772 > x.44463: [udp sum ok] UDP, length 14
        0x0000:  4500 002a c633 0000 f211 4db7 5dbb 4807  E..*.3....M.].H.
        0x0010:  17eb f72a 3d9c adaf 0016 de30 0001 0000  ...*=......0....
        0x0020:  0002 58b0 26ca 0000 01f0 0000 0000       ..X.&.........
00:30:52.615474 IP (tos 0x0, ttl 242, id 14833, offset 0, flags [none], proto UDP (17), length 42)
    73.183.53.2.22109 > x.44463: [udp sum ok] UDP, length 14
        0x0000:  4500 002a 39f1 0000 f211 0103 49b7 3502  E..*9.......I.5.
        0x0010:  17eb f72a 565d adaf 0016 ec78 0001 0000  ...*V].....x....
        0x0020:  0002 58b0 26ca 0000 01f0 0000 0000       ..X.&.........
00:30:45.109025 IP (tos 0x0, ttl 242, id 30860, offset 0, flags [none], proto UDP (17), length 42)
    88.155.91.9.24065 > x.44463: [udp sum ok] UDP, length 14
        0x0000:  4500 002a 788c 0000 f211 8d7c 589b 5b09  E..*x......|X.[.
        0x0010:  17eb f72a 5e01 adaf 0016 afe9 0001 0000  ...*^...........
        0x0020:  0002 58b0 26ca 0000 01f0 0000 0000       ..X.&.........
00:30:41.614592 IP (tos 0x0, ttl 242, id 65181, offset 0, flags [none], proto UDP (17), length 42)
    72.178.45.8.56959 > x.44463: [udp sum ok] UDP, length 14
        0x0000:  4500 002a fe9d 0000 f211 4555 48b2 2d08  E..*......EUH.-.
        0x0010:  17eb f72a de7f adaf 0016 6d55 0001 0000  ...*......mU....
        0x0020:  0002 58b0 26ca 0000 01f0 0000 0000       ..X.&.........
00:49:40.533446 IP (tos 0x0, ttl 242, id 43365, offset 0, flags [none], proto UDP (17), length 42)
    35.154.12.7.44781 > x.44463: [udp sum ok] UDP, length 14
        0x0000:  4500 002a a965 0000 f211 e0a6 239a 0c07  E..*.e......#...
        0x0010:  17eb f72a aeed adaf 0016 e300 0001 0000  ...*............
        0x0020:  0002 58b0 26ca 0000 01f0 0000 0000       ..X.&.........
Commonly the packets have a length of 42 bytes, though as you can see, not always.
The other commonality: at offset 0x010, I see the same pattern, 17eb f72a.
The rule I've put in place to try to match this is:
-A INPUT -i eth1 -p udp --dport 44463 -m string --to 42 --algo kmp --hex-string '|17ebf72a|' -j DROP
However, the packets do not seem to be matched against the rule, and they are still disrupting the service on that port.
Can anyone perhaps explain what I might be doing incorrectly here?
I solved it myself, so I figured I'd post the solution.
I used the u32 module instead of hex string matching. For this particular issue I used the following rule:
-A INPUT -i eth1 -p udp -d x -m u32 --u32 "16 & 0xffffffff = 0x17ebf72a" -m u32 --u32 "22 & 0xffffffff = 0xadaf0016" -m u32 --u32 "34 & 0xffffffff = 0x58b026ca" -j DROP
This seems to drop most of the traffic. It's not perfect (as you can see in the dump above, the uint at offset 22 is different in one packet), as these packets are masquerading as legit data.
But I digress; in the context of the question posed, u32 worked better than hex string matching.
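An offline re-check of both rules from this thread against the seven captured packets, as an added example that is not part of the original question or answer. It takes the hex columns of the dump above (tcpdump -x prints from the start of the IPv4 header, which is also where -m u32 and -m string offsets count from in the INPUT chain), trims each packet to its IP total length the way the IP receive path does, models the "offset & mask = value" semantics of u32 (a 32-bit read past the end of the packet never matches) and the --from/--to window of the string match, and decodes what each tested offset lands on in an options-free IPv4/UDP packet: bytes 16..19 are the destination address field, 22..25 are the UDP destination port and UDP length, and 34..37 are payload bytes 6..9. The packet list and the rule constants are copied from the thread; the parsing and matching logic is this example's own approximation of the kernel modules, not code from either.

```python
"""Re-evaluate the thread's -m string and -m u32 rules against the captured packets."""
import struct

# Hex columns of the seven packets in the tcpdump output above, copied verbatim
# (46 bytes each: the IP packet plus Ethernet trailer padding, as tcpdump showed).
CAPTURED = [
    "4500 002a 559b 0000 f211 2c4a 1fc4 1804 17eb f72a 5b40 adaf 0016 2e87 0001 0000 0002 58b0 26ca 0000 01f0 0000 0000",
    "4500 0023 793d 0000 7711 dddd 62a5 7af4 17eb f72a fda1 adaf 000f 393f 0015 cf4f 082b 5700 0000 0000 0000 0000 0000",
    "4500 002a c633 0000 f211 4db7 5dbb 4807 17eb f72a 3d9c adaf 0016 de30 0001 0000 0002 58b0 26ca 0000 01f0 0000 0000",
    "4500 002a 39f1 0000 f211 0103 49b7 3502 17eb f72a 565d adaf 0016 ec78 0001 0000 0002 58b0 26ca 0000 01f0 0000 0000",
    "4500 002a 788c 0000 f211 8d7c 589b 5b09 17eb f72a 5e01 adaf 0016 afe9 0001 0000 0002 58b0 26ca 0000 01f0 0000 0000",
    "4500 002a fe9d 0000 f211 4555 48b2 2d08 17eb f72a de7f adaf 0016 6d55 0001 0000 0002 58b0 26ca 0000 01f0 0000 0000",
    "4500 002a a965 0000 f211 e0a6 239a 0c07 17eb f72a aeed adaf 0016 e300 0001 0000 0002 58b0 26ca 0000 01f0 0000 0000",
]

# The three "offset & mask = value" terms of the answer's rule.
U32_TERMS = [(16, 0xFFFFFFFF, 0x17EBF72A), (22, 0xFFFFFFFF, 0xADAF0016), (34, 0xFFFFFFFF, 0x58B026CA)]
# The question's string rule: pattern |17ebf72a|, scanned up to --to 42.
STRING_PATTERN = bytes.fromhex("17ebf72a")
STRING_TO = 42


def parse_hex_dump(words: str) -> bytes:
    """Turn a tcpdump -x hex column into the IP packet as the kernel sees it:
    the IP receive path trims link-layer padding to the IP total length (bytes 2..3)."""
    raw = bytes.fromhex(words.replace(" ", ""))
    total_len = struct.unpack_from("!H", raw, 2)[0]
    return raw[:total_len]


def u32_term(pkt: bytes, offset: int, mask: int, value: int) -> bool:
    """One u32 term: read a big-endian 32-bit word at `offset` from the start of
    the IP header, AND it with `mask`, compare with `value`. xt_u32 fails the
    match (rather than reading garbage) if the word does not fit in the packet."""
    if offset + 4 > len(pkt):
        return False
    word = struct.unpack_from("!I", pkt, offset)[0]
    return (word & mask) == value


def u32_rule_matches(pkt: bytes) -> bool:
    """All three -m u32 clauses of the answer's rule must hold (matches are ANDed)."""
    return all(u32_term(pkt, off, mask, val) for off, mask, val in U32_TERMS)


def string_rule_matches(pkt: bytes, pattern: bytes = STRING_PATTERN, frm: int = 0, to: int = STRING_TO) -> bool:
    """-m string semantics: the pattern must be found at some position p with
    frm <= p and p + len(pattern) - 1 <= to (and, of course, inside the packet)."""
    last = min(to - len(pattern) + 1, len(pkt) - len(pattern))
    return any(pkt[p:p + len(pattern)] == pattern for p in range(frm, last + 1))


def decode_fields(pkt: bytes) -> dict:
    """Show what the offsets used by the rules correspond to in an IPv4/UDP packet
    without IP options (IHL = 5, so the UDP header starts at byte 20)."""
    ihl = (pkt[0] & 0x0F) * 4
    udp_len = struct.unpack_from("!H", pkt, ihl + 4)[0]
    return {
        "dst_addr_word": struct.unpack_from("!I", pkt, 16)[0],   # bytes 16..19: IP destination address
        "udp_dport": struct.unpack_from("!H", pkt, ihl + 2)[0],  # bytes 22..23: UDP destination port
        "udp_len": udp_len,                                      # bytes 24..25: UDP length (header + payload)
        "payload": pkt[ihl + 8:ihl + udp_len],                   # byte 28 onward; rule offset 34 is payload byte 6
    }


def evaluate(rule) -> list:
    """Apply a rule function to every captured packet; True means the rule would DROP it."""
    return [rule(parse_hex_dump(h)) for h in CAPTURED]


if __name__ == "__main__":
    for i, h in enumerate(CAPTURED, 1):
        pkt = parse_hex_dump(h)
        f = decode_fields(pkt)
        print(f"packet {i}: len={len(pkt)} dst=0x{f['dst_addr_word']:08x} dport={f['udp_dport']} "
              f"udp_len={f['udp_len']} payload={f['payload'].hex()} "
              f"string={string_rule_matches(pkt)} u32={u32_rule_matches(pkt)}")
```

Run as a script it prints one line per packet with the decoded fields and both verdicts: the string rule matches all seven (the pattern at offset 16 is the destination address, present in every packet sent to this host), while the u32 rule drops six and lets the 35-byte packet through, because its bytes 22..25 are adaf 000f and it is too short for a 32-bit read at offset 34. The same three conditions could also be written as a single u32 expression joined with `&&` instead of three -m u32 clauses.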