debian - IPTables hex string match to mitigate DoS attack


A server of mine has been under DoS attacks for the past few weeks. They've started randomizing the source, so I can't drop packets by source IP anymore.

Here are a few of the packets from tcpdump:

23:58:32.229878 IP (tos 0x0, ttl 242, id 21915, offset 0, flags [none], proto UDP (17), length 42)
    31.196.24.4.23360 > x.44463: [udp sum ok] UDP, length 14
        0x0000:  4500 002a 559b 0000 f211 2c4a 1fc4 1804  E..*U.....,J....
        0x0010:  17eb f72a 5b40 adaf 0016 2e87 0001 0000  ...*[@..........
        0x0020:  0002 58b0 26ca 0000 01f0 0000 0000       ..X.&.........
00:09:46.648582 IP (tos 0x0, ttl 119, id 31037, offset 0, flags [none], proto UDP (17), length 35)
    98.165.122.244.64929 > x.44463: [udp sum ok] UDP, length 7
        0x0000:  4500 0023 793d 0000 7711 dddd 62a5 7af4  E..#y=..w...b.z.
        0x0010:  17eb f72a fda1 adaf 000f 393f 0015 cf4f  ...*......9?...O
        0x0020:  082b 5700 0000 0000 0000 0000 0000       .+W...........
00:15:26.680685 IP (tos 0x0, ttl 242, id 50739, offset 0, flags [none], proto UDP (17), length 42)
    93.187.72.7.15772 > x.44463: [udp sum ok] UDP, length 14
        0x0000:  4500 002a c633 0000 f211 4db7 5dbb 4807  E..*.3....M.].H.
        0x0010:  17eb f72a 3d9c adaf 0016 de30 0001 0000  ...*=......0....
        0x0020:  0002 58b0 26ca 0000 01f0 0000 0000       ..X.&.........
00:30:52.615474 IP (tos 0x0, ttl 242, id 14833, offset 0, flags [none], proto UDP (17), length 42)
    73.183.53.2.22109 > x.44463: [udp sum ok] UDP, length 14
        0x0000:  4500 002a 39f1 0000 f211 0103 49b7 3502  E..*9.......I.5.
        0x0010:  17eb f72a 565d adaf 0016 ec78 0001 0000  ...*V].....x....
        0x0020:  0002 58b0 26ca 0000 01f0 0000 0000       ..X.&.........
00:30:45.109025 IP (tos 0x0, ttl 242, id 30860, offset 0, flags [none], proto UDP (17), length 42)
    88.155.91.9.24065 > x.44463: [udp sum ok] UDP, length 14
        0x0000:  4500 002a 788c 0000 f211 8d7c 589b 5b09  E..*x......|X.[.
        0x0010:  17eb f72a 5e01 adaf 0016 afe9 0001 0000  ...*^...........
        0x0020:  0002 58b0 26ca 0000 01f0 0000 0000       ..X.&.........
00:30:41.614592 IP (tos 0x0, ttl 242, id 65181, offset 0, flags [none], proto UDP (17), length 42)
    72.178.45.8.56959 > x.44463: [udp sum ok] UDP, length 14
        0x0000:  4500 002a fe9d 0000 f211 4555 48b2 2d08  E..*......EUH.-.
        0x0010:  17eb f72a de7f adaf 0016 6d55 0001 0000  ...*......mU....
        0x0020:  0002 58b0 26ca 0000 01f0 0000 0000       ..X.&.........
00:49:40.533446 IP (tos 0x0, ttl 242, id 43365, offset 0, flags [none], proto UDP (17), length 42)
    35.154.12.7.44781 > x.44463: [udp sum ok] UDP, length 14
        0x0000:  4500 002a a965 0000 f211 e0a6 239a 0c07  E..*.e......#...
        0x0010:  17eb f72a aeed adaf 0016 e300 0001 0000  ...*............
        0x0020:  0002 58b0 26ca 0000 01f0 0000 0000       ..X.&.........

Commonly the packets have a length of 42 bytes, but as you can see, not always.

The other commonality is at offset 0x010, where I see the same pattern: 17eb f72a

The rule I've put in place to try to match them is:

-A INPUT -i eth1 -p udp --dport 44463 -m string --to 42 --algo kmp --hex-string '|17ebf72a|' -j DROP

However, the packets do not seem to be matched against the rule, and they are still disrupting the service on that port.

Can someone perhaps explain what I might be doing incorrectly here?

I solved it myself, so I figured I'd post the solution.

I used the u32 module instead of hex string matching. For this particular issue I used the following rule:

-A INPUT -i eth1 -p udp -d x -m u32 --u32 "16 & 0xffffffff = 0x17ebf72a" -m u32 --u32 "22 & 0xffffffff = 0xadaf0016" -m u32 --u32 "34 & 0xffffffff = 0x58b026ca" -j DROP

This seems to drop the traffic. It's not perfect (as you can see in the dump above, the uint at offset 22 is different in one packet), as these packets are masquerading as legit data.

But I digress; in the context of the question posed, u32 worked better than hex string matching.
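To check a u32 rule like the one above against a capture before loading it, here is an added example (not code from the original post) that emulates the three --u32 tests in Python over two packets copied from the tcpdump output above: the common 42-byte packet and the 35-byte outlier. It assumes only the simple "offset & mask = value" form of the u32 syntax, and it follows xt_u32 in failing a test whose 4-byte read would run past the IP total length.

```python
import re

# The three --u32 tests from the rule above; every -m u32 clause must match for -j DROP to apply.
U32_TESTS = [
    "16 & 0xffffffff = 0x17ebf72a",  # bytes 16-19 of the IPv4 header: destination address
    "22 & 0xffffffff = 0xadaf0016",  # bytes 22-25: UDP dst port 0xadaf (44463) and UDP length 0x16
    "34 & 0xffffffff = 0x58b026ca",  # bytes 34-37: UDP payload bytes 6-9 (payload starts at 28)
]

# Packets copied from the dump above, from the IP header onward. The trailing bytes past the
# IP total length are Ethernet padding as captured; netfilter sees the packet trimmed to that length.
PKT_42 = bytes.fromhex(
    "4500002a559b0000f2112c4a1fc41804"
    "17ebf72a5b40adaf00162e8700010000"
    "000258b026ca000001f000000000")
PKT_35 = bytes.fromhex(
    "45000023793d00007711dddd62a57af4"
    "17ebf72afda1adaf000f393f0015cf4f"
    "082b570000000000000000000000")

_TEST_RE = re.compile(r"^\s*(\d+)\s*&\s*(0x[0-9a-fA-F]+|\d+)\s*=\s*(0x[0-9a-fA-F]+|\d+)\s*$")


def parse_u32_test(expr):
    """Parse the simple 'offset & mask = value' form of an iptables --u32 expression."""
    m = _TEST_RE.match(expr)
    if not m:
        raise ValueError("unsupported u32 expression: %r" % expr)
    offset, mask, value = (int(x, 0) for x in m.groups())
    return offset, mask, value


def ip_total_len(pkt):
    """IPv4 total length field (bytes 2-3); u32 offsets must stay inside this, not the padded frame."""
    return int.from_bytes(pkt[2:4], "big")


def u32_test_matches(pkt, expr):
    """Emulate one u32 test: load 4 bytes big-endian at offset, AND with mask, compare with value."""
    offset, mask, value = parse_u32_test(expr)
    if offset + 4 > ip_total_len(pkt):  # xt_u32 fails the match on an out-of-bounds read
        return False
    word = int.from_bytes(pkt[offset:offset + 4], "big")
    return (word & mask) == value


def rule_matches(pkt, tests=U32_TESTS):
    """True when every u32 clause matches, i.e. the rule above would drop this packet."""
    return all(u32_test_matches(pkt, t) for t in tests)


def failing_tests(pkt, tests=U32_TESTS):
    """The clauses a packet fails; handy when tuning the rule against a fresh capture."""
    return [t for t in tests if not u32_test_matches(pkt, t)]


if __name__ == "__main__":
    for name, pkt in (("42-byte packet", PKT_42), ("35-byte packet", PKT_35)):
        print(name, "DROP" if rule_matches(pkt) else "pass", failing_tests(pkt))
```

The 35-byte packet passes the destination-address test but fails the other two (its UDP length word is 0xadaf000f, and offset 34 lies beyond its 35 bytes), which is exactly the outlier the answer mentions.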
