blocking a string in a packet using ipfw

Willem Jan Withagen wjw at digiware.nl
Thu Sep 14 06:28:15 PDT 2006


[ I guess I haven't been paying too much attention during ipfw class :(
   And I got the suggestion to try FreeBSD-net@ instead of security. But
   I'm not subscribed to this list, so please Cc: me.
]

Hi,

perhaps somebody could give some pointers.

I received a call from a customer this morning that all of his websites were
no longer online. So after some resetting and more, it turned out that there was a
serious overload on his server. Over 500 clients connected (the norm is 50), and
they were all trying to get this file 777.gif (which is not on any of the sites).

After reducing the max servers to 100, the sites are now more or less up.
Then I created a swatch script to actually block the offenders through ipfw
(which was already used to do most of the protection).
It is already a solution, because they keep trying it multiple times.


But it turns out that the generic name of the server is in a new virus, on a
list of servers to get a file from. And it's high up in that list.
So I can confirm that there are at least 35.000 PCs infected with this
Bagle.FY virus. And these are now all in the block list in IPFW.

I contacted the maintainer of the generic FQDN name of the server to reset
the IP number for that name to 127.0.0.1, but that'll take another 24 hours to
propagate through the whole of the internet.

Now I'm pretty sure that ipfw does not stretch indefinitely to contain
perhaps something like 100.000 IP numbers (would be a nice test. :) ). So I'd
like to see if there is something to do with divert and some matching on a
string in the packet to drop those packets.
That would save me from having a humongous set of rules in ipfw.

Or any other suggestion that would make sense.

Thanx,
--WjW
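The divert-and-match approach asked about above, as an added example that is not part of the original post or of any FreeBSD tool: a small C program that receives packets from an ipfw divert socket, drops any TCP segment whose payload contains the string `777.gif`, and re-injects everything else. It assumes a rule such as `ipfw add divert 8668 tcp from any to me 80` in front of the web server; the divert port 8668 and the pattern are assumptions. The matching function is portable and builds anywhere; only the divert loop is FreeBSD-specific.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>

/* Request string the infected clients ask for (taken from the post). */
static const char PATTERN[] = "777.gif";

/* Return 1 if pkt (a raw IPv4 datagram) is a TCP segment whose payload
 * contains PATTERN, 0 otherwise. Malformed or non-TCP packets pass (0),
 * so a parser failure never turns into an accidental drop. */
int drop_request(const unsigned char *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    size_t ihl = (pkt[0] & 0x0f) * 4;               /* IP header length */
    if (ihl < 20 || len < ihl + 20 || pkt[9] != IPPROTO_TCP) return 0;
    size_t thl = (pkt[ihl + 12] >> 4) * 4;          /* TCP data offset */
    if (thl < 20 || len < ihl + thl) return 0;
    const unsigned char *payload = pkt + ihl + thl;
    size_t plen = len - ihl - thl, n = sizeof(PATTERN) - 1;
    /* Payload is not NUL-terminated, so scan with memcmp, not strstr. */
    for (size_t i = 0; plen >= n && i <= plen - n; i++)
        if (memcmp(payload + i, PATTERN, n) == 0) return 1;
    return 0;
}

/* Build a minimal IPv4+TCP packet (no options, zero checksums) carrying
 * `payload` into buf (constructed test input); returns its length. */
size_t build_packet(unsigned char *buf, const char *payload)
{
    size_t plen = strlen(payload);
    memset(buf, 0, 40);
    buf[0] = 0x45;                                  /* IPv4, IHL = 5 words */
    buf[9] = IPPROTO_TCP;
    buf[32] = 0x50;                                 /* TCP data offset = 5 */
    memcpy(buf + 40, payload, plen);
    return 40 + plen;
}

#ifdef IPPROTO_DIVERT   /* FreeBSD only: read from the divert port, re-inject keepers */
int main(void)
{
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(8668) };
    if (fd < 0 || bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) { perror("divert"); return 1; }
    unsigned char buf[65535];
    for (;;) {
        socklen_t slen = sizeof sin;
        ssize_t n = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&sin, &slen);
        if (n > 0 && !drop_request(buf, (size_t)n))  /* not re-injecting == dropped */
            sendto(fd, buf, (size_t)n, 0, (struct sockaddr *)&sin, slen);
    }
}
#endif
```

Because only the first packet of each offending request is inspected, a request split across segments may slip through; the swatch/ipfw block list described above still catches those repeat offenders.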