blocking a string in a packet using ipfw

Julian Elischer julian at elischer.org
Thu Sep 14 14:04:26 PDT 2006


Willem Jan Withagen wrote:

> [ I guess I haven't been paying too much attention during ipfw class :(
>   And I got the suggestion to try FreeBSD-net@ instead of security. But
>   I'm not subscribed to this list, so please Cc: me.
> ]
>
> Hi,
>
> perhaps somebody could give some pointers.
>
> I received a call from a customer this morning that all of his websites were
> no longer on line. So after some resetting and more it turned out that there
> was a serious overload on his server. Over 500 clients connected (norm is 50)
> and they were all trying to get this file 777.gif. (Which is not on any of
> the sites).
>
> After reducing the max servers to 100, the sites are now more or less up.
> Then I created a swatch script to actually block the offenders thru ipfw.
> (Which was already used to do most of the protection).
> It is already a solution, because they keep trying it multiple times.
>
>
> But it turns out that the generic name of the server is in a new virus on a
> list of servers to get a file from. And it's in a high place in that list.
> So I can confirm that there are at least 35.000 pc's infected with this
> Bagle.FY virus. And these are now all in the block list in IPFW.


I hope you are using an ipfw table to do this..

>
> I contacted the maintainer for the generic FQDN name of the server to reset
> the IP-number for that name to 127.0.0.1 but that'll take another 24 hours
> to propagate thru the whole of the internet.



>
> Now I'm pretty sure that ipfw does not stretch indefinitely to contain
> perhaps something like 100.000 ip-numbers (would be a nice test. :) )
> So I'd like to see if there is something to do with divert and some matching
> on a string in the packet to drop those packets.
> That would prevent me from having a humongous set of rules in ipfw.

use ipfw tables
one table lookup would do the job
that's one rule

>
> Or any other suggestion that would make sense.
>
> Thanx,
> --WjW
>
>
>
>
> _______________________________________________
> freebsd-net at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
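The table approach Julian recommends, as an added example that is not part of the original thread: a lookup table holds the offending addresses and a single deny rule consults it, so the rule list stays at one rule no matter how many hosts the swatch script adds. The table number (1), the rule number (100) and the addresses in the sample blocklist are assumptions constructed for the example; the functions only print the ipfw commands so they can be reviewed before being piped into sh on the firewall.

```shell
#!/bin/sh
# Added example (not from the original thread): block a large set of source
# addresses with ONE ipfw rule backed by a lookup table, instead of one rule
# per address. Table number 1 and rule number 100 are arbitrary assumptions;
# the addresses in the sample blocklist are constructed (RFC 5737 ranges).

TABLE=${TABLE:-1}    # ipfw lookup table that holds the offending addresses
RULE=${RULE:-100}    # rule number for the single deny rule that consults it

# Emit the ipfw commands that populate table $2 from blocklist file $1.
# One IPv4 address or CIDR prefix per line; '#' comments and blank lines
# are ignored. Output is printed, not executed, so it can be reviewed first.
blocklist_to_table_cmds() {
    awk -v t="$2" '
        { sub(/#.*/, ""); gsub(/[[:space:]]/, "") }
        $0 != "" { print "ipfw table " t " add " $0 }
    ' "$1"
}

# The one rule that replaces thousands of per-address deny rules:
# every packet whose source address is in table $1 is dropped by rule $2.
deny_rule_cmd() {
    printf "ipfw add %s deny ip from 'table(%s)' to any\n" "$2" "$1"
}

# What a swatch action would run when the log shows another offender $1:
# adding to table $2 is a cheap table operation and leaves the rule list alone.
block_offender_cmd() {
    printf "ipfw table %s add %s\n" "$2" "$1"
}

# Constructed sample blocklist (not real offenders), written to file $1.
write_sample_blocklist() {
    cat > "$1" <<'EOF'
# hosts seen requesting /777.gif
192.0.2.10
198.51.100.0/24   # whole prefix after repeated hits

203.0.113.7
EOF
}

# Stand-alone run: `sh thisfile --demo` prints the commands for review;
# pipe the output into sh on the firewall host to apply them.
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    write_sample_blocklist "$f"
    blocklist_to_table_cmds "$f" "$TABLE"
    deny_rule_cmd "$TABLE" "$RULE"
    rm -f "$f"
fi
```

The `'table(1)'` form is the numbered-table syntax of the ipfw of that era; the quotes keep the shell from treating the parentheses specially. Newer FreeBSD releases also accept named tables (`ipfw table blocklist create type addr`), but the shape is the same: entries go into the table, and one rule does the lookup.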


