TTL Match?

felosi
Junior Member
Posts: 40
Joined: 26 Jan 2007, 07:44

Post by felosi »

Probably unneeded by most people, but I could use something like this. If it wouldn't add any bulk or anything that would cause problems, I'd really like to see this.

Would be good in case you have an IP under attack: you could examine tcpdump and see if there is a pattern in TTL, which there usually is with some DDoS tools/bots.

Or maybe advanced options for the PF feature that includes something like this?

thanks
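A small analysis script for the TTL pattern check described above, added here as an example and not part of the original thread. It parses constructed `tcpdump -nv` output (addresses from the RFC 5737 documentation ranges) and reports whether one TTL value dominates traffic to the server across many distinct sources; it is a triage aid for deciding whether a TTL-based rule is even worth trying, not a rule itself.

```python
import re
from collections import Counter, defaultdict
# Constructed sample in `tcpdump -nv` layout: the header line carries the TTL, the indented
# line after it carries "src.port > dst.port". RFC 5737 addresses; 3 of 4 packets share TTL 116.
SAMPLE = """\
12:00:01.000001 IP (tos 0x0, ttl 116, id 1, offset 0, flags [DF], proto TCP (6), length 60)
    203.0.113.10.40001 > 198.51.100.7.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000002 IP (tos 0x0, ttl 116, id 2, offset 0, flags [DF], proto TCP (6), length 60)
    203.0.113.11.40002 > 198.51.100.7.80: Flags [S], seq 2, win 64240, length 0
12:00:01.000003 IP (tos 0x0, ttl 64, id 3, offset 0, flags [DF], proto TCP (6), length 60)
    192.0.2.25.51000 > 198.51.100.7.80: Flags [S], seq 3, win 64240, length 0
12:00:01.000004 IP (tos 0x0, ttl 116, id 4, offset 0, flags [DF], proto TCP (6), length 60)
    203.0.113.12.40003 > 198.51.100.7.80: Flags [S], seq 4, win 64240, length 0
"""

HEADER_RE = re.compile(r"^\S+ IP \(.*?\bttl (\d+),")
FLOW_RE = re.compile(r"^\s+(\d+\.\d+\.\d+\.\d+)\.\d+ > \d+\.\d+\.\d+\.\d+\.\d+:")

def parse_tcpdump(text):
    """Return [(src_ip, ttl), ...]; each header line is paired with the flow line after it."""
    records, ttl = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            ttl = int(m.group(1))
            continue
        m = FLOW_RE.match(line)
        if m and ttl is not None:
            records.append((m.group(1), ttl))
            ttl = None
    return records

def ttl_profile(records):
    """Map each TTL to (packet count, distinct source count)."""
    counts, sources = Counter(), defaultdict(set)
    for src, ttl in records:
        counts[ttl] += 1
        sources[ttl].add(src)
    return {t: (counts[t], len(sources[t])) for t in counts}

def dominant_ttl(records, min_share=0.6):
    """(ttl, share) if one TTL carries >= min_share of packets, else None. TTL varies with hop count, so this is a triage lead only."""
    if not records:
        return None
    ttl, n = Counter(ttl for _, ttl in records).most_common(1)[0]
    share = n / len(records)
    return (ttl, share) if share >= min_share else None

if __name__ == "__main__":
    print(ttl_profile(parse_tcpdump(SAMPLE)), dominant_ttl(parse_tcpdump(SAMPLE)))
```

Many distinct sources sharing one TTL is the kind of pattern worth a second look; one source or a small share of packets is not.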
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Post by chirpy »

The problem with using tcpdump and examining the protocol at that level is performance overhead. Knowing when to activate such functionality and using it would be tricky and might be better left to the likes of SNORT or, better yet, at the NOC router/firewall level where such traffic analysis is best done.
felosi
Junior Member
Posts: 40
Joined: 26 Jan 2007, 07:44

Post by felosi »

Yes, and I found out that it's highly unreliable, as well as blocking legit users.

I did however find a really useful match that can be added.

String match
For example, last night I had a customer getting hit with a ferocious POST attack. First the bots were posting like index.php?=dir, etc. So I set up mod_security to block it. It did a good job, but the logs were so huge.
I had the customer change the name of their index and added a string rule like this:

iptables -I INPUT -j DROP -p tcp -s 0.0.0.0/0 -d clients.server.ip -m string --algo bm --string "index.php"

And it worked flawlessly.

Again though, probably an advanced feature not useful to most average admins, but it sure was a lifesaver for me last night.

Probably no reason to add these advanced rules, csfpre.sh has always done its job. However, if you ever make any docs for csf and handling DDoS attacks, some things like this would be good to add.