Page 1 of 1
TTL Match?
Posted: 03 Jan 2008, 06:48
by felosi
Probably un-needed by most people but I could use something like this. If it wouldnt add no bulk or anything that would cause problems id really like to see this.
Would be good in case you have an ip under attack, you could examine tcpdump and see if there is a pattern in TTL which there usually is with some ddos tools/bots.
Or maybe advanced options for the PF feature that includes something like this?
thanks
Posted: 04 Jan 2008, 11:02
by chirpy
The problem with using tcpdump and examining the protocol at that level is performance overhead. Knowing when to activate such functionality and using it would be tricky and might be better left to the likes of SNORT or, better yet, at the NOC router/firewall level where such traffic analysis is best done.
Posted: 08 Jan 2008, 07:25
by felosi
Yes and I found out that its highly unreliable as well as blocking legit users
I did howver find a real useful match that can be added.
String match
For example last night I had a customer getting hit with a ferocious POST attack. First the bots were posting liek index.php?=dir , etc. So I setup mod_security to block it. Did a good job but logs were so huge.
I had customer change the name of their index and added a string rule like this
iptables -I INPUT -j DROP -p tcp -s 0.0.0.0/0 -d clients.server.ip -m string --algo bm --string "index.php"
And it worked flawlessly.
Again though, probably an advanced feature not useful to most average admins but sure was a lifesaver for me last nght.
Probably no reasoin to add thse advanced rules, csfpre.sh ha always done its job. However if you ever make any docs for csf and handling ddos attacks some things like this would be good to add.