Date: Thu, 14 Sep 2006 14:04:23 -0700
From: Julian Elischer <julian@elischer.org>
To: Willem Jan Withagen <wjw@digiware.nl>
Cc: freebsd-net@freebsd.org
Subject: Re: blocking a string in a packet using ipfw
Message-ID: <4509C3D7.4060302@elischer.org>
In-Reply-To: <4509592A.3040602@digiware.nl>
References: <4509592A.3040602@digiware.nl>
Willem Jan Withagen wrote:
> [ I guess I haven't been paying too much attention during ipfw class :(
> And I got the suggestion to try FreeBSD-net@ instead of security. But
> I'm not subscribed to this list, so please Cc: me. ]
>
> Hi,
>
> Perhaps somebody could give some pointers.
>
> I received a call from a customer this morning that all of his websites were
> no longer online. After some resetting and more it turned out that there was a
> serious overload on his server. Over 500 clients connected (the norm is 50), and
> they were all trying to get this file 777.gif (which is not on any of the sites).
>
> After reducing the max servers to 100, the sites are now more or less up.
> Then I created a swatch script to actually block the offenders thru ipfw
> (which was already used to do most of the protection).
> It is already a solution, because they keep trying it multiple times.
>
> But it turns out that the generic name of the server is in a new virus on a
> list of servers to get a file from. And it's high on that list.
> So I can confirm that there are at least 35.000 PCs infected with this
> Bagle.FY virus. And these are now all in the block list in IPFW.

I hope you are using an ipfw table to do this..

> I contacted the maintainer for the generic FQDN name of the server to reset
> the IP-number for that name to 127.0.0.1, but that'll take another 24 hours to
> propagate thru the whole of the internet.
>
> Now I'm pretty sure that ipfw does not stretch indefinitely to contain
> perhaps something like 100.000 ip-numbers (would be a nice test. :) ).
> So I'd like to see if there is something to do with divert and some matching on a
> string in the packet to drop those packets.
> That would prevent me from having a humongous set of rules in ipfw.

Use ipfw tables. One table lookup would do the job; that's one rule.

> Or any other suggestion that would make sense.
>
> Thanx,
> --WjW
>
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
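Julian's suggestion, worked through as an added example (not code from the thread): a POSIX sh script that turns a flat blocklist of the kind a swatch script collects into ipfw table entries behind a single deny rule, instead of one rule per address. It assumes the numeric-table syntax of that era (`ipfw table N add addr`, `from table(N)`); the table number, rule number and the sample addresses are arbitrary choices made here.

```shell
#!/bin/sh
# Added example: load a blocklist into one ipfw table so that a single
# deny rule does one lookup, rather than growing a rule per offender.
# Assumes classic numeric tables; TABLE and RULE are arbitrary choices.

TABLE=1      # ipfw table number (assumption for this example)
RULE=100     # rule number for the single deny rule (assumption)

# Return 0 when $1 is a dotted quad with every octet in 0..255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++)
                      if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
                  exit 0 }
        { exit 1 }'
}

# Read a blocklist (one address per line, "#" comments allowed) from stdin
# and print the ipfw commands. They are printed, not run, so the output can
# be reviewed first and then piped to sh by root on the firewall host.
ipfw_table_commands() {
    printf 'ipfw table %s flush\n' "$TABLE"
    sort -u | while IFS= read -r ip; do
        [ -n "$ip" ] || continue
        case "$ip" in \#*) continue ;; esac
        if valid_ipv4 "$ip"; then
            printf 'ipfw table %s add %s\n' "$TABLE" "$ip"
        else
            printf '# skipped malformed entry: %s\n' "$ip"
        fi
    done
    # One rule covers every address in the table, however many there are.
    printf 'ipfw add %s deny ip from table(%s) to any\n' "$RULE" "$TABLE"
}

# Constructed sample blocklist (documentation-range addresses, not real
# offenders); it contains a duplicate, a malformed entry and a comment.
SAMPLE='192.0.2.10
198.51.100.7
192.0.2.10
300.1.1.1
# comment line
203.0.113.42'

# Number of "table add" commands produced for SAMPLE (deduplicated, valid only).
count_table_adds() {
    printf '%s\n' "$SAMPLE" | ipfw_table_commands | grep -c '^ipfw table [0-9]* add '
}

printf '%s\n' "$SAMPLE" | ipfw_table_commands
```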