From: Willem Jan Withagen <wjw@digiware.nl>
To: freebsd-net@freebsd.org
Date: Thu, 14 Sep 2006 15:29:14 +0200
Subject: blocking a string in a packet using ipfw
Message-ID: <4509592A.3040602@digiware.nl>
User-Agent: Thunderbird 1.5.0.5 (Windows/20060719)
List-Id: Networking and TCP/IP with FreeBSD

[ I guess I haven't been paying too much attention during ipfw class :(
And I got the suggestion to try FreeBSD-net@ instead of security.
But I'm not subscribed to this list, so please Cc: me. ]

Hi,

Perhaps somebody could give some pointers.

I received a call from a customer this morning that all of his websites were no longer online. So after some resetting and more, it turned out that there was a serious overload on his server. Over 500 clients connected (the norm is 50), and they were all trying to get this file 777.gif (which is not on any of the sites). After reducing the max servers to 100, the sites are now more or less up.

Then I created a swatch script to actually block the offenders thru ipfw (which was already used to do most of the protection). It is already a solution, because they keep trying it multiple times.

But it turns out that the generic name of the server is in a new virus on a list of servers to get a file from. And it's at a high place in that list. So I can confirm that there are at least 35.000 PCs infected with this Bagle.FY virus. And these are now all in the block list in IPFW.

I contacted the maintainer for the generic FQDN name of the server to reset the IP-number for that name to 127.0.0.1, but that'll take another 24 hours to propagate thru the whole of the internet.

Now I'm pretty sure that ipfw does not stretch indefinitely to contain perhaps something like 100.000 IP-numbers (would be a nice test. :) ). So I'd like to see if there is something to do with divert and some matching on a string in the packet to drop those packets. That would prevent me from having a humongous set of rules in ipfw.

Or any other suggestion that would make sense.

Thanx,
--WjW
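An added example, not from the original post or from the ipfw project: a small POSIX shell script that does the same job as the swatch approach above (pick the clients requesting 777.gif out of the web server log) but feeds the addresses into an ipfw lookup table instead of one rule per address, so the block list can hold tens of thousands of entries behind a single deny rule. The table number 1, rule number 100 and the log lines are assumptions constructed for the example; the commands are printed for review rather than executed.

```shell
#!/bin/sh
# Added example (not the poster's swatch script). Builds "ipfw table" commands
# from Apache common-log lines that request the worm's download target.
# ipfw tables are radix-tree lookups, so a table with 100.000 entries is one
# rule, not 100.000 rules.

TABLE_NO=1          # assumed ipfw table number
RULE_NO=100         # assumed rule number, placed before the web server rules
TARGET='777.gif'    # the file name the infected clients ask for (from the post)

# Constructed sample log lines; addresses are documentation ranges.
SAMPLE_LOG='192.0.2.10 - - [14/Sep/2006:15:01:02 +0200] "GET /777.gif HTTP/1.1" 404 209
198.51.100.7 - - [14/Sep/2006:15:01:03 +0200] "GET /index.html HTTP/1.1" 200 5123
192.0.2.10 - - [14/Sep/2006:15:01:04 +0200] "GET /777.gif HTTP/1.1" 404 209
203.0.113.99 - - [14/Sep/2006:15:01:05 +0200] "GET /777.gif HTTP/1.0" 404 209'

# offenders: read log lines on stdin, print each unique client address that
# requested TARGET. Only dotted-quad first fields are accepted, so a hostname
# or garbage written into the log can never end up in a firewall command.
offenders() {
    grep -F "GET /$TARGET " \
      | awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {print $1}' \
      | sort -u
}

# table_cmds: turn the offender list into ipfw table-load commands.
table_cmds() {
    offenders | while read -r ip; do
        printf 'ipfw table %s add %s\n' "$TABLE_NO" "$ip"
    done
}

# deny_rule: the single rule that consults the table for port 80 traffic.
deny_rule() {
    printf 'ipfw add %s deny tcp from "table(%s)" to any 80\n' "$RULE_NO" "$TABLE_NO"
}

# Run as "sh script.sh run" to print the rule and the table loads for the
# embedded sample; in production, pipe the real access log into table_cmds.
if [ "${1:-}" = "run" ]; then
    deny_rule
    printf '%s\n' "$SAMPLE_LOG" | table_cmds
fi
```

Re-running the script on a growing log is idempotent, since adding an address already in the table just reports an error from ipfw without changing anything.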