From owner-freebsd-net@FreeBSD.ORG Thu Sep 14 21:04:26 2006
X-Original-To: freebsd-net@freebsd.org
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3CB5516A417 for ; Thu, 14 Sep 2006 21:04:26 +0000 (UTC) (envelope-from prvs=julian=4054a8e64@elischer.org)
Received: from a50.ironport.com (a50.ironport.com [63.251.108.112]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0D23543D55 for ; Thu, 14 Sep 2006 21:04:23 +0000 (GMT) (envelope-from prvs=julian=4054a8e64@elischer.org)
Received: from unknown (HELO [192.168.2.6]) ([10.251.60.95]) by a50.ironport.com with ESMTP; 14 Sep 2006 14:04:22 -0700
Message-ID: <4509C3D7.4060302@elischer.org>
Date: Thu, 14 Sep 2006 14:04:23 -0700
From: Julian Elischer
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.13) Gecko/20060414
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Willem Jan Withagen
References: <4509592A.3040602@digiware.nl>
In-Reply-To: <4509592A.3040602@digiware.nl>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-net@freebsd.org
Subject: Re: blocking a string in a packet using ipfw
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Thu, 14 Sep 2006 21:04:26 -0000

Willem Jan Withagen wrote:
> [ I guess I haven't been paying too much attention during ipfw class :(
> And I got the suggestion to try FreeBSD-net@ instead of security. But
> I'm not subscribed to this list, so please Cc: me. ]
>
> Hi,
>
> Perhaps somebody could give some pointers.
>
> I received a call from a customer this morning that all of his websites
> were no longer online. So after some resetting and more, it turned out
> that there was a serious overload on his server. Over 500 clients
> connected (the norm is > 50), and they were all trying to get this file
> 777.gif (which is not on any of the sites).
>
> After reducing the max servers to 100, the sites are now more or less
> up. Then I created a swatch script to actually block the offenders
> through ipfw (which was already used to do most of the protection).
> It is already a solution, because they keep trying it multiple times.
>
> But it turns out that the generic name of the server is in a new virus,
> on a list of servers to get a file from. And it's in a high place in
> that list. So I can confirm that there are at least 35,000 PCs infected
> with this Bagle.FY virus. And these are now all in the block list in
> IPFW.

I hope you are using an ipfw table to do this.

> I contacted the maintainer for the generic FQDN name of the server to
> reset the IP number for that name to 127.0.0.1, but that'll take
> another 24 hours to propagate through the whole of the internet.
>
> Now I'm pretty sure that ipfw does not stretch indefinitely to contain
> perhaps something like 100,000 IP numbers (would be a nice test :) ).
> So I'd like to see if there is something to do with divert and some
> matching on a string in the packet to drop those packets. That would
> prevent me from having a humongous set of rules in ipfw.

Use ipfw tables. One table lookup would do the job; that's one rule.

> Or any other suggestion that would make sense.
>
> Thanks,
> --WjW
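The table approach Julian recommends, as an added example that is not part of the thread and not code from either poster: pull the client addresses that requested the probe file out of a web server log, emit one "ipfw table N add" command per unique address, and emit the single deny rule that consults that table. Assumptions (mine, not from the thread): the log is in Apache combined format, table number 1 and rule number 100 are free, and the numbered-table syntax ("ipfw table 1 add", "table(1)" in a rule) matches the ipfw(8) on the box; later FreeBSD releases also support named tables created with "ipfw table X create", so check the local manual page. The log lines are constructed for the example, and the script prints the ipfw commands rather than running them so the block list can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumptions: Apache combined
# log format, ipfw numbered-table syntax, table 1 and rule 100 unused.

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG='10.1.2.3 - - [14/Sep/2006:13:00:01 -0700] "GET /777.gif HTTP/1.1" 404 209 "-" "Mozilla/4.0"
192.0.2.44 - - [14/Sep/2006:13:00:02 -0700] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.1.2.3 - - [14/Sep/2006:13:00:03 -0700] "GET /777.gif HTTP/1.1" 404 209 "-" "Mozilla/4.0"
198.51.100.7 - - [14/Sep/2006:13:00:04 -0700] "GET /777.gif HTTP/1.0" 404 209 "-" "-"
not a log line at all
203.0.113.9 - - [14/Sep/2006:13:00:05 -0700] "GET /777.gif?x=1 HTTP/1.1" 404 209 "-" "-"'

# offenders PATH: read a log on stdin, print each client IP that requested
# PATH (optionally with a query string), once. Only dotted-quad sources are
# accepted, so a garbled line cannot feed an arbitrary token into ipfw.
offenders() {
    awk -v path="$1" '
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ &&
        $7 ~ ("^" path "($|[?])") &&
        !seen[$1]++ { print $1 }'
}

# table_cmds TABLE: turn the offender list (stdin) into ipfw table commands.
# Printed rather than executed so the list can be reviewed, then piped to sh.
table_cmds() {
    while read -r ip; do
        if [ -n "$ip" ]; then
            printf 'ipfw table %s add %s/32\n' "$1" "$ip"
        fi
    done
}

# block_rule TABLE RULENUM: the one rule that replaces a deny rule per host.
# The table is a radix tree, so each packet costs one lookup no matter how
# many addresses the table holds.
block_rule() {
    printf 'ipfw add %s deny tcp from table(%s) to me dst-port 80\n' "$2" "$1"
}

main() {
    printf '%s\n' "$SAMPLE_LOG" | offenders /777.gif | table_cmds 1
    block_rule 1 100
}

main
```

On the real host, replace the embedded sample with the access log (or the lines swatch hands you) and pipe the output to sh once it looks right; "ipfw table 1 list" shows what is in the table and "ipfw table 1 flush" empties it when the DNS change has propagated and the traffic stops.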