by using
tcpdump -nlASX -s 0 -vvv port 80 I get something like:
14:58:55.121160 IP (tos 0x0, ttl 64, id 49764, offset 0, flags [DF], proto TCP (6), length 1480)
206.72.206.58.http > 2.187.196.7.4624: Flags [.], cksum 0x6900 (incorrect -> 0xcd18), seq 1672149449:1672150889, ack 4202197968, win 15340, length 1440
0x0000: 4500 05c8 c264 4000 4006 0f86 ce48 ce3a E....d@
[email protected].:
0x0010: 02bb c407 0050 1210 63aa f9c9 fa78 73d0 .....P..c....xs.
0x0020: 5010 3bec 6900 0000 0f29 95cc fac4 2854 P.;.i....)....(T
0x0030: c0e7 3384 e89a 74fa 8d8c a069 f93f fc40 ..3...t....i.?.@
0x0040: 1561 af61 1cf3 0d9c 3460 aa23 0b54 aac0 .a.a....4`.#.T..
0x0050: 5090 ced1 b7bf 8857 c476 e1c0 8814 81ed P......W.v......
0x0060: 9e85 87e8 d693 b637 bd3a 56ef c5fa 77e8 .......7.:V...w.
0x0070: 3035 743a 283e 89c7 ced8 c7c1 cff9 6ca3 05t:(>........l.
0x0080: 5f3f 0162 ebf1 419e c410 7180 7cd0 29e1 _?.b..A...q.|.).
0x0090: fec9 c708 0f01 9b2f a96b 20fe b95a 31cf ......./.k...Z1.
0x00a0: 8166 3612 bac9 4e8d 7087 4974 0063 1270 .f6...N.p.It.c.p
What do I pull to use IPTables to block via string. Or is there a better way to block attacks that have something in common?
Question is:
Can I pick any piece from that IP packet and call it a string?
iptables -A INPUT -m string --alog bm --string attack_string -j DROP
In other words:
In some cases I can ban with TTL=xxx and use that should an attack have the same TTL. Sure it will block some legit packets but if it means keeping the box up it works till the attack goes away but I would like to LEARN how to FIND other common things in a packet to block with IPTables