
I want to ask how to block a specific packet payload.

14:46:35.837759 IP 145.92.16.14.27017 > x.27030: UDP, length 25
        0x0000:  4500 0035 44a4 0000 ee11 53ae 915c 100e  E..5D.....S..\..
        0x0010:  0587 8d74 6987 6996 0021 0000 7a78 4646  ...ti.i..!..zxFF
        0x0020:  ffff ff55 4ba1 d522 0043 6f75 6c64 206e  ...UK..".Could.n
        0x0030:  6f74 206f 70                             ot.op
14:46:35.837775 IP 120.79.235.173.27015 > x.27015: UDP, length 25
        0x0000:  4500 0035 44a1 0000 ee11 911e 784f ebad  E..5D.......xO..
        0x0010:  0587 8d74 6987 6996 0021 0000 7a78 4646  ...ti.i..!..zxFF
        0x0020:  ffff ff55 4ba1 d522 0043 6f75 6c64 206e  ...UK..".Could.n
        0x0030:  6f74 206f 70                             ot.op

Is it possible to block the attack by blocking the hex string?

  • Blocking a packet with iptables is not going to magically give you back the link-time already used to send the packet to you. So all you can aim for is to process the packet as fast as possible. Handling a UDP packet targeted at a closed port is already pretty fast, so you are more likely to slow the processing down by using iptables. – kasperd Aug 16 '15 at 14:13
  • Thanks for the reply. iptables --append INPUT --match string --algo kmp --hex-string '|ff ff ff 55 4b a1 d5 22 00 43 6f 75 6c 64 20 6e|' --jump DROP Will that work? – user3599148 Aug 16 '15 at 14:28
  • Be careful. If you keep receiving such packets, but they don't harm the machine itself in any way, adding payload inspection might actually increase the load of your machine. As @lain notes, you won't free the line this way. Your command should work, but it can probably be rather easily evaded by the attacker. Adding multiple inspections like this will have an even bigger performance impact. – Fox Aug 16 '15 at 16:24

1 Answer


Is it possible to block the attack by blocking the hex string?

No, not really. With a DDOS attack, by the time a packet gets to your machine for inspection it has done its job - viz. it has used up a portion of your network resource.

To solve a DDOS problem, you need to elicit some help from upstream.

– user9517