Security Incidents mailing list archives

Re: code red attacks and real-time blackhole'ng


From: "Sean Hunter" <sean () uncarved com>
Date: Fri, 14 Sep 2001 08:23:26 +0100

On Sat, Sep 08, 2001 at 01:46:56AM +0200, Florian Piekert wrote:

-----BEGIN PGP SIGNED MESSAGE-----

Hi,

some time ago I asked if somebody had any idea how to real-time blackhole
IP addresses to port 80 with ipchains that try to set off the Code Red virus
variants.

my idea was as follows:

#!/bin/bash
tail -f /var/log/messages | grep -i "codered" | grep -iv proxy | awk '{print $11}' | awk -F : '{print $1}'| 
ipchains -A input -s i `awk '{print $1}'`/255.255.255.255 -d 0/0 80 -i eth1 -j DENY --protocol tcp

Several problems now occur (for some of you probably trivialities):

1) the above port 80 blocking makes sense if tcp and udp are blocked or is tcp sufficient?

You should deny by default.  Although http is only over tcp, I would hope that
you would blanket-ban anyone from connecting to you on 80/udp since there isn't
a well-known service for that port.


2) when I do a tail -n 1000 instead of the tail -f, ipchains bitches because it gets 1000 (not that many
of course) IP addresses at once but only wants _1_ argument, not a list.

I think you want to learn a bit more shell.  What might help is this sort of construct:

CODERED_IPS=`a_commandline_pipe_that_gives_me_a_list_of_ips`

for addr in $CODERED_IPS; do
        echo "Blocking $addr"
        ipchains -A input -s $addr -d 0/0 80 -i eth1 -j DENY --protocol tcp
done

There are other ways to achieve this same type of loop in bash, but this idea
is very useful.  You may also want to consider "sort -n | uniq" at the end of
your pipe, to make sure you avoid duplicates.

Finally, instead of putting those in your INPUT chain, consider adding a
"codered blocking" chain thusly:

ipchains -N block_codered

...

ipchains -A input -p tcp -d 0/0 80 -i eth1 -j block_codered

for addr in $CODERED_IPS; do
        echo "Blocking $addr"
        ipchains -A block_codered -s $addr -j DENY --protocol tcp
done

Now, the cool thing about this approach is that you can easily add blocking IPs
to the end of your codered chain without affecting rules in the main table.
This means you don't have to reload your firewall rules every time you lart
someone.  You also may get a performance benefit because you aren't matching
each packet against the protocol and destination address/port mask once they're
in the blocking chain, only the source address.


3) when I do a tail -f nothing happens at all; even without the ipchains command no output is generated
at all, even if new entries in /var/log/messages appear, but if I tail -n 1000 /var/log/messages and use
the above pipes, I get a neat list of IP addresses...

You could do "tail -1000f /var/log/messages" and get the best of both worlds.
Seriously, I think you should read the manpages and figure this one out for
yourself.  

Good luck!

Sean Hunter

P.S.  I apologise if the ipchains syntax is wrong, but all my firewalls use
iptables so I'm a bit more familiar with that.
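The extract / dedupe / loop-into-a-dedicated-chain approach sketched in the reply above, written out as an added shell example that is not part of the original thread. The log lines are constructed; the "from ADDR:PORT" field layout, the chain name block_codered and the interface eth1 are assumptions, and IPCHAINS defaults to echo so the script runs (and shows the rules it would add) on any box, not only one with a 2.2 kernel and ipchains installed.

```shell
#!/bin/bash
# Added example, not the poster's code. Blocks Code Red sources in a
# dedicated ipchains chain. Set IPCHAINS=ipchains to apply for real;
# the default "echo" prints the rules instead of loading them.

IPCHAINS="${IPCHAINS:-echo}"   # assumption: echo for dry runs
CHAIN=block_codered            # assumption: chain name
IFACE=eth1                     # assumption: outside interface

# Constructed sample log lines (not real syslog output). The client
# address is assumed to follow the word "from" as ADDR:PORT.
SAMPLE_LOG='Sep 14 08:01:02 gw httpd[123]: GET /default.ida?XXXX HTTP/1.0 from 192.0.2.10:4321 codered
Sep 14 08:01:03 gw httpd[123]: GET /index.html HTTP/1.0 from 192.0.2.77:1111 normal
Sep 14 08:01:04 gw httpd[123]: GET /default.ida?NNNN HTTP/1.0 from 192.0.2.10:4322 CodeRed
Sep 14 08:01:05 gw httpd[123]: GET /default.ida?NNNN HTTP/1.0 from 198.51.100.5:2000 codered
Sep 14 08:01:06 gw httpd[123]: GET /default.ida?NNNN HTTP/1.0 from 10.0.0.2:3000 codered proxy'

# Log text on stdin; unique attacker IPs, one per line, on stdout.
# sort -u on the four octets does the dedupe the reply recommends.
codered_ips() {
    grep -i 'codered' | grep -iv 'proxy' \
      | sed -n 's/.* from \([0-9.]*\):[0-9][0-9]*.*/\1/p' \
      | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n -u
}

# Create the blocking chain once and hook it into input for inbound
# 80/tcp on $IFACE. Later blocks only touch $CHAIN, so the main table
# never has to be reloaded.
setup_chain() {
    "$IPCHAINS" -N "$CHAIN"
    "$IPCHAINS" -A input -i "$IFACE" -p tcp -d 0/0 80 -j "$CHAIN"
}

# Append one source-only DENY rule to the blocking chain.
block_ip() {
    "$IPCHAINS" -A "$CHAIN" -s "$1/32" -j DENY
}

# Log text on stdin; one block_ip call per unique source (the loop the
# reply suggests instead of handing ipchains a whole list at once).
block_from_log() {
    for addr in $(codered_ips); do
        block_ip "$addr"
    done
}

# Continuous mode: replay the last 1000 lines, then follow the file.
# grep and sed block-buffer their output when writing into a pipe, which
# is why a plain "tail -f | grep | awk" can show nothing for a long time;
# GNU grep's --line-buffered and GNU sed's -u flush per line. Addresses
# already blocked are remembered so the chain does not fill with
# duplicate rules. Not exercised by the demo run below.
watch_log() {
    seen=" "
    tail -n 1000 -f "$1" \
      | grep --line-buffered -i 'codered' \
      | grep --line-buffered -iv 'proxy' \
      | sed -u -n 's/.* from \([0-9.]*\):[0-9][0-9]*.*/\1/p' \
      | while read -r addr; do
            case "$seen" in
                *" $addr "*) ;;
                *) block_ip "$addr"; seen="$seen$addr " ;;
            esac
        done
}

# Demo run on the constructed sample (harmless with IPCHAINS=echo).
setup_chain
printf '%s\n' "$SAMPLE_LOG" | block_from_log
```

With the default IPCHAINS=echo the demo prints the chain setup and exactly two DENY rules (192.0.2.10 appears twice in the sample but is blocked once; the "proxy" line is skipped as in the original pipeline). Swap in IPCHAINS=ipchains on the firewall host to load them.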


