Hi guys, I'm building a firewall for a cluster of webservers using a routerboard.
I was building my list of rules when I had a thought. In the event I need to block something specific, like during a DDoS, what would be the most efficient way (CPU-wise) to block specific traffic?
For example, if I wanted to block all packets with the following string: “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)”
Should I just use a standard filter rule, or should I tag connections/packets first in mangle and then have a filter rule drop those?
OK, I have implemented the filter as suggested, with connections getting marked and then dropped in the firewall.
It is blocking a large number of the botnet “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)” Apache requests; however, I'm still getting some through. I suspect this is because the packet content is getting split in two, or in some other way not meeting the criteria of the packet content matcher.
Does anybody have any suggestions for creating a layer 7 identifier for this kind of packet content?
As a backstory, this is the kind of crap I'm trying to block from my whole rack of servers without having to modify Apache:
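An added example of the mark-then-drop approach built on a layer7 matcher instead of the per-packet `content=` matcher (this is not from the thread; the rule names, the connection mark `botnet-ua` and TCP port 80 are assumptions). The layer7 matcher buffers the first packets of a connection before applying the regexp, which is what the per-packet content matcher cannot do when the User-Agent string is split across segments.

```routeros
# Layer7 pattern for the botnet User-Agent. Inside a CLI quoted string a
# backslash must be doubled, so "\\." reaches the regexp as "\." and "\\("
# as "\(" (hypothetical rule name).
/ip firewall layer7-protocol
add name=botnet-ua \
    regexp="Mozilla/4\\.0 \\(compatible; MSIE 6\\.0; Windows NT 5\\.1; SV1\\)"

# Mangle: mark the whole connection once the layer7 matcher fires.
# passthrough=no stops further mangle processing for matched packets so the
# regexp is not evaluated again on the same connection (assumed port 80).
/ip firewall mangle
add chain=prerouting protocol=tcp dst-port=80 layer7-protocol=botnet-ua \
    action=mark-connection new-connection-mark=botnet-ua passthrough=no \
    comment="mark connections carrying the botnet User-Agent"

# Filter: drop everything on a marked connection. Place this rule above any
# "accept established/related" rule, or the marked connection keeps flowing.
/ip firewall filter
add chain=forward connection-mark=botnet-ua action=drop \
    comment="drop botnet User-Agent connections"
```

The layer7 matcher is regex-heavy and runs on every packet of unmarked connections that hit the mangle rule, so keep its scope narrow (only the web ports, only the forward path to the servers) and check `/ip firewall filter print stats` to confirm the drop counter is climbing.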