
Iptables Drop hex string udp


I am facing some DoS attacks on my server. These are some sample packets from the pcap file:

0000   02 00 17 01 c1 5d 00 00 17 12 37 50 08 00 45 28   .....]....7P..E(
0010   01 6a da f9 40 00 32 11 c5 b2 9b 5e 9c e2 64 0a   .j..@.2....^..d.
0020   0a 64 c2 6b 2b 03 01 56 d9 5b 48 54 54 50 2f 31   .d.k+..V.[HTTP/1
0030   2e 31 20 32 30 30 20 4f 4b 0d 0a 45 58 54 3a 20   .1 200 OK..EXT: 
0040   0d 0a 44 41 54 45 3a 20 4d 6f 6e 2c 20 32 31 20   ..DATE: Mon, 21 
0050   4d 61 72 20 32 30 32 32 20 31 38 3a 33 38 3a 31   Mar 2022 18:38:1
0060   31 20 47 4d 54 0d 0a 43 41 43 48 45 2d 43 4f 4e   1 GMT..CACHE-CON
0070   54 52 4f 4c 3a 20 6d 61 78 2d 61 67 65 3d 37 32   TROL: max-age=72
0080   30 30 0d 0a 53 54 3a 20 75 70 6e 70 3a 72 6f 6f   00..ST: upnp:roo
0090   74 64 65 76 69 63 65 0d 0a 53 45 52 56 45 52 3a   tdevice..SERVER:
00a0   20 57 69 6e 64 6f 77 73 2f 31 30 2e 30 20 55 50    Windows/10.0 UP
00b0   6e 50 2f 31 2e 30 20 45 6d 62 79 53 65 72 76 65   nP/1.0 EmbyServe
00c0   72 2f 34 2e 35 0d 0a 55 53 4e 3a 20 75 75 69 64   r/4.5..USN: uuid
00d0   3a 64 62 38 36 63 30 36 62 2d 38 62 30 38 2d 34   :db86c06b-8b08-4
00e0   32 66 64 2d 62 63 65 64 2d 38 39 36 30 64 31 66   2fd-bced-8960d1f
00f0   65 34 30 62 39 3a 3a 75 70 6e 70 3a 72 6f 6f 74   e40b9::upnp:root
0100   64 65 76 69 63 65 0d 0a 43 6f 6e 74 65 6e 74 2d   device..Content-
0110   4c 65 6e 67 74 68 3a 20 30 0d 0a 4c 4f 43 41 54   Length: 0..LOCAT
0120   49 4f 4e 3a 20 68 74 74 70 3a 2f 2f 31 32 37 2e   ION: http://127.
0130   30 2e 30 2e 31 3a 38 30 39 36 2f 64 6c 6e 61 2f   0.0.1:8096/dlna/
0140   64 62 38 36 63 30 36 62 2d 38 62 30 38 2d 34 32   db86c06b-8b08-42
0150   66 64 2d 62 63 65 64 2d 38 39 36 30 64 31 66 65   fd-bced-8960d1fe
0160   34 30 62 39 2f 64 65 73 63 72 69 70 74 69 6f 6e   40b9/description
0170   2e 78 6d 6c 0d 0a 0d 0a                           .xml....

0000   02 00 17 01 c1 5d 00 00 17 12 37 50 08 00 45 28   .....]....7P..E(
0010   01 a1 17 86 40 00 2f 11 10 e5 26 41 8d 0a 64 0a   ....@./...&A..d.
0020   0a 64 d8 cd 2b 03 01 8d 82 27 48 54 54 50 2f 31   .d..+....'HTTP/1
0030   2e 31 20 32 30 30 20 4f 4b 0d 0a 45 58 54 3a 20   .1 200 OK..EXT: 
0040   0d 0a 44 41 54 45 3a 20 4d 6f 6e 2c 20 32 31 20   ..DATE: Mon, 21 
0050   4d 61 72 20 32 30 32 32 20 31 38 3a 33 38 3a 31   Mar 2022 18:38:1
0060   31 20 47 4d 54 0d 0a 43 41 43 48 45 2d 43 4f 4e   1 GMT..CACHE-CON
0070   54 52 4f 4c 3a 20 6d 61 78 2d 61 67 65 3d 37 32   TROL: max-age=72
0080   30 30 0d 0a 53 54 3a 20 75 72 6e 3a 73 63 68 65   00..ST: urn:sche
0090   6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 64 65 76   mas-upnp-org:dev
00a0   69 63 65 3a 4d 65 64 69 61 53 65 72 76 65 72 3a   ice:MediaServer:
00b0   31 0d 0a 53 45 52 56 45 52 3a 20 57 69 6e 64 6f   1..SERVER: Windo
00c0   77 73 2f 31 30 2e 30 20 55 50 6e 50 2f 31 2e 30   ws/10.0 UPnP/1.0
00d0   20 45 6d 62 79 53 65 72 76 65 72 2f 34 2e 35 0d    EmbyServer/4.5.
00e0   0a 55 53 4e 3a 20 75 75 69 64 3a 37 30 66 64 38   .USN: uuid:70fd8
00f0   65 36 33 2d 39 33 36 35 2d 34 61 33 35 2d 38 33   e63-9365-4a35-83
0100   33 61 2d 65 64 36 36 39 66 34 62 32 34 30 34 3a   3a-ed669f4b2404:
0110   3a 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e   :urn:schemas-upn
0120   70 2d 6f 72 67 3a 64 65 76 69 63 65 3a 4d 65 64   p-org:device:Med
0130   69 61 53 65 72 76 65 72 3a 31 0d 0a 43 6f 6e 74   iaServer:1..Cont
0140   65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 4c   ent-Length: 0..L
0150   4f 43 41 54 49 4f 4e 3a 20 68 74 74 70 3a 2f 2f   OCATION: http://
0160   31 37 32 2e 33 31 2e 34 39 2e 32 30 3a 38 30 39   172.31.49.20:809
0170   36 2f 64 6c 6e 61 2f 37 30 66 64 38 65 36 33 2d   6/dlna/70fd8e63-
0180   39 33 36 35 2d 34 61 33 35 2d 38 33 33 61 2d 65   9365-4a35-833a-e
0190   64 36 36 39 66 34 62 32 34 30 34 2f 64 65 73 63   d669f4b2404/desc
01a0   72 69 70 74 69 6f 6e 2e 78 6d 6c 0d 0a 0d 0a      ription.xml....

0000   02 00 17 01 c1 5d 00 00 17 12 37 50 08 00 45 28   .....]....7P..E(
0010   01 73 58 a1 40 00 31 11 4a ff 9b 5e 9a e5 64 0a   .sX.@.1.J..^..d.
0020   0a 64 75 a1 2b 03 01 5f 95 9e 48 54 54 50 2f 31   .du.+.._..HTTP/1
0030   2e 31 20 32 30 30 20 4f 4b 0d 0a 45 58 54 3a 20   .1 200 OK..EXT: 
0040   0d 0a 44 41 54 45 3a 20 4d 6f 6e 2c 20 32 31 20   ..DATE: Mon, 21 
0050   4d 61 72 20 32 30 32 32 20 31 38 3a 33 38 3a 31   Mar 2022 18:38:1
0060   31 20 47 4d 54 0d 0a 43 41 43 48 45 2d 43 4f 4e   1 GMT..CACHE-CON
0070   54 52 4f 4c 3a 20 6d 61 78 2d 61 67 65 3d 37 32   TROL: max-age=72
0080   30 30 0d 0a 53 54 3a 20 75 75 69 64 3a 39 30 31   00..ST: uuid:901
0090   36 32 36 35 35 2d 37 38 66 66 2d 34 39 34 65 2d   62655-78ff-494e-
00a0   61 35 36 34 2d 33 64 33 63 64 39 39 62 34 36 63   a564-3d3cd99b46c
00b0   37 0d 0a 53 45 52 56 45 52 3a 20 57 69 6e 64 6f   7..SERVER: Windo
00c0   77 73 2f 31 30 2e 30 20 55 50 6e 50 2f 31 2e 30   ws/10.0 UPnP/1.0
00d0   20 45 6d 62 79 53 65 72 76 65 72 2f 34 2e 35 0d    EmbyServer/4.5.
00e0   0a 55 53 4e 3a 20 75 75 69 64 3a 39 30 31 36 32   .USN: uuid:90162
00f0   36 35 35 2d 37 38 66 66 2d 34 39 34 65 2d 61 35   655-78ff-494e-a5
0100   36 34 2d 33 64 33 63 64 39 39 62 34 36 63 37 0d   64-3d3cd99b46c7.
0110   0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a   .Content-Length:
0120   20 30 0d 0a 4c 4f 43 41 54 49 4f 4e 3a 20 68 74    0..LOCATION: ht
0130   74 70 3a 2f 2f 31 32 37 2e 30 2e 30 2e 31 3a 38   tp://127.0.0.1:8
0140   30 39 36 2f 64 6c 6e 61 2f 39 30 31 36 32 36 35   096/dlna/9016265
0150   35 2d 37 38 66 66 2d 34 39 34 65 2d 61 35 36 34   5-78ff-494e-a564
0160   2d 33 64 33 63 64 39 39 62 34 36 63 37 2f 64 65   -3d3cd99b46c7/de
0170   73 63 72 69 70 74 69 6f 6e 2e 78 6d 6c 0d 0a 0d   scription.xml...
0180   0a                                                .

I tried using the command

iptables -t raw -A PREROUTING -i enp0s3 -p udp --dport 11011 -m string --hex-string '|485454502f31|' --algo bm -j DROP

But it was not working. Can anyone please help me with this?

Zareh Kasparian: do you have some other normal traffic on port 11011?

ph3ro: @ZarehKasparian Yes..
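To work out why a `-m string --hex-string` rule does or does not fire, it helps to rebuild the packet from the dump and check what the match actually sees. The following is an added example, not code from the question or from iptables itself: it parses a Wireshark-style hex dump (a constructed frame using documentation addresses, laid out like the question's first packet) and emulates `--dport` plus `--hex-string` with the default `--from 0` / `--to 65535` window, whose offsets count from the start of the IP header, which is where the netfilter hook hands the packet over. The function and dump names are assumptions of this example.

```python
"""Check whether an iptables '-m string --hex-string' rule would match a packet
taken from a Wireshark-style hex dump (the format pasted in the question)."""
import struct

# Constructed sample frame: Ethernet + IPv4 + UDP to port 11011 carrying the start
# of an SSDP "HTTP/1.1 200 OK" reply. Addresses are documentation ranges, not real hosts.
SAMPLE_DUMP = """\
0000   02 00 17 01 c1 5d 00 00 17 12 37 50 08 00 45 28   .....]....7P..E(
0010   00 2d da f9 40 00 32 11 00 00 c0 00 02 0a cb 00   .-..@.2.........
0020   71 07 c2 6b 2b 03 00 19 00 00 48 54 54 50 2f 31   q..k+.....HTTP/1
0030   2e 31 20 32 30 30 20 4f 4b 0d 0a                  .1 200 OK..
"""

def parse_hexdump(text):
    """Rebuild raw frame bytes. Columns 7..54 hold the 16 hex bytes of each line,
    so the ASCII column (which may look like hex) is never mistaken for data."""
    frame = bytearray()
    for line in text.splitlines():
        if len(line) < 7:
            continue
        frame += bytes.fromhex(line[7:54])
    return bytes(frame)

def string_match(frame, dport, hex_pattern, from_off=0, to_off=65535):
    """Emulate '-p udp --dport DPORT -m string --hex-string |HEX| --from F --to T'.
    Netfilter sees the packet from the IP header, so offsets are relative to it."""
    if frame[12:14] != b"\x08\x00":          # EtherType must be IPv4 (no VLAN tag assumed)
        return {"match": False, "reason": "not IPv4"}
    ip = frame[14:]                           # strip the 14-byte Ethernet header
    ihl = (ip[0] & 0x0F) * 4                  # IP header length in bytes
    if ip[9] != 17:                           # protocol 17 = UDP
        return {"match": False, "reason": "not UDP"}
    udp_dport = struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]
    pattern = bytes.fromhex(hex_pattern.strip("|"))
    idx = ip[from_off:to_off].find(pattern)   # search only inside the --from/--to window
    found = idx != -1
    return {"match": udp_dport == dport and found,
            "dport": udp_dport,
            "pattern_offset": from_off + idx if found else None,
            "payload_offset": ihl + 8}        # where the UDP payload begins

if __name__ == "__main__":
    print(string_match(parse_hexdump(SAMPLE_DUMP), 11011, "|485454502f31|"))
```

Run it against the real dumps from the capture to confirm the destination port and that the pattern sits inside the search window; if the emulation matches but the rule still shows zero hits in `iptables -t raw -L PREROUTING -v -n`, the problem is outside the match expression (interface name, table or hook order), not the hex string.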