Using tcpdump to find strings


I want just to clarify that blocking any type of traffic does not require using a traffic-capturing tool like tcpdump or Wireshark. You need to use a firewall like Linux netfilter.

If you already know the string you want to block, you can use the -m string module in iptables. For example,

sudo iptables -A INPUT -m string --algo bm --string attack_string -j DROP

The above rule appends a new rule to the INPUT chain to drop packets containing attack_string in any position. You need to be careful about using this technique to avoid denying legitimate traffic. You may prefer to specify --from and --to for more accurate matching. This is well documented in man iptables.

Author: Jake Thomas

Updated on September 18, 2022

Comments

  • Jake Thomas
    Jake Thomas over 1 year

    I need to block certain TCP packets by trying to find a string match in and on them. Is there a way to do that with tcpdump? Or do I need Wireshark installed on my Linux server?

    Once I have the string, iptables can be used to block a string, if I remember correctly.


    So far I have:

    tcpdump -nn -vvv host 1.2.3.4
    

    and I got:

    01:05:19.877633 IP (tos 0x0, ttl 247, id 42359, offset 0, flags [none], proto TCP (6), length 40)
        202.100.175.28.25802 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x4d11), seq 3965212002, win 0, length 0
    01:05:19.877742 IP (tos 0x0, ttl 247, id 42408, offset 0, flags [none], proto TCP (6), length 40)
        161.46.154.90.11937 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x4bab), seq 689933859, win 0, length 0
    01:05:19.877761 IP (tos 0x0, ttl 247, id 42409, offset 0, flags [none], proto TCP (6), length 40)
        161.46.154.90.11937 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x4bab), seq 689933859, win 0, length 0
    01:05:19.877774 IP (tos 0x0, ttl 247, id 42410, offset 0, flags [none], proto TCP (6), length 40)
        161.46.154.90.11937 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x4bab), seq 689933859, win 0, length 0
    01:05:19.877786 IP (tos 0x0, ttl 247, id 42411, offset 0, flags [none], proto TCP (6), length 40)
        161.46.154.90.11937 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x4bab), seq 689933859, win 0, length 0
    01:05:19.877790 IP (tos 0x0, ttl 247, id 42501, offset 0, flags [none], proto TCP (6), length 40)
        70.128.88.59.32838 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x0c5b), seq 3965212002, win 0, length 0
    01:05:19.877806 IP (tos 0x0, ttl 247, id 42421, offset 0, flags [none], proto TCP (6), length 40)
        214.57.59.82.14806 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x6a73), seq 689933859, win 0, length 0
    01:05:19.877811 IP (tos 0x0, ttl 247, id 42498, offset 0, flags [none], proto TCP (6), length 40)
        84.202.131.145.51796 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x1325), seq 689933859, win 0, length 0
    01:05:19.877824 IP (tos 0x0, ttl 247, id 42423, offset 0, flags [none], proto TCP (6), length 40)
        214.57.59.82.14806 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x6a73), seq 689933859, win 0, length 0
    01:05:19.877837 IP (tos 0x0, ttl 247, id 42431, offset 0, flags [none], proto TCP (6), length 40)
        214.57.59.82.14806 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x6a73), seq 689933859, win 0, length 0
    01:05:19.877847 IP (tos 0x0, ttl 247, id 42433, offset 0, flags [none], proto TCP (6), length 40)
        214.57.59.82.14806 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x6a73), seq 689933859, win 0, length 0
    01:05:19.877856 IP (tos 0x0, ttl 247, id 42437, offset 0, flags [none], proto TCP (6), length 40)
        214.57.59.82.14806 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x6a73), seq 689933859, win 0, length 0
    01:05:19.877867 IP (tos 0x0, ttl 247, id 42424, offset 0, flags [none], proto TCP (6), length 40)
        80.188.185.57.48208 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x6516), seq 3965212002, win 0, length 0
    01:05:19.877876 IP (tos 0x0, ttl 247, id 42432, offset 0, flags [none], proto TCP (6), length 40)
        80.188.185.57.48208 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x6516), seq 3965212002, win 0, length 0
    01:05:19.877885 IP (tos 0x0, ttl 247, id 42440, offset 0, flags [none], proto TCP (6), length 40)
        80.188.185.57.48208 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x6516), seq 3965212002, win 0, length 0
    01:05:19.878036 IP (tos 0x0, ttl 247, id 42518, offset 0, flags [none], proto TCP (6), length 40)
        70.128.88.59.32838 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x0c5b), seq 3965212002, win 0, length 0
    01:05:19.878060 IP (tos 0x0, ttl 247, id 42530, offset 0, flags [none], proto TCP (6), length 40)
        70.128.88.59.32838 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x0c5b), seq 3965212002, win 0, length 0
    01:05:19.878075 IP (tos 0x0, ttl 247, id 42578, offset 0, flags [none], proto TCP (6), length 40)
        32.210.70.16.53792 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x8d66), seq 1934111590, win 0, length 0
    01:05:19.878174 IP (tos 0x0, ttl 247, id 42602, offset 0, flags [none], proto TCP (6), length 40)
        113.109.132.187.28017 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x62cf), seq 1934111590, win 0, length 0
    01:05:19.878312 IP (tos 0x0, ttl 247, id 42586, offset 0, flags [none], proto TCP (6), length 40)
        32.210.70.16.53792 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x8d66), seq 1934111590, win 0, length 0
    01:05:19.878501 IP (tos 0x0, ttl 247, id 42739, offset 0, flags [none], proto TCP (6), length 40)
        57.244.187.18.62521 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0xdd28), seq 1934111590, win 0, length 0
    01:05:19.878527 IP (tos 0x0, ttl 247, id 42742, offset 0, flags [none], proto TCP (6), length 40)^C
        57.244.187.18.62521 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0xdd28), seq 1934111590, win 0, length 0
    

    so I do this:

    iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 1.2.3.4 -m ttl --ttl-eq=247 -j DROP
    

    Am I on the right track to block a DDoS? So far it does not seem to be working.

    • jwbensley
      jwbensley about 11 years
      You said you wanted to block based on a string, but you haven't used a string in your question example? tcpdump will capture packets based on the filter options you provide it. If you want to filter packets by looking for a specific string consider using ngrep, it's much better than tcpdump for this. If you want to create an iptables rule that blocks by a string you need to be more specific. What string, a string within a packet? In the example you have given you are blocking by destination IP. What are you trying to achieve here? If it is DDoS mitigation then yes you can block by a...
    • jwbensley
      jwbensley about 11 years
      string. Change your tcpdump command to something like tcpdump -nlASX -s 0 -vvv port 80 and assuming these are HTTP requests you could block the string for the HTTP requests. You would need to find something unique about these attacks, a pattern to match, to give you something to filter and block by.
    • David Schwartz
      David Schwartz about 11 years
      Whether or not you're on the right track to block a DDoS depends on how the DDoS is hurting you. For example, if it's hurting you by saturating your inbound bandwidth and this filter is on your side of that link, you're totally on the wrong track because the attack packets have already consumed your inbound bandwidth before you drop them!
  • EEAA
    EEAA about 11 years
    Tcpdump is a standard tool for blocking packets? I think not.
  • Jenny D
    Jenny D about 11 years
    No, but for reading the packet to find the strings that will then be used in iptables to block the packet. Which was the actual question being asked.
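The capture in the question is a SYN flood: every record is a bare SYN with TCP payload length 0, so -m string has no bytes to inspect and any rule has to key on header fields instead, which is what the comments mean by "find something unique about these attacks". As an added example (not from the question or the answers), this Python script parses the two-line records that tcpdump -vvv prints and tallies the header fields the flood shares; the sample is constructed in the same layout as the question's capture, with one normal-looking SYN added for contrast.

```python
import re
from collections import Counter

# Constructed sample in the two-line format of "tcpdump -nn -vvv host 1.2.3.4".
# The first three records mirror the question's flood; the last is a normal SYN.
SAMPLE = """\
01:05:19.877633 IP (tos 0x0, ttl 247, id 42359, offset 0, flags [none], proto TCP (6), length 40)
    202.100.175.28.25802 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x4d11), seq 3965212002, win 0, length 0
01:05:19.877742 IP (tos 0x0, ttl 247, id 42408, offset 0, flags [none], proto TCP (6), length 40)
    161.46.154.90.11937 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x4bab), seq 689933859, win 0, length 0
01:05:19.877761 IP (tos 0x0, ttl 247, id 42409, offset 0, flags [none], proto TCP (6), length 40)
    161.46.154.90.11937 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x4bab), seq 689933859, win 0, length 0
01:05:20.100000 IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.0.5.40000 > 1.2.3.4.80: Flags [S], cksum 0x1234 (correct), seq 1, win 29200, length 0
"""

# First line of a record: IP header summary.
HDR = re.compile(r"^(?P<ts>\S+) IP \(.*?ttl (?P<ttl>\d+), id (?P<id>\d+),.*?length (?P<iplen>\d+)\)")
# Second line of a record: TCP summary (indented by tcpdump).
TCP = re.compile(r"^\s+(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
                 r"Flags \[(?P<flags>[^\]]*)\], cksum \S+ \((?P<ck>[^)]*)\), seq (?P<seq>\d+), "
                 r"win (?P<win>\d+), length (?P<plen>\d+)")

def parse(text):
    """Pair header/TCP lines into dicts; records that do not match are skipped."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    pkts = []
    for hdr, tcp in zip(lines[0::2], lines[1::2]):
        h, t = HDR.match(hdr), TCP.match(tcp)
        if not (h and t):
            continue
        d = {**h.groupdict(), **t.groupdict()}
        for k in ("ttl", "id", "sport", "dport", "iplen", "seq", "win", "plen"):
            d[k] = int(d[k])
        pkts.append(d)
    return pkts

def summarize(pkts):
    """Tally header values; a value shared by many distinct sources is a candidate
    for a narrow match (e.g. -m ttl), while with_payload tells whether -m string
    could match anything at all."""
    return {
        "sources": len({p["src"] for p in pkts}),
        "ttl": Counter(p["ttl"] for p in pkts),
        "win": Counter(p["win"] for p in pkts),
        "bad_cksum": sum(p["ck"].startswith("incorrect") for p in pkts),
        "with_payload": sum(p["plen"] > 0 for p in pkts),
    }

if __name__ == "__main__":
    print(summarize(parse(SAMPLE)))
```

Run it against a saved capture (tcpdump -nn -vvv ... > flood.txt) to see which header values dominate before choosing a match module.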