Using tcpdump to find a string

I need to block certain TCP packets by trying to find a string match in them. Is there a way to do this with tcpdump? Or do I need to install Wireshark on my Linux server?

If I remember correctly, there is an iptables string module that I can use to block a string.

So far I have:

tcpdump -nn -vvv host 1.2.3.4

And I get:

01:05:19.877633 IP (tos 0x0, ttl 247, id 42359, offset 0, flags [none], proto TCP (6), length 40)
    202.100.175.28.25802 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x4d11), seq 3965212002, win 0, length 0
01:05:19.877742 IP (tos 0x0, ttl 247, id 42408, offset 0, flags [none], proto TCP (6), length 40)
    161.46.154.90.11937 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x4bab), seq 689933859, win 0, length 0
01:05:19.877761 IP (tos 0x0, ttl 247, id 42409, offset 0, flags [none], proto TCP (6), length 40)
    161.46.154.90.11937 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x4bab), seq 689933859, win 0, length 0
01:05:19.877774 IP (tos 0x0, ttl 247, id 42410, offset 0, flags [none], proto TCP (6), length 40)
    161.46.154.90.11937 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x4bab), seq 689933859, win 0, length 0
01:05:19.877786 IP (tos 0x0, ttl 247, id 42411, offset 0, flags [none], proto TCP (6), length 40)
    161.46.154.90.11937 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x4bab), seq 689933859, win 0, length 0
01:05:19.877790 IP (tos 0x0, ttl 247, id 42501, offset 0, flags [none], proto TCP (6), length 40)
    70.128.88.59.32838 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x0c5b), seq 3965212002, win 0, length 0
01:05:19.877806 IP (tos 0x0, ttl 247, id 42421, offset 0, flags [none], proto TCP (6), length 40)
    214.57.59.82.14806 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x6a73), seq 689933859, win 0, length 0
01:05:19.877811 IP (tos 0x0, ttl 247, id 42498, offset 0, flags [none], proto TCP (6), length 40)
    84.202.131.145.51796 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x1325), seq 689933859, win 0, length 0
01:05:19.877824 IP (tos 0x0, ttl 247, id 42423, offset 0, flags [none], proto TCP (6), length 40)
    214.57.59.82.14806 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x6a73), seq 689933859, win 0, length 0
01:05:19.877837 IP (tos 0x0, ttl 247, id 42431, offset 0, flags [none], proto TCP (6), length 40)
    214.57.59.82.14806 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x6a73), seq 689933859, win 0, length 0
01:05:19.877847 IP (tos 0x0, ttl 247, id 42433, offset 0, flags [none], proto TCP (6), length 40)
    214.57.59.82.14806 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x6a73), seq 689933859, win 0, length 0
01:05:19.877856 IP (tos 0x0, ttl 247, id 42437, offset 0, flags [none], proto TCP (6), length 40)
    214.57.59.82.14806 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x6a73), seq 689933859, win 0, length 0
01:05:19.877867 IP (tos 0x0, ttl 247, id 42424, offset 0, flags [none], proto TCP (6), length 40)
    80.188.185.57.48208 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x6516), seq 3965212002, win 0, length 0
01:05:19.877876 IP (tos 0x0, ttl 247, id 42432, offset 0, flags [none], proto TCP (6), length 40)
    80.188.185.57.48208 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x6516), seq 3965212002, win 0, length 0
01:05:19.877885 IP (tos 0x0, ttl 247, id 42440, offset 0, flags [none], proto TCP (6), length 40)
    80.188.185.57.48208 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x6516), seq 3965212002, win 0, length 0
01:05:19.878036 IP (tos 0x0, ttl 247, id 42518, offset 0, flags [none], proto TCP (6), length 40)
    70.128.88.59.32838 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x0c5b), seq 3965212002, win 0, length 0
01:05:19.878060 IP (tos 0x0, ttl 247, id 42530, offset 0, flags [none], proto TCP (6), length 40)
    70.128.88.59.32838 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x0c5b), seq 3965212002, win 0, length 0
01:05:19.878075 IP (tos 0x0, ttl 247, id 42578, offset 0, flags [none], proto TCP (6), length 40)
    32.210.70.16.53792 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x8d66), seq 1934111590, win 0, length 0
01:05:19.878174 IP (tos 0x0, ttl 247, id 42602, offset 0, flags [none], proto TCP (6), length 40)
    113.109.132.187.28017 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x62cf), seq 1934111590, win 0, length 0
01:05:19.878312 IP (tos 0x0, ttl 247, id 42586, offset 0, flags [none], proto TCP (6), length 40)
    32.210.70.16.53792 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x8d66), seq 1934111590, win 0, length 0
01:05:19.878501 IP (tos 0x0, ttl 247, id 42739, offset 0, flags [none], proto TCP (6), length 40)
    57.244.187.18.62521 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0xdd28), seq 1934111590, win 0, length 0
01:05:19.878527 IP (tos 0x0, ttl 247, id 42742, offset 0, flags [none], proto TCP (6), length 40)^C
    57.244.187.18.62521 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0xdd28), seq 1934111590, win 0, length 0

So I did this:

iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 1.2.3.4 -m ttl --ttl-eq=247 -j DROP

Is my approach to blocking the DDoS correct? So far it doesn't seem to be working.
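As an added example that is not part of the question or of either answer below, this Python script parses the two-line records that tcpdump -nn -vvv prints (the format of the capture above), tallies SYNs per source address and per TTL, and flags sequence numbers reused by different sources, which helps judge whether a filter keyed on TTL 247 would catch the flood and whether the SYNs look generated; the sample records are copied from the capture in the question.

```python
import re
from collections import Counter

# Records in "tcpdump -nn -vvv" format, copied from the capture in the question
# (the trailing ^C on the last header line is the interrupt echoed by the shell).
SAMPLE = """\
01:05:19.877633 IP (tos 0x0, ttl 247, id 42359, offset 0, flags [none], proto TCP (6), length 40)
    202.100.175.28.25802 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x4d11), seq 3965212002, win 0, length 0
01:05:19.877742 IP (tos 0x0, ttl 247, id 42408, offset 0, flags [none], proto TCP (6), length 40)
    161.46.154.90.11937 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x4bab), seq 689933859, win 0, length 0
01:05:19.877790 IP (tos 0x0, ttl 247, id 42501, offset 0, flags [none], proto TCP (6), length 40)
    70.128.88.59.32838 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0x0c5b), seq 3965212002, win 0, length 0
01:05:19.878527 IP (tos 0x0, ttl 247, id 42742, offset 0, flags [none], proto TCP (6), length 40)^C
    57.244.187.18.62521 > 1.2.3.4.80: Flags [S], cksum 0x0000 (incorrect -> 0xdd28), seq 1934111590, win 0, length 0
"""

HDR = re.compile(r"^(\S+) IP \(tos \S+, ttl (\d+),.*\)")
FLOW = re.compile(r"^\s+(\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\].*seq (\d+),")

def parse(text):
    """Yield one dict per packet; each packet spans two lines of -vvv output."""
    lines = text.splitlines()
    for i in range(0, len(lines) - 1, 2):
        h = HDR.match(lines[i])
        f = FLOW.match(lines[i + 1])
        if not (h and f):
            continue  # skip anything that is not a two-line IP/TCP record
        yield {"ts": h.group(1), "ttl": int(h.group(2)), "src": f.group(1),
               "dst": f.group(3), "dport": int(f.group(4)),
               "flags": f.group(5), "seq": int(f.group(6))}

def syn_summary(text):
    """Tally SYNs by source and TTL, and find sequence numbers reused across sources."""
    syns = [p for p in parse(text) if p["flags"] == "S"]
    seq_sources = {}
    for p in syns:
        seq_sources.setdefault(p["seq"], set()).add(p["src"])
    return {
        "syns": len(syns),
        "by_src": Counter(p["src"] for p in syns),
        "by_ttl": Counter(p["ttl"] for p in syns),
        # the same ISN from unrelated hosts is a sign of generated, not real, traffic
        "shared_seq": {s: src for s, src in seq_sources.items() if len(src) > 1},
    }

if __name__ == "__main__":
    print(syn_summary(SAMPLE))
```

Run it against a full capture (for example the output of tcpdump -r on a saved file) to see how many SYNs share the TTL you intend to filter on, and whether any other TTL values are present that the rule would miss.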

Answer 1

Just to clarify: blocking any kind of traffic does not require a traffic-capture tool such as tcpdump or Wireshark. You need a firewall such as Linux netfilter.

If you already know the string you want to block, you can use the -m string module in iptables. For example,

sudo iptables -A INPUT -m string --algo bm --string attack_string -j DROP

The above appends a new rule to the INPUT chain that drops packets containing attack_string anywhere. You need to be careful with this technique to avoid rejecting legitimate traffic. You are better off specifying --from and --to for a more precise match. This is documented in detail in man iptables.

Answer 2

tcpdump is one of the standard tools for this purpose (that is, looking at packets to find a string in them). Remember to use the -s 0 flag to capture whole packets. I usually write the captured packets to a file (e.g. tcpdump -s 0 -w /tmp/tcpdump.out) so that I can read the file at my leisure (tcpdump -r /tmp/tcpdump.out -A | more).
