Valhalla Legends Archive

Programming => General Programming => Topic started by: UserLoser. on October 12, 2004, 05:34 PM

Title: Packet filter
Post by: UserLoser. on October 12, 2004, 05:34 PM
How would I go about writing a packet filter?  I'm not sure how to monitor everything that happens on every incoming packet to your system.  I've been looking at iphlp things on MSDN, along with disassembling this application I got the other day which does everything I need for filtering, but doesn't do anything automatic like I'm looking for.  Basically, what I want to do is write my own filtering application which'll automatically filter incoming packets from X IP address after it sends TCP packets with SYN flag set so many times in X amount of time (resistance against SYN floods).
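A worked example of the per-source SYN-rate filter described in the question, added here and not part of the original thread: it parses raw Ethernet/IPv4/TCP frames the way a capture library such as WinPcap hands them to you, counts connection attempts per source inside a sliding time window, and drops everything from a source once it exceeds the threshold. The frame builder, addresses and thresholds are constructed for illustration only.

```python
import struct
from collections import defaultdict, deque

SYN, ACK = 0x02, 0x10

def parse_frame(frame):
    """Return (src_ip, tcp_flags) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b'\x08\x00':       # EtherType not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                                  # IP header length
    if ip[0] >> 4 != 4 or ip[9] != 6 or len(ip) < ihl + 20:   # not v4 / not TCP
        return None
    src = '.'.join(str(b) for b in ip[12:16])
    return src, ip[ihl + 13]                                  # TCP flags byte

class SynRateFilter:
    """Blocks a source once it sends more than max_syns SYNs within window_sec."""
    def __init__(self, max_syns, window_sec):
        self.max_syns, self.window = max_syns, window_sec
        self.syn_times = defaultdict(deque)   # src -> timestamps of recent SYNs
        self.blocked = set()

    def inspect(self, frame, now):
        """Return 'drop' or 'pass' for one captured frame seen at time `now`."""
        parsed = parse_frame(frame)
        if parsed is None:
            return 'pass'                     # not IPv4/TCP: outside this filter
        src, flags = parsed
        if src in self.blocked:
            return 'drop'                     # every packet from a blocked host
        if flags & SYN and not flags & ACK:   # pure SYN = new connection attempt
            times = self.syn_times[src]
            times.append(now)
            while now - times[0] > self.window:
                times.popleft()               # forget SYNs older than the window
            if len(times) > self.max_syns:
                self.blocked.add(src)
                return 'drop'
        return 'pass'

def build_frame(src_ip, flags=SYN):
    """Constructed test frame: zeroed MACs, 20-byte IPv4 and TCP headers, no checksums."""
    eth = bytes(12) + b'\x08\x00'
    src = bytes(int(o) for o in src_ip.split('.'))
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 40, 0, 0, 64, 6, 0, src, b'\x0a\x00\x00\x01')
    tcp = struct.pack('!HHIIBBHHH', 40000, 80, 1, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp
```

Feeding frames from a real capture loop in place of `build_frame` output is the only change needed to run this against live traffic; a production version would also expire entries from `blocked` after some time.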
Title: Re: Packet filter
Post by: iago on October 12, 2004, 05:39 PM
I use the iptables firewall/routing software on Linux to do that.  It's a kernel-mode firewall, and it's really flexible.  Not quite as flexible as I'd like, however, because it's layer 3 (can't analyze the actual data), but it's pretty nice.  And yes, you can do rate limiting.

Another option is a hardware IPS system.  We use Tipping Point at work, which also has rate limiting functionality.

How to do it on Windows for free, or for yourself, I'm not sure.
Title: Re: Packet filter
Post by: UserLoser. on October 12, 2004, 06:56 PM
I'm going to use WinPCap (http://winpcap.polito.it/).  Now it's just a matter of doing the filtering.
Title: Re: Packet filter
Post by: Adron on October 13, 2004, 02:45 AM
Quote from: iago on October 12, 2004, 05:39 PM
I use the iptables firewall/routing software on Linux to do that.  It's a kernel-mode firewall, and it's really flexible.  Not quite as flexible as I'd like, however, because it's layer 3 (can't analyze the actual data), but it's pretty nice.  And yes, you can do rate limiting.

Iptables can't analyze actual data? Isn't that just that you don't have the right condition module?
Title: Re: Packet filter
Post by: iago on October 13, 2004, 11:55 AM
Quote from: Adron on October 13, 2004, 02:45 AM
Quote from: iago on October 12, 2004, 05:39 PM
I use the iptables firewall/routing software on Linux to do that.  It's a kernel-mode firewall, and it's really flexible.  Not quite as flexible as I'd like, however, because it's layer 3 (can't analyze the actual data), but it's pretty nice.  And yes, you can do rate limiting.

Iptables can't analyze actual data? Isn't that just that you don't have the right condition module?

That's possible.  I read a fairly extensive tutorial on it, and it never went past IP and TCP stuff.
Title: Re: Packet filter
Post by: iago on October 21, 2004, 03:31 PM
http://uqconnect.net/~zzoklan/software/#net_tools

See SynAlert.  It's slightly different (alert for incoming connections), but it's kinda what you're looking for.