blocking UDP packet

amoeba · #1 (**permalink**) 03-30-2009

I want to deny a particular malicious UDP packet. I can readily identify this packet from the rest by looking at the data section, where data offset 2 is 0xaa, data[5] is 0xbb, etc. Are there any tools or code samples that can do this?

Basically, instead of seeing the packet in the following tcpdump, I want to block it. I started to write a proxy but realized I would need to keep sessions and that's a nightmare. Is there an easier way to do this? The firewalls I've seen only block based on port, not on data payload.

tcpdump -i eth1 udp[2:1] = 0xaa and udp[5:2] = 0xbbcc

tomboy123 · #2 (**permalink**) 04-05-2009

Hey, from my understanding of how TCPDump and IPTables work, below is the path.

Internet > NIC > TCPDump > IPTables > Local System

Thus, blocking packets with IPTables will not stop them from showing in TCPDump.

Hope this helps!

sysgate · #3 (**permalink**) 04-06-2009

Correct, you will need to block the UDP traffic before it hits the local NIC, preferably via the nearest router or some IPS, if available.

More UNIX and Linux Forum Topics You Might Find Helpful
Thread	Thread Starter	Forum	Replies	Last Post
URL blocking with iptables	shrinuvas	Debian	1	03-06-2009 03:58 AM
Non-blocking pipe	cdlaforc	Shell Programming and Scripting	4	02-10-2009 10:52 AM
end-end packet delay?	yogesh_powar	IP Networking	4	12-13-2005 01:21 PM
Getting an ACK for RAW SYN packet	zampya	High Level Programming	17	05-24-2004 09:15 PM
Seeing IP packet	manjunath	IP Networking	4	09-15-2002 11:46 PM

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes	Rate This Thread
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode	Rate This Thread: