Blocking an attack with the iptables hex-string match
CPU load on a host kept climbing; it turned out MySQL was the one eating the CPU.
A look at MySQL's show processlist showed nothing but entries like this ↓
SELECT * FROM xxx WHERE xxx = 'UR1 /**/'/**/OR/**/1/**/GROUP/**/
Checking access_log showed the same request being attempted over and over ↓ (and the source IP kept changing)
/index.php?menu=modeltable&pro_kindc=UR1+%2F%2A%2A%2F%27%2F%2A%2A%2FOR%2F%2A%2A%2F1%2F%2A%2A%2FGROUP%2F%2A%2A%2FBY%2F%2A%2A%2FCONCAT%280x78664b41%2C%28SELECT%2F%2A%2A%2FMID%28IFNULL%28CAST%28COLUMN_NAME%2F%2A%2A%2FAS%2F%2A%2A%2FNCHAR%29%2C0x20%29%2C1%2C54%29%2F%2A%2A%2FFROM%2F%2A%2A%2FINFORMATION_SCHEMA.COLUMNS%2F%2A%2A%2FWHERE%2F%2A%2A%2FTABLE_SCHEMA%3D0x74657374%2F%2A%2A%2FAND%2F%2A%2A%2FTABLE_NAME%3D0x316563735f636f6d6d656e74%2F%2A%2A%2FAND%2F%2A%2A%2FCOLUMN_NAME%2F%2A%2A%2FLIKE%2F%2A%2A%2F%280x257061737325%29%2F%2A%2A%2FAND%2F%2A%2A%2FCOLUMN_NAME%2F%2A%2A%2FNOT%2F%2A%2A%2FLIKE%2F%2A%2A%2F%280x25696425%29%2F%2A%2A%2FAND%2F%2A%2A%2FCOLUMN_NAME%2F%2A%2A%2FNOT%2F%2A%2A%2FLIKE%2F%2A%2A%2F%280x25494425%29%2F%2A%2A%2FAND%2F%2A%2A%2FCOLUMN_NAME%2F%2A%2A%2FNOT%2F%2A%2A%2FLIKE%2F%2A%2A%2F%280x256c61737425%29%2F%2A%2A%2FAND%2F%2A%2A%2FCOLUMN_NAME%2F%2A%2A%2FNOT%2F%2A%2A%2FLIKE%2F%2A%2A%2F%280x256461746525%29%2F%2A%2A%2FAND%2F%2A%2A%2FCOLUMN_NAME%2F%2A%2A%2FNOT%2F%2A%2A%2FLIKE%2F%2A%2A%2F%280x2574696d6525%29%2F%2A%2A%2FAND%2F%2A%2A%2FCOLUMN_NAME%2F%2A%2A%2FNOT%2F%2A%2A%2FLIKE%2F%2A%2A%2F%280x256f7264657225%29%2F%2A%2A%2FAND%2F%2A%2A%2FCOLUMN_NAME%2F%2A%2A%2FNOT%2F%2A%2A%2FLIKE%2F%2A%2A%2F%280x257669657725%29%2F%2A%2A%2FAND%2F%2A%2A%2FCOLUMN_NAME%2F%2A%2A%2FNOT%2F%2A%2A%2FLIKE%2F%2A%2A%2F%280x2573656e6425%29%2F%2A%2A%2FAND%2F%2A%2A%2FCOLUMN_NAME%2F%2A%2A%2FNOT%2F%2A%2A%2FLIKE%2F%2A%2A%2F%280x257479706525%29%2F%2A%2A%2FAND%2F%2A%2A%2FCOLUMN_NAME%2F%2A%2A%2FNOT%2F%2A%2A%2FLIKE%2F%2A%2A%2F%280x25737461727425%29%2F%2A%2A%2FAND%2F%2A%2A%2FCOLUMN_NAME%2F%2A%2A%2FNOT%2F%2A%2A%2FLIKE%2F%2A%2A%2F%280x257261746525%29%2F%2A%2A%2FAND%2F%2A%2A%2FCOLUMN_NAME%2F%2A%2A%2FNOT%2F%2A%2A%2FLIKE%2F%2A%2A%2F%280x256175746f25%29%2F%2A%2A%2FAND%2F%2A%2A%2FCOLUMN_NAME%2F%2A%2A%2FNOT%2F%2A%2A%2FLIKE%2F%2A%2A%2F%280x25697025%29%2F%2A%2A%2FLIMIT%2F%2A%2A%2F1%29%2C0x7a615352%2CFLOOR%28RAND%280%29%2A2%29%29%2F%2A%2A%2FHAVING%2F%2A%2A%2FMIN%280%29%23--%2F%2A%2A%2F-
URL-decoding the link above turns it into something a bit more readable (it is one long string of MySQL syntax).
At the same time the site did not filter its parameters, so the database kept swallowing these queries and the CPU stayed pegged.
There are ways to deal with this.
The crude way: use MySQL's show processlist to find the ids of the offending queries, then kill them.
But by then the packets have already reached the application layer, so this cannot bring the CPU all the way down.
This is where the iptables hex-string match comes in.
First look at the packets with ↓
tcpdump dst port 80 -s0 -X
They look like this ↓
0x0020:  5010 a564 82c2 0000 4745 5420 2f69 6e64  P..d....GET./ind
0x0030:  6578 2e70 6870 3f6d 656e 753d 6d6f 6465  ex.php?menu=mode
0x0040:  6c74 6162 6c65 2670 726f 5f6b 696e 6463  ltable&pro_kindc
0x0050:  3d55 5231 2b25 3246 2532 4125 3241 2532  =UR1+%2F%2A%2A%2
(omitted)
Then take the hex from lines 2 to 4 (no normal user would ever send these strings; to be on the safe side you can take a few more lines)
6578 2e70 6870 3f6d 656e 753d 6d6f 6465 6c74 6162 6c65 2670 726f 5f6b 696e 6463 3d55 5231 2b25 3246 2532 4125 3241 2532
Condensed to ↓
65782e7068703f6d656e753d6d6f64656c7461626c652670726f5f6b696e64633d5552312b2532462532412532412532
That can then be fed to iptables to block it
iptables -A INPUT -p tcp --dport 80 -m string --algo bm --hex-string "|65782e7068703f6d656e753d6d6f64656c7461626c652670726f5f6b696e64633d5552312b2532462532412532412532|" -j LOG --log-prefix "Bad Packet:"
iptables -A INPUT -p tcp --dport 80 -m string --algo bm --hex-string "|65782e7068703f6d656e753d6d6f64656c7461626c652670726f5f6b696e64633d5552312b2532462532412532412532|" -j DROP
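The manual steps above (pick the tcpdump -X lines, drop the offset and ASCII columns, join the hex, wrap it in |...| for --hex-string) as a small Python helper. This is an added example, not code from the original post; the tcpdump lines embedded in it are re-typed from the dump shown above, and the 128-byte limit is the kernel xt_string pattern cap.

```python
import re

# Constructed sample input: the four `tcpdump dst port 80 -s0 -X` lines
# shown above, re-typed here so the script runs offline.
DUMP = """\
0x0020:  5010 a564 82c2 0000 4745 5420 2f69 6e64  P..d....GET./ind
0x0030:  6578 2e70 6870 3f6d 656e 753d 6d6f 6465  ex.php?menu=mode
0x0040:  6c74 6162 6c65 2670 726f 5f6b 696e 6463  ltable&pro_kindc
0x0050:  3d55 5231 2b25 3246 2532 4125 3241 2532  =UR1+%2F%2A%2A%2
"""

# xt_string in the kernel caps one pattern at 128 bytes and searches a single
# packet at a time, so the pattern must fit inside one segment of the request.
XT_STRING_MAX_PATTERN_SIZE = 128

def hex_of_line(line: str) -> str:
    """Hex bytes of one `tcpdump -X` line, minus offset and ASCII columns."""
    tokens = line.split()
    if not tokens or not tokens[0].endswith(":"):
        raise ValueError(f"not a tcpdump -X line: {line!r}")
    groups = []
    for tok in tokens[1:]:
        # a line carries at most 8 groups of 2 bytes; anything after them,
        # or the first non-hex token, is the ASCII column
        if len(groups) == 8 or not re.fullmatch(r"[0-9a-fA-F]{4}", tok):
            break
        groups.append(tok.lower())
    return "".join(groups)

def pattern_from_dump(dump: str, first: int, last: int) -> str:
    """Join lines first..last (1-based, inclusive), as the post does for 2-4."""
    lines = [l for l in dump.splitlines() if l.strip()]
    pattern = "".join(hex_of_line(l) for l in lines[first - 1:last])
    if len(pattern) // 2 > XT_STRING_MAX_PATTERN_SIZE:
        raise ValueError("pattern exceeds the xt_string limit; use fewer lines")
    return pattern

def decode(pattern: str) -> str:
    """What the bytes spell: check the match is attack-specific before loading it."""
    return bytes.fromhex(pattern).decode("ascii", errors="replace")

def iptables_rules(pattern: str, port: int = 80) -> list[str]:
    """The LOG and DROP rules in the same form as the post."""
    base = (f"iptables -A INPUT -p tcp --dport {port} -m string --algo bm "
            f'--hex-string "|{pattern}|"')
    return [base + ' -j LOG --log-prefix "Bad Packet:"', base + " -j DROP"]

if __name__ == "__main__":
    pat = pattern_from_dump(DUMP, 2, 4)
    print(decode(pat), *iptables_rules(pat), sep="\n")
```

Because the match runs per packet with no TCP stream reassembly and sees nothing inside TLS, the rule only fires when the chosen bytes arrive together in one plaintext segment; the LOG rule is there so you can confirm it is actually matching before relying on the DROP.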