Valhalla Legends Forums Archive | General Programming | Packet filter

UserLoser.
How would I go about writing a packet filter?  I'm not sure how to monitor everything that happens on every incoming packet to your system.  I've been looking at iphlp things on MSDN, along with disassembling this application I got the other day which does everything I need for filtering, but doesn't do anything automatic like I'm looking for.  Basically, what I want to do is write my own filtering application which'll automatically filter incoming packets from X IP address after it sends TCP packets with the SYN flag set so many times in X amount of time (resistance against SYN floods).
October 12, 2004, 10:34 PM
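The mechanism asked about above, as an added example that is not code from this thread, from WinPcap or from the application the poster disassembled: a per-source SYN rate tracker of the kind a capture callback would feed one frame at a time. It decodes Ethernet/IPv4/TCP headers, keeps a ring of the most recent SYN timestamps per source address, and flags a source once it sends more than SYN_THRESHOLD connection attempts inside WINDOW_SECS. The window, threshold, table size, the `IPV4()` macro and the frames built by `make_frame()` are all constructed here for illustration. One caveat worth knowing before building on a capture library: WinPcap and libpcap only observe traffic, so a "drop" decision from this code has to be handed to something that can actually block, such as a kernel filter driver or the host firewall.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SOURCES   64   /* hypothetical: sources tracked at once */
#define WINDOW_SECS   10   /* hypothetical: look at the last 10 seconds */
#define SYN_THRESHOLD 5    /* hypothetical: more than 5 SYNs in the window trips the filter */
#define FRAME_LEN     54   /* Ethernet(14) + IPv4 w/o options(20) + TCP w/o options(20) */
#define IPV4(a,b,c,d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

struct source_state {
    uint32_t ip;                      /* source address, host byte order */
    uint32_t recent[SYN_THRESHOLD];   /* ring of the most recent SYN timestamps (seconds) */
    int head;                         /* index of the oldest entry in recent[] */
    int count;                        /* valid entries in recent[] */
    int in_use;
    int blocked;
};

static struct source_state table[MAX_SOURCES];

void reset_table(void) { memset(table, 0, sizeof table); }

/* Find the state for ip, allocating a free slot on first sight; NULL when the table is full. */
static struct source_state *lookup(uint32_t ip)
{
    int free_slot = -1;
    for (int i = 0; i < MAX_SOURCES; i++) {
        if (table[i].in_use && table[i].ip == ip) return &table[i];
        if (!table[i].in_use && free_slot < 0) free_slot = i;
    }
    if (free_slot < 0) return NULL;
    table[free_slot].in_use = 1;
    table[free_slot].ip = ip;
    return &table[free_slot];
}

/* Decode an Ethernet/IPv4/TCP frame: fills the source address and whether it is a
   connection attempt (SYN set, ACK clear). Returns 0 for anything that is not IPv4/TCP. */
int parse_tcp(const uint8_t *frame, size_t len, uint32_t *src_ip, int *is_syn)
{
    if (len < FRAME_LEN) return 0;
    if (frame[12] != 0x08 || frame[13] != 0x00) return 0;    /* EtherType 0x0800 = IPv4 */
    const uint8_t *ip = frame + 14;
    if ((ip[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;                   /* IP header length incl. options */
    if (ihl < 20 || 14 + ihl + 20 > len) return 0;
    if (ip[9] != 6) return 0;                                  /* protocol 6 = TCP */
    const uint8_t *tcp = ip + ihl;
    *is_syn = (tcp[13] & 0x12) == 0x02;                        /* SYN without ACK */
    *src_ip = IPV4(ip[12], ip[13], ip[14], ip[15]);
    return 1;
}

/* Account for one SYN at time now (seconds, assumed non-decreasing). Returns 1 when this
   is SYN number SYN_THRESHOLD+1 inside the window, i.e. the source should be filtered. */
int record_syn(struct source_state *s, uint32_t now)
{
    if (s->count == SYN_THRESHOLD && now - s->recent[s->head] < WINDOW_SECS) {
        s->blocked = 1;
        return 1;
    }
    if (s->count < SYN_THRESHOLD) {
        s->recent[(s->head + s->count) % SYN_THRESHOLD] = now;
        s->count++;
    } else {
        s->recent[s->head] = now;                 /* overwrite the oldest, advance head */
        s->head = (s->head + 1) % SYN_THRESHOLD;
    }
    return 0;
}

/* What a capture callback would call per frame: 1 = drop, 0 = pass. */
int process_frame(const uint8_t *frame, size_t len, uint32_t now)
{
    uint32_t src; int is_syn;
    if (!parse_tcp(frame, len, &src, &is_syn)) return 0;  /* not TCP: outside this filter's scope */
    struct source_state *s = lookup(src);
    if (!s) return 0;                     /* table full: fail open; in practice log this */
    if (s->blocked) return 1;             /* everything from a flagged source is dropped */
    return is_syn ? record_syn(s, now) : 0;
}

/* Build a constructed 54-byte frame for testing (no checksums, never sent anywhere). */
void make_frame(uint8_t *buf, uint32_t src_ip, uint8_t tcp_flags)
{
    memset(buf, 0, FRAME_LEN);
    buf[12] = 0x08; buf[13] = 0x00;       /* IPv4 */
    uint8_t *ip = buf + 14;
    ip[0] = 0x45;                         /* version 4, IHL 5 */
    ip[9] = 6;                            /* TCP */
    ip[12] = src_ip >> 24; ip[13] = src_ip >> 16; ip[14] = src_ip >> 8; ip[15] = src_ip;
    ip[14 + 6 + 13 - 14 + 0] = ip[19];    /* no-op: keeps the offset arithmetic explicit above */
    uint8_t *tcp = ip + 20;
    tcp[12] = 0x50;                       /* data offset 5 */
    tcp[13] = tcp_flags;
}

/* Replays constructed traffic and returns how many frames the filter would drop. */
int demo(void)
{
    uint8_t f[FRAME_LEN];
    int dropped = 0;
    reset_table();
    for (uint32_t t = 0; t < 7; t++) {            /* 7 SYNs in 7 s from one source: 6th and 7th dropped */
        make_frame(f, IPV4(10,0,0,1), 0x02);
        dropped += process_frame(f, FRAME_LEN, t);
    }
    for (uint32_t t = 0; t < 18; t += 3) {        /* 6 SYNs over 15 s: never more than 5 per window */
        make_frame(f, IPV4(10,0,0,3), 0x02);
        dropped += process_frame(f, FRAME_LEN, t);
    }
    make_frame(f, IPV4(10,0,0,1), 0x12);          /* SYN/ACK from the flagged source: still dropped */
    dropped += process_frame(f, FRAME_LEN, 100);
    return dropped;                               /* 3 */
}

int main(void)
{
    printf("frames dropped: %d\n", demo());
    return 0;
}
```

The ring buffer is what makes the "N SYNs in T seconds" rule cheap: instead of storing every timestamp, each source keeps only the last SYN_THRESHOLD ones, and a new SYN trips the filter exactly when the oldest of those is still inside the window. A real deployment would also expire idle entries and un-block sources after a cooldown, neither of which is needed to show the counting logic.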
iago
I use the iptables firewall/routing software on Linux to do that.  It's a kernel-mode firewall, and it's really flexible.  Not quite as flexible as I'd like, however, because it's layer 3 (can't analyze the actual data), but it's pretty nice.  And yes, you can do rate limiting.

Another option is a hardware IPS system.  We use Tipping Point at work, which also has rate limiting functionality.

How to do it on Windows for free, or for yourself, I'm not sure.
October 12, 2004, 10:39 PM
UserLoser.
I'm going to use WinPCap.  Now it's just a matter of doing the filtering.
October 12, 2004, 11:56 PM
Adron
[quote author=iago link=topic=9122.msg84128#msg84128 date=1097620776]
I use the iptables firewall/routing software on Linux to do that.  It's a kernel-mode firewall, and it's really flexible.  Not quite as flexible as I'd like, however, because it's layer 3 (can't analyze the actual data), but it's pretty nice.  And yes, you can do rate limiting.
[/quote]

Iptables can't analyze actual data? Isn't that just that you don't have the right condition module?
October 13, 2004, 7:45 AM
iago
[quote author=Adron link=topic=9122.msg84185#msg84185 date=1097653506]
[quote author=iago link=topic=9122.msg84128#msg84128 date=1097620776]
I use the iptables firewall/routing software on Linux to do that.  It's a kernel-mode firewall, and it's really flexible.  Not quite as flexible as I'd like, however, because it's layer 3 (can't analyze the actual data), but it's pretty nice.  And yes, you can do rate limiting.
[/quote]

Iptables can't analyze actual data? Isn't that just that you don't have the right condition module?
[/quote]

That's possible.  I read a fairly extensive tutorial on it, and it never went past IP and TCP stuff.
October 13, 2004, 4:55 PM
iago
http://uqconnect.net/~zzoklan/software/#net_tools

See SynAlert.  It's slightly different (alert for incoming connections), but it's kinda what you're looking for.
October 21, 2004, 8:31 PM