Linux Firewalls - Michael Rash [45]

that cannot be represented by printable ASCII characters; in order to simulate such exploits as they are sent across the wire, we need the ability to generate the same bytes from our client.

For example, suppose that you need to send a string of 10 identical non-ASCII bytes, hex A7, to a UDP server listening on port 5002, and that you want iptables to match on those bytes. (In the ISO 8859-9 character set, type man iso_8859-9 at a command prompt, hex A7 is the section sign and the yen sign is hex A5; because the string match compares raw bytes rather than characters, the choice of byte does not change the mechanics, and we keep YEN as the log prefix.) The commands below do the trick.

We first execute iptables with the --hex-string argument, giving the bytes in hex between | characters; the string match also requires an --algo argument (bm for Boyer-Moore or kmp for Knuth-Morris-Pratt):

[iptablesfw]# iptables -I INPUT 1 -p udp --dport 5002 -m string --hex-string "|a7a7a7a7a7a7a7a7a7a7|" --algo bm -j LOG --log-prefix "YEN "

Next, we spawn a UDP server on port 5002.[28] (The -l -p form below is traditional Netcat syntax; the OpenBSD variant takes the listening port as a positional argument, nc -u -l 5002.) Finally, we use a Perl command to generate a series of 10 hex A7 bytes, and we pipe that output through Netcat to send it over the network to the UDP server:

[iptablesfw]$ nc -u -l -p 5002

[ext_scanner]$ perl -e 'print "\xa7"x10' | nc -u 71.157.X.X 5002

Sure enough, iptables matches the traffic, as you can see by the syslog log message (note the YEN log prefix):

[iptablesfw]# tail /var/log/messages | grep YEN

Jul 11 04:15:14 iptablesfw kernel: YEN IN=eth0 OUT= MAC=00:13:d3:38:b6:e4:00:30:48:80:4e:37:08:00 SRC=144.202.X.X DST=71.157.X.X LEN=38 TOS=0x00 PREC=0x00 TTL=64 ID=37798 DF PROTO=UDP SPT=47731 DPT=5002 LEN=18
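The same procedure as a reusable shell helper, added here as an example and not taken from the book: it builds the |hex| argument for the string match, emits the raw bytes for the client with portable printf instead of the one-off Perl command (so any byte value, not only A7, can be used), and reads the UDP payload length back out of the kernel LOG line as a sanity check (the second LEN= field is the UDP length, which includes the 8-byte UDP header, so 10 payload bytes appear as LEN=18). The RUN and TARGET variables, the 192.0.2.1 placeholder address and the function names are assumptions of this example; the rule insertion and the send are skipped unless RUN=1, since iptables needs root.

```shell
#!/bin/sh
# Added example (not the book's code): generate identical bytes for the
# iptables --hex-string rule and for the Netcat client, and check the log.
# Assumptions: RUN=1 enables the privileged steps; TARGET is a placeholder.

# hex_repeat BYTE COUNT: COUNT copies of one hex byte, e.g. a7 10 -> a7a7...a7
hex_repeat() {
    _byte=$1; _n=$2; _out=''
    while [ "$_n" -gt 0 ]; do
        _out="${_out}${_byte}"
        _n=$((_n - 1))
    done
    printf '%s' "$_out"
}

# iptables_hex_string HEX: wrap the hex digits in the |...| delimiters that
# -m string --hex-string expects (printable text may appear outside them).
iptables_hex_string() {
    printf '|%s|' "$1"
}

# log_rule HEX PORT PREFIX: the iptables command that logs matching UDP
# datagrams; --algo is mandatory for the string match (bm or kmp).
log_rule() {
    printf 'iptables -I INPUT 1 -p udp --dport %s -m string --hex-string "%s" --algo bm -j LOG --log-prefix "%s "' \
        "$2" "$(iptables_hex_string "$1")" "$3"
}

# hex_to_raw HEX: write the raw bytes on stdout. Each hex pair is turned into
# an octal escape for printf, which works in any POSIX shell without Perl.
hex_to_raw() {
    _hex=$1
    while [ -n "$_hex" ]; do
        _pair=${_hex%"${_hex#??}"}       # first two hex digits
        _hex=${_hex#??}                   # drop them from the remainder
        _oct=$(printf '%03o' "$((0x$_pair))")
        printf "\\$_oct"
    done
}

# udp_payload_len LOGLINE: payload bytes reported by a kernel LOG line for a
# UDP datagram. The LEN= after PROTO=UDP is the UDP length (header + data).
udp_payload_len() {
    _udp_len=$(printf '%s\n' "$1" | sed -n 's/.*PROTO=UDP.*LEN=\([0-9][0-9]*\).*/\1/p')
    [ -n "$_udp_len" ] || return 1
    echo $((_udp_len - 8))
}

# Sample log line, copied from the book's output above (constructed input for
# the parser, not live traffic).
SAMPLE_LOG='Jul 11 04:15:14 iptablesfw kernel: YEN IN=eth0 OUT= MAC=00:13:d3:38:b6:e4:00:30:48:80:4e:37:08:00 SRC=144.202.X.X DST=71.157.X.X LEN=38 TOS=0x00 PREC=0x00 TTL=64 ID=37798 DF PROTO=UDP SPT=47731 DPT=5002 LEN=18'

PAYLOAD=$(hex_repeat a7 10)

# Show the rule; insert it and send the datagram only when RUN=1.
log_rule "$PAYLOAD" 5002 YEN; echo
if [ "${RUN:-0}" = 1 ]; then
    sh -c "$(log_rule "$PAYLOAD" 5002 YEN)"                 # root on the firewall
    hex_to_raw "$PAYLOAD" | nc -u "${TARGET:-192.0.2.1}" 5002  # placeholder target
fi

# 10 payload bytes should show up as UDP LEN=18, i.e. 10 after the header.
echo "payload bytes logged: $(udp_payload_len "$SAMPLE_LOG")"
```

Because hex_to_raw emits bytes through printf octal escapes, it also handles values such as 0a that would otherwise be mangled by the shell, and the same PAYLOAD string feeds both the rule and the client, so the two sides cannot drift apart.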

* * *

[27] The Boyer-Moore string search algorithm generally outperforms the Knuth-Morris-Pratt algorithm for most string-matching needs. The best-case performance of BM is O(n/m), whereas the best-case performance of KMP is O(n), where n is the length of the searched text and m is the length of the search string. There are some good performance graphs at http://people.netfilter.org/pablo/textsearch.

[28] Technically we don't need to spawn a UDP server here, because data is sent over a UDP socket without having to establish a connection first, so iptables will see the UDP packet that contains the hex A7 bytes regardless of whether a server is listening in user space. Note also that we did not need to add an ACCEPT rule to the policy for the log message to be generated (although the data does not make it through our default DROP policy to the server in user space). If you want to see how Netcat represents the data on the server side of the connection, you will need to add an ACCEPT rule for UDP port 5002.

Application Layer Attack Definitions

We define an application layer attack as an effort to subvert an application, an application user, or data managed by an application for purposes other than those sanctioned by the application owner or administrator. Application layer attacks do not usually depend on leveraging techniques at lower layers, although such techniques (such as IP spoofing or TCP session splicing) are sometimes used to change the way application layer attacks are delivered to the target.

Application layer attacks are often made possible because programmers are under pressure to release code under strict deadlines, and not enough time is left over for rooting out bugs that result in security vulnerabilities. In addition, many programmers do not consider the implications of using certain language constructs that can expose an application to attack in non-obvious ways. Finally, many applications have complex configurations, and security can be reduced by inexperienced users who deploy applications with risky options enabled.

Application layer attacks fall into one of three categories:

Exploits for programming bugs

Application development is a complex endeavor, and inevitably programming errors are made. In some cases, these bugs can cause serious vulnerabilities that are remotely accessible over the network. Good examples include a buffer overflow vulnerability derived from the usage of an unsafe C library function, web-centric vulnerabilities such as a webserver that passes
