Michael Rash, Security Researcher

Chapter 4: Application Layer Attacks and Defense

The majority of today's attacks take advantage of the increasing complexity of applications that ride on top of the TCP/IP suite. This chapter illustrates classes of application layer attacks that iptables can be made to detect, and it introduces you to the iptables string match extension.

iptables rules that are built with commands like the following instruct iptables to match application layer data, and this is a main theme throughout the book:

[iptablesfw]# iptables -I INPUT 1 -p tcp --dport 5001 -m string --string "tester" --algo bm -m state --state ESTABLISHED -j LOG --log-prefix "tester"
[iptablesfw]# iptables -I INPUT 1 -p udp --dport 5002 -m string --hex-string "|a7a7a7a7a7a7a7a7a7a7|" --algo bm -j LOG --log-prefix "YEN "
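The following is an added example, not code from the book or from the iptables project, that models what the two rules above do when applied to packets: it decodes the --hex-string notation into bytes, searches with a Boyer-Moore-Horspool routine (the family --algo bm refers to), and honours the port, protocol and conntrack-state conditions before emitting an imitation LOG line. It assumes a simplified view of the kernel: only the application-layer payload is searched (the real string match scans from the start of the packet and accepts --from/--to offsets), the log format only imitates the kernel's, and the packets and addresses are constructed sample data.

```python
import re

# Added example (not from the book): a small model of how the iptables
# string match in the two rules above is applied to packet data. It
# simplifies real kernel behaviour: it searches only the application-layer
# payload (the kernel's string match scans from the packet start and honours
# --from/--to), and the LOG line format is an imitation, not the real one.


def parse_hex_string(pattern: str) -> bytes:
    """Decode iptables --hex-string syntax into raw bytes.

    Text outside '|...|' delimiters is literal; inside them, pairs of hex
    digits (spaces permitted) are decoded.  "|a7a7|" -> b'\\xa7\\xa7',
    "GET|20|/" -> b'GET /'.
    """
    parts = pattern.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in hex-string pattern")
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2 == 0:
            out.extend(part.encode("latin-1"))        # literal text
        else:
            digits = part.replace(" ", "")
            if len(digits) % 2 or not re.fullmatch(r"[0-9a-fA-F]*", digits):
                raise ValueError(f"bad hex segment: {part!r}")
            out.extend(bytes.fromhex(digits))
    return bytes(out)


def bmh_find(haystack: bytes, needle: bytes) -> int:
    """Boyer-Moore-Horspool search (the family behind --algo bm).

    Returns the offset of the first occurrence, or -1.
    """
    n, m = len(haystack), len(needle)
    if m == 0:
        return 0
    if m > n:
        return -1
    # Bad-character shift table, indexed by the last byte of the window.
    skip = [m] * 256
    for i in range(m - 1):
        skip[needle[i]] = m - 1 - i
    i = 0
    while i <= n - m:
        if haystack[i:i + m] == needle:
            return i
        i += skip[haystack[i + m - 1]]
    return -1


# The two rules from the text, as data.  "state" is the conntrack state the
# rule requires (None when the rule has no -m state clause).
RULES = [
    {"proto": "tcp", "dport": 5001, "needle": b"tester",
     "state": "ESTABLISHED", "prefix": "tester"},
    {"proto": "udp", "dport": 5002,
     "needle": parse_hex_string("|a7a7a7a7a7a7a7a7a7a7|"),
     "state": None, "prefix": "YEN "},
]

# Constructed sample packets (hypothetical addresses), one dict per packet.
SAMPLE_PACKETS = [
    {"proto": "tcp", "dport": 5001, "state": "ESTABLISHED",
     "src": "10.0.0.5", "payload": b"hello tester here"},
    {"proto": "tcp", "dport": 5001, "state": "NEW",          # not ESTABLISHED
     "src": "10.0.0.6", "payload": b"tester"},
    {"proto": "udp", "dport": 5002, "state": "NEW",
     "src": "10.0.0.7", "payload": b"\x00" * 4 + b"\xa7" * 10 + b"\x00"},
    {"proto": "udp", "dport": 5002, "state": "NEW",          # one byte short
     "src": "10.0.0.8", "payload": b"\xa7" * 9},
    {"proto": "tcp", "dport": 80, "state": "ESTABLISHED",    # wrong port
     "src": "10.0.0.9", "payload": b"tester"},
]


def apply_rules(packets, rules):
    """Return one imitation LOG line per (packet, rule) match."""
    logs = []
    for pkt in packets:
        for rule in rules:
            if pkt["proto"] != rule["proto"] or pkt["dport"] != rule["dport"]:
                continue
            if rule["state"] is not None and pkt["state"] != rule["state"]:
                continue
            off = bmh_find(pkt["payload"], rule["needle"])
            if off < 0:
                continue
            # The kernel prints the prefix immediately followed by "IN=", so a
            # prefix without a trailing space runs into the next field.
            logs.append(f'{rule["prefix"]}IN=eth0 SRC={pkt["src"]} '
                        f'PROTO={rule["proto"].upper()} DPT={rule["dport"]} '
                        f'MATCH_OFFSET={off}')
            # LOG is a non-terminating target, so later rules are still tried.
    return logs


if __name__ == "__main__":
    for line in apply_rules(SAMPLE_PACKETS, RULES):
        print(line)
```

Running it logs only the first TCP packet (ESTABLISHED, port 5001, "tester" at offset 6) and the first UDP packet (ten 0xa7 bytes at offset 4); the NEW-state TCP packet, the nine-byte UDP payload and the port-80 packet fall through. Note how the first rule's prefix "tester" runs straight into "IN=" while "YEN " keeps its trailing space; that is why log prefixes are usually written with a space at the end.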