Need To Make A Simple IP Blocker
Posted 08 May 2010 - 06:39 AM
Well to start with, I'm developing a tool that prevents Denial of Service attacks. Considering the scope of the project, I'm just sticking to TCP SYN flood DoS attack. I've coded the flooding part in Linux. The prevention engine, which I call the DoS engine, is completely coded in Visual C++ 2005. The functionality of the DoS engine was to detect the attacker's IP address and block it from sending more packets. But till now, I'm only able to detect the incoming packets.
So, I'm in need of guidance or source code (which will be a lot better) to block IP addresses. I came across many tools that do this, but they are fully fledged firewalls. What I need is a simple tool, with one text box and one button, that accepts IP address or a range of IP addresses and blocks it from sending packets. I tried searching for help regarding terminating a logical connection with a computer in the network, but with no fruits.
Urgent help will be greatly appreciated.
Posted 18 May 2010 - 02:02 PM
Oh I have done some tools on my site, many C++ and open source so take a look you may get some ideas.
These are the ways I've figured will work:
Blocking it by external application level (not a great idea but could work), meaning if for instance you're running a web-server creating an external process to the relevant application software to block the IP address(s) but this isn't great because it's relying upon other applications to be able to do this.
The better option would be to measure how many packets/sockets are being created by a specific host and if it's a threat, close the connection(s), possibly save IP to a blacklist file and check on certain intervals if it's connected - if so, kill the connection to the IP address(s) in file... but it's only a temporary here's a pseudo example:
LISTEN FOR CONNECTION(S)
KILL CONNECTION<-YES--NO -> CONTINUE
GET IP AND SAVE TO BAN LIST
USE EXTERN OR SAME PROG TO GET LIST, GO THROUGH
CHECK BELOW REGULARLY
IP FROM LIST CONNECTED? YES -> KILL CONNECTION NO -> CHECK NEXT IP
Security professional, Programmer
Posted 06 November 2010 - 04:18 PM
Since you mentioned the Visual Studio IDE I'll assume you're using some version of Windows; you need to write a kernel driver (NDIS) to be able to just close off sockets like that for the entire system, so look into writing kernel modules and NDIS filter intermediate drivers. There really isn't any "EASY BLOCK ALL PACKETS" type deal in usermode, especially for Microsoft crap. Here's a little page I found that should give you some more insight on NDIS Filtering tactics in the NT Kernel (A little dated, but you'll still accumulate the necessary knowledge). http://www.ntkernel....m/w&p.php?id=14
Also if it helps, I have a little Linux shell script that works in conjunction with iptables to block malicious addresses.
Posted 10 March 2011 - 12:17 AM
Using Sockets to listen on the port of your choice, log all incoming connections. If one IP exceeds a certain number of HTTP Requests, add the IP to a Blacklist.
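The count-then-blacklist decision suggested in the replies above, together with the manual "IP or range" block the first post asks for, as an added C++ example that is not code from any poster. The names `SynGuard`, `parse_entry` and `ip4` and the limit and window values are assumptions; the class only decides whether a source is blocked, and actually dropping packets is left to the driver or firewall layer the thread discusses.

```cpp
#include <cstdint>
#include <cstdio>
#include <deque>
#include <string>
#include <unordered_map>
#include <unordered_set>
#include <vector>

// Added example, hypothetical names. Addresses are host-order IPv4 integers.
constexpr uint32_t ip4(uint32_t a, uint32_t b, uint32_t c, uint32_t d) { return (a << 24) | (b << 16) | (c << 8) | d; }
// Parse operator input "a.b.c.d" or "a.b.c.d/len" into (network, mask).
bool parse_entry(const std::string& s, uint32_t& net, uint32_t& mask) {
    if (s.find_first_not_of("0123456789./") != std::string::npos) return false;
    unsigned a, b, c, d, len = 32; int p4 = -1, p5 = -1;
    int n = std::sscanf(s.c_str(), "%3u.%3u.%3u.%3u%n/%2u%n", &a, &b, &c, &d, &p4, &len, &p5);
    if (n < 4 || (n == 4 ? p4 : p5) != (int)s.size()) return false;  // reject trailing junk
    if (a > 255 || b > 255 || c > 255 || d > 255 || len > 32) return false;
    mask = len ? ~0u << (32 - len) : 0;
    net = ip4(a, b, c, d) & mask;
    return true;
}

class SynGuard {
    size_t limit_; uint64_t window_ms_;
    std::vector<std::pair<uint32_t, uint32_t>> ranges_;          // operator (net, mask) entries
    std::unordered_set<uint32_t> banned_;                        // sources banned for rate
    std::unordered_map<uint32_t, std::deque<uint64_t>> recent_;  // SYN times per source
public:
    SynGuard(size_t limit, uint64_t window_ms) : limit_(limit), window_ms_(window_ms) {}
    bool block(const std::string& entry) {   // manual block of one IP or a CIDR range
        uint32_t net, mask;
        if (!parse_entry(entry, net, mask)) return false;
        ranges_.emplace_back(net, mask);
        return true;
    }
    bool is_blocked(uint32_t src) const {
        for (const auto& r : ranges_) if ((src & r.second) == r.first) return true;
        return banned_.count(src) != 0;
    }
    // Count one SYN from src; true means drop it (already blocked or over the limit).
    bool on_syn(uint32_t src, uint64_t now_ms) {
        if (is_blocked(src)) return true;
        auto& q = recent_[src];
        while (!q.empty() && now_ms - q.front() >= window_ms_) q.pop_front();  // slide window
        q.push_back(now_ms);
        if (q.size() <= limit_) return false;
        banned_.insert(src); recent_.erase(src);  // over the limit: ban, free the counter
        return true;
    }
};
```

SYN floods commonly use spoofed source addresses, so a per-source table like this one needs a size cap and ban expiry before it is used on real traffic; otherwise the table itself can be exhausted or used to get legitimate addresses banned.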