1. Is there some reason that you can't setup your security box as a proxy, using HTTP::Proxy? Your proxy can then maintain a 'blacklist' of non-redirected requests
2. I suppose you could send a RST or a FIN packet to the 'evil box'. As long as you know something about IP, you can send these via a 'raw' IP socket. The standard Socket::* modules handle these operations

Any one of you guys have a good example of a socket module sending FIN or RST as mentioned in the thread? Thank you guys for all the response!!!

Not so good, but here it is:

use strict;
use warnings;
use Net::RawIP;

my $n = Net::RawIP->new(
    {
        ip => {
            saddr => '192.168.1.33',
            daddr => '192.168.1.1',
        },
        tcp => {
            source  => 80,
            dest    => 22222,
            seq     => 12345,
            rst     => 1,
        },
    }
);
$n->send;
$n->ethnew("wlan0");
$n->ethset( source => '00:11:22:33:44:55', dest => '00:12:23:34:45:56'
+ );
$n->ethsend;
[download]

As brother zwon has indicated above, the Net::RawIP module (and all its many friends) allows you to drive libpcap -- which appears to be pretty comprehensive...

I think your best bet is to send a RST in both directions -- telling your server, as soon as possible, to give up and telling the client to "go away". I guess you're then going to keep a look out for the "evil" IP address and bounce all further TCP open requests ?

You'll have to concentrate on the sequence numbers, and getting your RST packets in promptly -- I seem to remember that stacks will accept RST even if the sequence number is not exactly as expected... but I cannot remember the range of this tolerance.

On some systems you can open a raw socket: socket $ETH, PF_INET, SOCK_RAW, IPPROTO_RAW (where IPPROTO_RAW is 255). This socket can be used for output only. You can then send entire IP packets (complete with IP header) via the socket. The socket will fill in these IP header fields: (a) checksum; (b) source address, if zero; (c) packet id, if zero; and (d) total length. The socket will then send out the packet as per the destination address. If your system supports it, you may or may not find this easier than getting to grips with Net::RawIP et al.

The enclosed code certainly sends packets as required from my Linux box. YMMV. To do what you want requires picking apart the IP and TCP headers of your "evil" packet, and mungeing up suitable RST packets to send.

Read more... See the code (10 kB)

perlpreben

Though this is not a perl solution I think you may be interested in untangle which features, among many other things, an Attack-Blocker

Martin

Nice idea, but your method has some drawbacks you should take into account.

If you block the attacker at the same time you send the RST you gained no additional security. So why bother?

If you don't block at the same time then the attacker can find out exactly which packet caused your sniffer to react and either change his code until your sniffer doesn't react anymore or just ignore any RST packages coming from your webserver

If you don't block and an attacker wants to try out lots of attacks on your web server, the RST package might speed up his attacks since he doesn't have to wait for a time out

A firewall will only protect against attacks aimed towards the web server it self, and not the actual web application on it. Some firewalls have basic protection agains the most common attacks towards applications like SQL injection and XSS ... but if you want protection for attacks like the once im referring to, you need a full Web Application Firewall, .. and normal one just wount cut it....

Make your sniffer push rules on the firewall as needed... or use a firewall like Netfilter that can be controlled from user space using some library (libnetfilter_conntrack) or tool (conntrack-tools).

In any case, using a reverse proxy in front of your web server would be far easier.

Great, you already know what to get :)