How to Kick-Out the Bad Guy?

A quick blog post about an issue I faced this morning. While drinking my morning coffee and reviewing what happened during the night in my logs, I detected that one of my websites (leakedin.com) was being entirely mirrored by a guy from Brazil. I’m not against sharing information, but in this case it was consuming bandwidth and server resources for nothing… It was time to kick him off!

The web crawling was performed smoothly and did not trigger any of the countermeasures in place, like, for example, automatically blacklisting an IP address for a few minutes (this makes the script kiddies’ task more difficult). In this case, I just blacklisted his IP definitively via a specific firewall rule. Case closed! Alas, no… The guy was clever enough to keep the traffic within a set of established TCP/IP sessions. What does it mean? By default, a firewall won’t block them due to their “ESTABLISHED” state. The reason is the following rule, present in almost all iptables rulebases:

-A INPUT -m tcp -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT

The quick way would be to restart the web server (or the firewall), but with a side effect for all the users… I remembered that the dsniff package has an interesting tool for this situation. dsniff is a nice toolbox for pentesters and should not be installed on a production server… definitely! But one of the tools is called tcpkill. It allows you to kill specific established TCP sessions based on an “expression” compatible with the tcpdump/libpcap filter syntax. Some examples:

# tcpkill -i eth0 port 80
# tcpkill -i eth0 host 172.16.0.23
# tcpkill -i eth0 port 22 and not host 192.168.0.1

The ESTABLISHED sessions were killed and the firewall is now doing its job: blocking new TCP sessions from this IP. Very efficient!
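To check which of the offender's sessions are still open before and after running tcpkill, and to build a filter expression that matches only those sessions (not the admin's own SSH session), here is an added Python example of mine, not code from the post or from dsniff. The `ss -tn` sample and all addresses are constructed, and the iptables command assumes the default INPUT chain with the RELATED,ESTABLISHED ACCEPT rule quoted above.

```python
# Constructed `ss -tn` output (sample data, not from the post). 198.51.100.7
# plays the crawler; 192.0.2.44 is an unrelated visitor that must not be touched.
SAMPLE_SS = """\
State      Recv-Q Send-Q Local Address:Port            Peer Address:Port
ESTAB      0      0      203.0.113.10:80               198.51.100.7:51234
ESTAB      0      0      203.0.113.10:80               198.51.100.7:51236
ESTAB      0      0      203.0.113.10:443              192.0.2.44:40022
ESTAB      0      0      [::ffff:203.0.113.10]:80      [::ffff:198.51.100.7]:51240
TIME-WAIT  0      0      203.0.113.10:80               198.51.100.7:51200
"""


def _split_addr(token):
    """Split 'addr:port' as printed by ss; handles [v6] and ::ffff: v4-mapped forms."""
    addr, _, port = token.rpartition(":")
    addr = addr.strip("[]")
    if addr.startswith("::ffff:"):
        addr = addr[len("::ffff:"):]
    return addr, int(port)


def established_sessions(ss_output, peer_ip):
    """(local_port, peer_port) pairs of ESTAB sockets whose peer is peer_ip.
    Run before and after tcpkill: the list should be empty once they are dead."""
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":   # header, TIME-WAIT, ...
            continue
        _, local_port = _split_addr(fields[3])
        peer_addr, peer_port = _split_addr(fields[4])
        if peer_addr == peer_ip:
            found.append((local_port, peer_port))
    return found


def tcpkill_filter(peer_ip, local_ports):
    """libpcap expression restricted to the offender's sessions on the ports he
    actually uses, so sessions of other hosts or on port 22 are never matched."""
    ports = " or ".join("port %d" % p for p in sorted(set(local_ports)))
    return "host %s and (%s)" % (peer_ip, ports)


def block_rule(peer_ip):
    """Blacklist rule. -I INPUT 1 places it ahead of the RELATED,ESTABLISHED
    ACCEPT rule; appended with -A it sits behind it and open sessions survive."""
    return "iptables -I INPUT 1 -s %s -j DROP" % peer_ip
```

Typical use: run `block_rule()` first, then pass `tcpkill_filter()` quoted as the expression to `tcpkill -i eth0`, and re-run `established_sessions()` on fresh `ss -tn` output to confirm only the offender's sockets disappeared.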

5 comments

  1. Um… that last one should read “and not *host* 192.168.0.1” *’s added for emphasis 🙂
