Quick and dirty
Experimental anti-DoS Netfilter rules:
an IP can access the site index (GET / HTTP/1.1) only once every 3 seconds.
(the "to" offset of the string module is set (too) wide).

Note: port 6081 is the Varnish port; the Netfilter DNAT redirects port 80 to it (internal plumbing).

We add the following Netfilter rule:
root@toto:~# iptables -A FORWARD -p tcp --src 82.239.75.4 -m multiport --dports 80,6081 -m recent \
--name dosclt --rcheck --seconds 2 --hitcount 1  -m string --from 0 --to 170 --algo bm --string 'GET / HTTP/1.1' -j DROP
We start the capture:
root@toto:~# tcpdump -vi br0 tcp and '(port 80 or port 6081)' and src 82.239.75.4 -s0 -w out.pcap
From the client machine, we run the HTTP request in a loop:
root@bob-desktop:/mnt# while  true ; do curl http://ns4.architux.com/  ; done 

ns4 iweb3


ns4 iweb3


ns4 iweb3

^C
We stop at the third one (Ctrl+C).

We stop the dump and read it:
root@toto:~# tshark -r out.pcap  -d "tcp.port==6081,http" -R "http.request.method"
Running as user "root" and group "root". This could be dangerous.
3   0.030127 82.239.75.4 -> 10.100.0.16  HTTP GET / HTTP/1.1
4   0.264393 82.239.75.4 -> 10.100.0.16  HTTP [TCP Retransmission] GET / HTTP/1.1 
5   0.736437 82.239.75.4 -> 10.100.0.16  HTTP [TCP Retransmission] GET / HTTP/1.1 
6   1.680780 82.239.75.4 -> 10.100.0.16  HTTP [TCP Retransmission] GET / HTTP/1.1 
7   3.568490 82.239.75.4 -> 10.100.0.16  HTTP [TCP Retransmission] GET / HTTP/1.1  
13   3.726936 82.239.75.4 -> 10.100.0.16  HTTP GET / HTTP/1.1 
14   3.960487 82.239.75.4 -> 10.100.0.16  HTTP [TCP Retransmission] GET / HTTP/1.1  
15   4.433045 82.239.75.4 -> 10.100.0.16  HTTP [TCP Retransmission] GET / HTTP/1.1 
16   5.376548 82.239.75.4 -> 10.100.0.16  HTTP [TCP Retransmission] GET / HTTP/1.1 
18   7.264363 82.239.75.4 -> 10.100.0.16  HTTP [TCP Retransmission] GET / HTTP/1.1 
24   7.419067 82.239.75.4 -> 10.100.0.16  HTTP GET / HTTP/1.1  
25   7.652652 82.239.75.4 -> 10.100.0.16  HTTP [TCP Retransmission] GET / HTTP/1.1 
26   8.124954 82.239.75.4 -> 10.100.0.16  HTTP [TCP Retransmission] GET / HTTP/1.1 
27   9.068786 82.239.75.4 -> 10.100.0.16  HTTP [TCP Retransmission] GET / HTTP/1.1 
28  10.956510 82.239.75.4 -> 10.100.0.16  HTTP [TCP Retransmission] GET / HTTP/1.1 
34  11.112961 82.239.75.4 -> 10.100.0.16  HTTP GET / HTTP/1.1  
35  11.336945 82.239.75.4 -> 10.100.0.16  HTTP [TCP Retransmission] GET / HTTP/1.1 
36  11.792708 82.239.75.4 -> 10.100.0.16  HTTP [TCP Retransmission] GET / HTTP/1.1 
38  12.704779 82.239.75.4 -> 10.100.0.16  HTTP [TCP Retransmission] GET / HTTP/1.1 
39  14.528700 82.239.75.4 -> 10.100.0.16  HTTP [TCP Retransmission] GET / HTTP/1.1 

In the capture we can find retransmissions, 4 for example, carrying sequence number 1, a sign that the server's TCP stack never acknowledged the transmission (otherwise the sequence number would increase).
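
To measure what the DROP rule costs the client, the request lines of the capture can be grouped per original GET and the gaps between retransmissions computed. This is an added example, not part of the original post; the function names are made up here, and the sample is the first lines of the tshark output above.

```python
import re

# Request lines copied from the tshark output above (first two requests, plus
# the start of the third so the spacing between requests can be measured).
CAPTURE = """\
3   0.030127 82.239.75.4 -> 10.100.0.16  HTTP GET / HTTP/1.1
4   0.264393 82.239.75.4 -> 10.100.0.16  HTTP [TCP Retransmission] GET / HTTP/1.1
5   0.736437 82.239.75.4 -> 10.100.0.16  HTTP [TCP Retransmission] GET / HTTP/1.1
6   1.680780 82.239.75.4 -> 10.100.0.16  HTTP [TCP Retransmission] GET / HTTP/1.1
7   3.568490 82.239.75.4 -> 10.100.0.16  HTTP [TCP Retransmission] GET / HTTP/1.1
13   3.726936 82.239.75.4 -> 10.100.0.16  HTTP GET / HTTP/1.1
14   3.960487 82.239.75.4 -> 10.100.0.16  HTTP [TCP Retransmission] GET / HTTP/1.1
15   4.433045 82.239.75.4 -> 10.100.0.16  HTTP [TCP Retransmission] GET / HTTP/1.1
16   5.376548 82.239.75.4 -> 10.100.0.16  HTTP [TCP Retransmission] GET / HTTP/1.1
18   7.264363 82.239.75.4 -> 10.100.0.16  HTTP [TCP Retransmission] GET / HTTP/1.1
24   7.419067 82.239.75.4 -> 10.100.0.16  HTTP GET / HTTP/1.1
"""

# frame number, relative time, src -> dst, optional retransmission flag, GET
LINE = re.compile(r"^\s*\d+\s+(\d+\.\d+)\s+\S+ -> \S+\s+HTTP (\[TCP Retransmission\] )?GET ")

def group_requests(text):
    """Return one list of timestamps per original GET: [first, retx1, retx2, ...]."""
    groups = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                      # not an HTTP GET line
        t = float(m.group(1))
        if m.group(2) and groups:
            groups[-1].append(t)          # retransmission of the current GET
        elif not m.group(2):
            groups.append([t])            # a new request starts
    return groups

def summarize(groups):
    """Per request: retransmission count, gaps between copies, total stall."""
    rows = []
    for i, times in enumerate(groups):
        gaps = [b - a for a, b in zip(times, times[1:])]
        nxt = groups[i + 1][0] - times[0] if i + 1 < len(groups) else None
        rows.append({"retransmissions": len(times) - 1, "gaps": gaps,
                     "stall": times[-1] - times[0], "until_next_request": nxt})
    return rows

if __name__ == "__main__":
    for row in summarize(group_requests(CAPTURE)):
        print(row["retransmissions"], [round(g, 3) for g in row["gaps"]],
              round(row["stall"], 3), row["until_next_request"])
```

On this sample each gap is about twice the previous one, about 3.5 seconds pass between the first copy of a GET and its last retransmission, and a new request starts roughly every 3.7 seconds.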