Help! Chilli accounting for dropped packets
Gunther Mayer
gunther.mayer at googlemail.com
Wed May 7 17:42:55 UTC 2008
Hi again,
We recently noticed that a very nasty trojan/virus is doing the rounds
that uploads a ton of data to the Internet. Since our captive portal
charges in data units this becomes a major problem as customers lose
their purchased Internet units like water through a sieve. While legally
not our problem, customers still contact us all the time wondering what
happened, demanding refunds and all that jazz.
Tricky part is: we cannot sanely ask them to "quickly" download, install
and/or upgrade their anti-virus because either they already have a zero
balance or doing so would lose them even more units. It's a catch-22
until we find a way to block those trojans.
I started investigating instead what patterns such abnormal Internet
usage follows and managed to block specific instances with custom
iptables firewall rules (based on port and/or host specs). One example:
iptables -I FORWARD -p tcp --dport 5000 -j DROP
The problem though is: even though the kernel correctly drops the
trojan's packets (verified with iptables -L -vn), chilli somehow still
counts them, so I've only solved the smaller part of the problem, making
sure that the bogus packets never reach the Internet. The larger part,
that of upload accounting going ballistic is still unaddressed. I always
thought the kernel would drop them BEFORE chilli gets its hands on them
for accounting purposes, but it seems like it does so AFTER.
What can I do, if anything, to make sure that either chilli disregards
certain packets or that I get the kernel to drop packets BEFORE chilli
gets hold of them?
Gunther
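An added example, not part of the original message and not chilli's own code: a small parser for the counters printed by `iptables -L FORWARD -vnx`, which tallies how many packets and bytes the kernel dropped per rule. That figure is what a provider can compare against chilli's upload accounting when judging how much of a customer's balance went to traffic that never reached the Internet. The sample output below is constructed, not captured from a real gateway.

```python
import re

# Constructed sample of `iptables -L FORWARD -vnx` output (not real data).
SAMPLE_OUTPUT = """\
Chain FORWARD (policy ACCEPT 1042 packets, 812345 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1532   2193760 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5000
     210     14280 DROP       udp  --  *      *       0.0.0.0/0            10.0.0.5             udp dpt:5000
    8891  10493211 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# Without -x, iptables abbreviates large counters as e.g. 45K or 2M.
_SUFFIX = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}

# pkts, bytes, target, then the rest of the rule (prot opt in out src dst [match...])
RULE_RE = re.compile(r"^\s*(\d+[KMG]?)\s+(\d+[KMG]?)\s+(\S+)\s+(.*)$")


def parse_count(token):
    """Turn an iptables counter token ('1532', '45K', '2M') into an int."""
    if token[-1] in _SUFFIX:
        return int(token[:-1]) * _SUFFIX[token[-1]]
    return int(token)


def dropped_per_rule(text):
    """Map each DROP/REJECT rule's match text to (packets, bytes) it caught.
    Header lines ('Chain ...', 'pkts bytes ...') do not match RULE_RE."""
    totals = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        pkts, nbytes, target, rest = m.groups()
        if target not in ("DROP", "REJECT"):
            continue
        # rest = prot opt in out source destination [extra match text]
        fields = rest.split(None, 6)
        key = fields[6] if len(fields) > 6 else "any"
        old_p, old_b = totals.get(key, (0, 0))
        totals[key] = (old_p + parse_count(pkts), old_b + parse_count(nbytes))
    return totals


def total_dropped(text):
    """Overall (packets, bytes) dropped in the chain, across all DROP/REJECT rules."""
    per_rule = dropped_per_rule(text).values()
    return sum(p for p, _ in per_rule), sum(b for _, b in per_rule)


if __name__ == "__main__":
    for rule, (p, b) in dropped_per_rule(SAMPLE_OUTPUT).items():
        print(f"{rule:<20} {p:>8} pkts {b:>12} bytes")
    print("total dropped:", total_dropped(SAMPLE_OUTPUT))
```

Run it against live counters with `iptables -L FORWARD -vnx | python3 this_script.py`-style piping by replacing SAMPLE_OUTPUT with `sys.stdin.read()`; the byte total is the upper bound on upload volume the customer was charged for but never sent.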