# Solution for blocking abnormal HTTP GET requests with injected TCP RSTs
Below is a summary of the network architecture.
- Mirrored packets are received from TAP switches located at the backbone router and the border routers.
- A DPI switch (Arista) forwards only HTTP GET packets, selected by matching on the TCP payload.
- The Arista switch can steer every packet that contains the HTTP GET string to the blocking server.
- The server checks whether the packet matches the configured Src/Dst IP and port pair and carries an HTTP_GET.
- It then sends a RST packet built from the Seq/Ack/payload length of the HTTP_GET packet.
- A RAW_PACKET socket is used, so the server supplies its own IP and TCP headers.
- In the captured GET packet the source is the internal IP that must be protected and the destination is the external (abnormal HTTP) site.
- In the RST packet the source is the external IP and the destination is the internal source IP; ports are swapped the same way.
- Seq is taken from the GET packet's Ack (the next sequence number the internal host expects from the external destination).
- Ack is the GET packet's Seq + payload length (the next sequence number the internal source will send).
- The TCP flags are RST | ACK.
- The IP identification field does not matter. (It could be made consistent with the flow if the whole flow were captured, but here only the HTTP GET packet is seen, so the IDs of the packets that passed before it are unknown.)
- TCP window: htons(4500 + rand() % 1000). This is also not mandatory; any non-zero window works.
- The RST packet must be sent as soon as possible after the HTTP_GET packet is received, out of an Ethernet port that can reach the internal IP machine. If it arrives after the internal host has sent more data, its sequence number is no longer the one the host expects and the RST is ignored.
- Below is some code for computing the Seq/Ack of the RST packet.
```c
// Values are taken from the captured Internal -> External HTTP_GET packet:
//   seq = that packet's TCP ack field, ack = that packet's TCP seq field (both in network byte order)
//   payload_len = ip_total_len - ip_header_len - tcp_header_len (host byte order)
ack = htonl(ntohl(ack) + payload_len);   // RST ack = GET seq + payload length
tcpheader->th_seq = seq;                 // RST seq = GET ack
tcpheader->th_ack = ack;
```
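The whole procedure above, from the mirrored GET packet to the injected RST|ACK, as an added example in C. This is not the page's own code: `build_rst()`, `send_rst()`, `make_sample_get()`, the header structs and the checksum helpers are all assumed names written for this illustration, and the GET packet it parses is constructed inline (10.0.0.5:40000 -> 203.0.113.7:80) rather than captured. Unlike the fragment above it also fills in the swapped addresses and ports, the flags, the window and both checksums, and rejects input that is not a TCP segment with a payload.

```c
/* Added example, not the page's own code. Builds the RST|ACK for a mirrored
 * HTTP GET and injects it through a raw socket with IP_HDRINCL. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define TH_RST 0x04
#define TH_ACK 0x10

struct ipv4_hdr {                 /* minimal IPv4 header, no options */
    uint8_t  vhl, tos;
    uint16_t len, id, frag;
    uint8_t  ttl, proto;
    uint16_t csum;
    uint32_t src, dst;
} __attribute__((packed));

struct tcp_hdr {                  /* TCP header, no options */
    uint16_t sport, dport;
    uint32_t seq, ack;
    uint8_t  off, flags;
    uint16_t win, csum, urp;
} __attribute__((packed));

struct rst_pkt { struct ipv4_hdr ip; struct tcp_hdr tcp; } __attribute__((packed));

/* RFC 1071 one's-complement sum, then fold and complement. */
static uint32_t sum16(const void *p, size_t n, uint32_t acc) {
    const uint8_t *b = p;
    for (; n > 1; n -= 2, b += 2) acc += (uint32_t)((b[0] << 8) | b[1]);
    if (n) acc += (uint32_t)(b[0] << 8);
    return acc;
}
static uint16_t fold(uint32_t acc) {
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return htons((uint16_t)~acc);
}

/* Fill *out with the RST|ACK for the Internal -> External GET in pkt (IP + TCP).
 * Returns 0 on success, -1 if pkt is not a well-formed TCP segment. */
int build_rst(const uint8_t *pkt, size_t len, struct rst_pkt *out) {
    if (len < sizeof(struct ipv4_hdr)) return -1;
    const struct ipv4_hdr *ip = (const struct ipv4_hdr *)pkt;
    size_t ihl = (ip->vhl & 0x0f) * 4;
    if ((ip->vhl >> 4) != 4 || ip->proto != 6 || len < ihl + sizeof(struct tcp_hdr)) return -1;
    const struct tcp_hdr *tcp = (const struct tcp_hdr *)(pkt + ihl);
    size_t thl = (tcp->off >> 4) * 4, total = ntohs(ip->len);
    if (total > len || total < ihl + thl) return -1;
    uint32_t payload_len = (uint32_t)(total - ihl - thl);   /* ip_total_len - ip_hdr - tcp_hdr */

    memset(out, 0, sizeof *out);
    out->ip.vhl = 0x45; out->ip.ttl = 64; out->ip.proto = 6;
    out->ip.len = htons(sizeof *out);
    out->ip.id  = htons((uint16_t)rand());         /* IP ID: not checked by the receiver */
    out->ip.src = ip->dst; out->ip.dst = ip->src;  /* RST appears to come from the external site */
    out->ip.csum = fold(sum16(&out->ip, sizeof out->ip, 0));

    out->tcp.sport = tcp->dport; out->tcp.dport = tcp->sport;
    out->tcp.seq   = tcp->ack;                                 /* seq = GET's ack */
    out->tcp.ack   = htonl(ntohl(tcp->seq) + payload_len);     /* ack = GET's seq + payload len */
    out->tcp.off   = (sizeof(struct tcp_hdr) / 4) << 4;
    out->tcp.flags = TH_RST | TH_ACK;
    out->tcp.win   = htons((uint16_t)(4500 + rand() % 1000));
    struct { uint32_t s, d; uint8_t z, p; uint16_t l; } ph =   /* TCP pseudo-header */
        { out->ip.src, out->ip.dst, 0, 6, htons(sizeof(struct tcp_hdr)) };
    out->tcp.csum = fold(sum16(&out->tcp, sizeof out->tcp, sum16(&ph, sizeof ph, 0)));
    return 0;
}

/* Inject via a raw socket (needs CAP_NET_RAW); the kernel routes it toward the
 * internal host, so run this on a box whose route to that host is the right port. */
ssize_t send_rst(const struct rst_pkt *rst) {
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW), one = 1;
    if (fd < 0) return -1;
    setsockopt(fd, IPPROTO_IP, IP_HDRINCL, &one, sizeof one);
    struct sockaddr_in to = { .sin_family = AF_INET, .sin_addr.s_addr = rst->ip.dst };
    ssize_t n = sendto(fd, rst, sizeof *rst, 0, (struct sockaddr *)&to, sizeof to);
    close(fd);
    return n;
}

/* Constructed sample (not a capture): 10.0.0.5:40000 -> 203.0.113.7:80,
 * seq 1000, ack 5000, 16-byte payload "GET / HTTP/1.1\r\n". Returns total length. */
size_t make_sample_get(uint8_t *buf, size_t cap) {
    static const char req[] = "GET / HTTP/1.1\r\n";
    size_t plen = sizeof req - 1, total = sizeof(struct ipv4_hdr) + sizeof(struct tcp_hdr) + plen;
    if (cap < total) return 0;
    memset(buf, 0, total);
    struct ipv4_hdr *ip = (struct ipv4_hdr *)buf;
    struct tcp_hdr *tcp = (struct tcp_hdr *)(buf + sizeof *ip);
    ip->vhl = 0x45; ip->len = htons((uint16_t)total); ip->ttl = 64; ip->proto = 6;
    inet_pton(AF_INET, "10.0.0.5", &ip->src); inet_pton(AF_INET, "203.0.113.7", &ip->dst);
    tcp->sport = htons(40000); tcp->dport = htons(80);
    tcp->seq = htonl(1000); tcp->ack = htonl(5000);
    tcp->off = 5 << 4; tcp->flags = 0x18;                      /* PSH|ACK */
    memcpy(buf + sizeof *ip + sizeof *tcp, req, plen);
    return total;
}

int main(void) {
    uint8_t buf[128]; struct rst_pkt rst;
    size_t n = make_sample_get(buf, sizeof buf);
    if (build_rst(buf, n, &rst) != 0) return 1;
    printf("RST seq=%u ack=%u sent=%zd\n", ntohl(rst.tcp.seq), ntohl(rst.tcp.ack), send_rst(&rst));
    return 0;
}
```

Only the internal side of the connection is reset here, which is what the page needs: the external server's half stays half-open until it times out, so a second RST toward the external side is not required for the block to take effect. The server's acceptance of the RST still depends on timing: the ack value is valid only while the internal host has not sent further segments, which is why the page insists on injecting immediately.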