Jul 01 2009

[Linux, FreeBSD] Small Anti-DDOS Shell Script for FreeBSD

Category: Articles, Linux administration
FractalizeR @ 3:21 pm

While struggling with a DDoS attack on my friend’s site, I wrote a small anti-DDoS script. In its original form it just lists all IPs that have more than X active connections open to your server. It was originally written for FreeBSD.

#!/bin/sh
# Set here a minimum number of connections for action to be executed (150 by default).
FR_MIN_CONN=150
TMP_PREFIX='/tmp/frrr'
TMP_FILE=$(mktemp "$TMP_PREFIX.XXXXXXXX") || exit 1
# Count connections per foreign IPv4 address (field 5, port stripped), busiest first.
# NF==6 keeps only lines that carry a State column.
netstat -ntu -f inet | awk '{if(NR>2 && NF==6) print $5}' | cut -d. -f1-4 | grep '^[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}$' | sort | uniq -c | sort -nr > "$TMP_FILE"
# Each line is "<count> <ip>"; read splits it on whitespace.
while read -r CURR_LINE_CONN CURR_LINE_IP; do
 # The list is sorted, so stop at the first IP below the threshold.
 if [ "$CURR_LINE_CONN" -lt "$FR_MIN_CONN" ]; then
  break
 fi

 # You can insert your own logic here (e.g. ban with your favourite firewall). Now it just prints the IP to console.
 echo "$CURR_LINE_IP"
done < "$TMP_FILE"
# Remove only the temporary file created by this run.
rm -f "$TMP_FILE"

I think this will also work on Linux in general. You just need to change "cut -d." to "cut -d:" in the listing and, probably, "/bin/sh" to "/bin/bash".
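On dual-stack Linux hosts netstat reports IPv4 clients as ::ffff:a.b.c.d:port, and the banner lines are not always exactly two, so a port of the script has to strip the port and the mapped prefix explicitly. The following is an added example, not the author's script: the function names and the sample data are constructed, and it accepts both the FreeBSD (ip.port) and Linux (ip:port) address formats.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the original post.

# Read `netstat -ntu` output on stdin and print "count ip" for every
# remote address, busiest first.
count_foreign_ips() {
    awk '
        $1 !~ /^(tcp|udp)/ { next }        # skip banner and header lines
        {
            addr = $5                      # Foreign Address column
            sub(/[:.][0-9*]+$/, "", addr)  # drop ":port" (Linux) or ".port" (FreeBSD)
            sub(/^::ffff:/, "", addr)      # IPv4-mapped IPv6 -> plain IPv4
            if (addr == "*" || addr == "0.0.0.0" || addr == "::") next
            n[addr]++
        }
        END { for (a in n) print n[a], a }
    ' | sort -k1,1nr
}

# Print only the addresses with at least $1 connections.
ips_over_threshold() {
    count_foreign_ips | awk -v min="$1" '$1 >= min { print $2 }'
}

# Constructed sample input: Linux-style lines plus one FreeBSD-style line
# (tcp4), mixed on purpose to exercise both address formats.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           203.0.113.5:51234       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:51235       ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.5:51236 ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:198.51.100.7:40000 TIME_WAIT
tcp4       0      0 192.0.2.10.80           198.51.100.7.40001     ESTABLISHED
udp        0      0 192.0.2.10:53           198.51.100.9:5353       ESTABLISHED
EOF
}

# Demo on the sample data. On a live host: netstat -ntu | ips_over_threshold 150
sample_netstat | ips_over_threshold 2
```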



Jul 30 2008

[Linux] Installing automatic protection from DoS and DDoS attacks to your server

Category: Articles, Linux administration
FractalizeR @ 3:11 pm

For several months, a server I was responsible for was under a DDoS attack that almost flooded it. Lacking Linux skills, I almost lost hope of protecting it by myself and started to think about paying a specialist to protect my server.

But suddenly, I found miraculous and VERY easy to install and use solutions that I want to share with you today.

Continue reading “[Linux] Installing automatic protection from DoS and DDoS attacks to your server”



Jul 23 2008

[Linux] Using netstat and iptables to manually detect and blacklist DOSers

Category: Articles, Linux administration
FractalizeR @ 8:35 pm

If you suspect that your server is being flooded, the first thing you need to do is issue the following command:
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr

This will show you the IP addresses (second column) and the total number of connections from each (first column). If you see that you have too many connections from some IP address, you can block it by issuing the following command:

Continue reading “[Linux] Using netstat and iptables to manually detect and blacklist DOSers”
