Jul 01 2009

[Linux, FreeBSD] Small Anti-DDOS Shell Script for FreeBSD

Category: Articles, Linux administration | FractalizeR @ 3:21 pm

Struggling with DDoS on my friend’s site, I wrote a small Anti-DDoS script that, in its original form, just lists all IPs that have more than X active connections open to your server. It was originally written for FreeBSD.

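#!/bin/sh
# Set here a minimum number of connections for action to be executed (150 by default).
FR_MIN_CONN=150
# Temp file prefix: an assumed value, since its definition is missing from the listing as published.
TMP_PREFIX=/tmp/antiddos
TMP_FILE=$(mktemp "$TMP_PREFIX.XXXXXX") || exit 1
netstat -ntu -f inet | awk '{if(NR>2 && NF==6) print $5}' | cut -d. -f1-4 | grep '^[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}$' | sort | uniq -c | sort -nr > "$TMP_FILE"
while read line; do
 CURR_LINE_CONN=$(echo $line | cut -d" " -f1)
 CURR_LINE_IP=$(echo $line | cut -d" " -f2)
 # The list is sorted by connection count, highest first, so stop at the first IP below the threshold.
 if [ "$CURR_LINE_CONN" -lt "$FR_MIN_CONN" ]; then
  break
 fi
 # You can insert your own logic here (e.g. ban with your favourite firewall). Now it just prints the IP to console.
 echo "$CURR_LINE_IP"
done < "$TMP_FILE"
rm -f "$TMP_FILE"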

I think this will also work on Linux in general. You just need to change “cut -d.” to “cut -d:” in the listing and, probably, “/bin/sh” to “/bin/bash”.


Jul 01 2009

[Linux, FreeBSD] Using netstat and ipfw to manually detect and blacklist DOSers on FreeBSD

Category: Articles, Linux administration | FractalizeR @ 1:22 pm

This is just an addition to this article of mine, with some corrections needed if you use FreeBSD.

The netstat command should look like this:

netstat -ntu -f inet| awk '{print $5}' | cut -d. -f1-4 | sort | uniq -c | sort -nr|more

And the firewall IP-blocking command should be:

ipfw add deny all from xxx.xxx.xxx.xxx to any in
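
The counting and blocking steps from both posts, as an added example that is not the author's script: it parses netstat output from stdin so it can be checked offline, accepts both the FreeBSD `ip.port` and the Linux `ip:port` layout, and prints the ipfw rules for review instead of applying them. The function names, the allowlist argument and the sample connections are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: offline version of the per-IP connection count described above.
# Function names, the allowlist and the sample data are assumptions for illustration.

# heavy_hitters MIN_CONN: read `netstat -n` output on stdin and print
# "<count> <ip>" for every remote IPv4 address with >= MIN_CONN TCP connections.
heavy_hitters() {
    awk -v min="$1" '
        $1 ~ /^tcp/ && NF >= 6 {
            addr = $5
            sub(/[.:][0-9*]+$/, "", addr)      # drop ".port" (FreeBSD) or ":port" (Linux)
            if (addr ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) count[addr]++
        }
        END { for (ip in count) if (count[ip] >= min) print count[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# ipfw_rules ALLOWLIST: turn heavy_hitters output into the ipfw command from the
# article, skipping allowlisted addresses. Rules are printed for review, not run.
ipfw_rules() {
    while read -r conn ip; do
        case " $1 " in *" $ip "*) continue ;; esac
        echo "ipfw add deny all from $ip to any in"
    done
}

# Constructed sample (documentation address ranges), mixing both netstat layouts.
sample_netstat() {
    cat <<'EOF'
Active Internet connections
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 192.0.2.10.80          203.0.113.7.51234      ESTABLISHED
tcp4       0      0 192.0.2.10.80          203.0.113.7.51235      ESTABLISHED
tcp4       0      0 192.0.2.10.80          203.0.113.7.51236      SYN_RCVD
tcp        0      0 192.0.2.10:80          198.51.100.9:40000     ESTABLISHED
tcp        0      0 192.0.2.10:80          198.51.100.9:40001     ESTABLISHED
tcp4       0      0 192.0.2.10.80          192.0.2.55.60000       ESTABLISHED
tcp4       0      0 *.22                   *.*                    LISTEN
udp4       0      0 192.0.2.10.53          203.0.113.7.5353
EOF
}

sample_netstat | heavy_hitters 2 | ipfw_rules "198.51.100.9"
```

On a live host the input would come from the netstat command shown in the post, and the allowlist would hold the addresses of your own proxies, monitoring hosts and admin networks so they are never blocked by a high connection count.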
