Struggling with DDoS on my friend’s site, I wrote small Anti-DDoS script, that in original just lists all IPs, that have more than X active connections open to your server. It was originally written for FreeBSD.
#!/bin/sh
# Set here a minimum number of connections for action to be executed (150 by default).
FR_MIN_CONN=150
TMP_PREFIX='/tmp/frrr'
TMP_FILE=`mktemp $TMP_PREFIX.XXXXXXXX`
netstat -ntu -f inet| awk '{if(NR>2 && NF=6) print $5}' | cut -d. -f1-4 | grep '^[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}$' | sort | uniq -c | sort -nr > $TMP_FILE
while read line; do
CURR_LINE_CONN=$(echo $line | cut -d" " -f1)
CURR_LINE_IP=$(echo $line | cut -d" " -f2)
if [ $CURR_LINE_CONN -lt $FR_MIN_CONN ]; then
break
fi
# You can insert your own logic here (e.g. ban with your favourite firewall). Now it just prints the IP to console.
echo $CURR_LINE_IP
done < $TMP_FILE
rm -f $TMP_PREFIX.*I think this will work on general Linux also. You just need to change “cut -d.” to “cut -d:” in the listing and, probably, “/bin/sh” to “/bin/bash”.
