Saturday, August 13, 2011

How to tackle ddos and script to block the ips

Sponsored Links
You can check whether the attack is coming from a single ip using the following commands.
For normal server :
tcpdump -l -n -i eth0
If it is a vps:
tcpdump -l -n -i venet0:0
If the attack is from many ips and its nature is synflood you can know the ips and the no.of connections to them using the following command.
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
Block the ips that are having more connections.


If you want you can use the following script to block the ips causing ddos.




#!/bin/bash

netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n > test.out
for i in `cat test.out | awk '{print $2}' `
do
 {
 if [ "$i" != "127.0.0.1" ] && [ `cat test.out | grep $i | awk '{print$1}'` -gt 35 ] && [  "$i" != "0.0.0.0" ]
 then
 iptables -A INPUT -s $i -j DROP
 echo "Writing the rule :iptables -A INPUT -s $i -j DROP"
 fi
 }
done
The script is tested on centos system and it will work in other distros also.
Sponsored Links

No comments:

Post a Comment

Be nice. That's all.