Saturday, August 13, 2011

How to tackle DDoS and a script to block the IPs


You can check whether the attack is coming from a single IP using the following commands.
On a normal server:
tcpdump -l -n -i eth0
If it is a VPS:
tcpdump -l -n -i venet0:0
If the attack comes from many IPs and is a SYN flood, you can find those IPs and the number of connections from each with the following command.
netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
Block the IPs that have the most connections.

If you want, you can use the following script to block the IPs causing the DDoS.


netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n > test.out
# Each line of test.out is "<count> <ip>"; block every IP with more than 35 connections
while read count ip
do
  if [ "$ip" != "" ] && [ "$ip" != "0.0.0.0" ] && [ "$count" -gt 35 ]
  then
    iptables -A INPUT -s "$ip" -j DROP
    echo "Writing the rule :iptables -A INPUT -s $ip -j DROP"
  fi
done < test.out
The script was tested on a CentOS system and should work on other distros as well.
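As an added example that is not part of the original post, the script below reworks the same count-and-block idea into three small shell functions that can be tested offline. The netstat output it runs on is constructed (the addresses are documentation ranges, not a real capture), the threshold of 2 is only there to make the tiny sample trip, and the functions print the iptables rules instead of applying them so an operator can review the list first. Compared with the one-liner above it strips only the trailing port, so IPv4-mapped IPv6 addresses are not cut in half, and it matches IPs as whole fields, so 198.51.100.7 is not confused with 198.51.100.70.

```shell
#!/bin/sh
# Constructed sample of `netstat -anp` output (not captured from a real host).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/httpd
tcp        0      0 10.0.0.5:80             198.51.100.7:51001      ESTABLISHED 1234/httpd
tcp        0      0 10.0.0.5:80             198.51.100.7:51002      SYN_RECV    -
tcp        0      0 10.0.0.5:80             198.51.100.7:51003      SYN_RECV    -
tcp        0      0 10.0.0.5:80             198.51.100.70:40001     ESTABLISHED 1234/httpd
tcp        0      0 10.0.0.5:22             203.0.113.9:33000       ESTABLISHED 999/sshd
tcp6       0      0 :::443                  :::*                    LISTEN      1234/httpd
tcp6       0      0 ::ffff:10.0.0.5:443     ::ffff:198.51.100.7:52000 ESTABLISHED 1234/httpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           555/ntpd'

# Count connections per remote address from netstat lines on stdin.
# Field 5 is "addr:port"; only the trailing ":port" is removed so IPv6 and
# IPv4-mapped IPv6 addresses survive, and listening/unbound sockets
# ("*" port, 0.0.0.0, ::) are skipped. Output: "<count> <ip>", highest first.
count_remote() {
    awk '$1 ~ /^(tcp|udp)/ {
            addr = $5
            sub(/:[^:]*$/, "", addr)      # drop the trailing :port (or :*)
            sub(/^::ffff:/, "", addr)     # unmap IPv4-mapped IPv6 addresses
            if (addr == "" || addr == "0.0.0.0" || addr == "::") next
            n[addr]++
        }
        END { for (a in n) print n[a], a }' | sort -k1,1rn -k2,2
}

# Print the IPs whose connection count exceeds the threshold given as $1.
# The comparison is on the whole count field, never a substring match.
over_threshold() {
    awk -v limit="$1" '$1 > limit { print $2 }'
}

# Turn a list of IPs (one per line) into the DROP rules the post uses.
# This is a dry run: the rules are printed, not executed.
block_rules() {
    while read ip
    do
        [ -n "$ip" ] && echo "iptables -A INPUT -s $ip -j DROP"
    done
}

# Demonstration on the constructed sample; on a live host replace the printf
# with `netstat -anp` and use a realistic threshold such as 35.
printf '%s\n' "$SAMPLE_NETSTAT" | count_remote | over_threshold 2 | block_rules
```

Running the pipeline against real output looks like `netstat -anp | count_remote | over_threshold 35 | block_rules`; piping that into `sh` applies the rules once the list has been checked. Two caveats carry over from the original approach: a fixed connection threshold will also catch many legitimate clients behind one NAT address, and rules appended with `-A` are lost at reboot unless saved with the distribution's iptables persistence tooling.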

