Saturday, August 13, 2011

How to tackle a DDoS and a script to block the IPs


You can check whether the attack is coming from a single IP by watching the traffic with tcpdump.
For a normal server:
tcpdump -l -n -i eth0
If it is a VPS:
tcpdump -l -n -i venet0:0
If the attack comes from many IPs and is a SYN flood, you can list the IPs and the number of connections from each with the following command (the count is printed first, the remote IP second, sorted with the busiest addresses last):
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
Block the IPs that have the most connections.


If you want, you can use the following script to block the IPs causing the DDoS. It runs the same netstat pipeline, saves the counts to test.out, and adds an iptables DROP rule for every remote address with more than 35 connections, skipping loopback and the wildcard address.

#!/bin/bash
# Count tcp/udp connections per remote address and drop every address
# with more than THRESHOLD connections (loopback and wildcard are skipped).
THRESHOLD=35
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n > test.out
# Each line of test.out is "<count> <ip>". Reading both fields at once avoids
# grepping for one IP inside another (10.0.0.1 also matches 10.0.0.10).
while read -r count ip
do
 if [ -z "$ip" ] || [ "$ip" = "127.0.0.1" ] || [ "$ip" = "0.0.0.0" ]
 then
  continue
 fi
 if [ "$count" -gt "$THRESHOLD" ]
 then
  iptables -A INPUT -s "$ip" -j DROP
  echo "Writing the rule :iptables -A INPUT -s $ip -j DROP"
 fi
done < test.out
The script was tested on a CentOS system and will work on other distributions as well.
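The counting step is the part of the script worth checking before it ever touches iptables. The example below is added here and is not the post's own script: it runs the same netstat pipeline over a constructed sample of netstat output, compares addresses as whole fields (so 203.0.113.7 is not confused with 203.0.113.70), and prints the rules it would add instead of executing them. The sample lines, the threshold of 2 and the function names are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post: count connections per remote
# address from netstat-style output and list the addresses above a
# threshold, without calling iptables. The sample input is constructed.

# Constructed sample of `netstat -an` output (column 5 is the foreign address).
# 203.0.113.70 is included on purpose: a plain `grep 203.0.113.7` would also
# match it, so the counting below compares whole fields instead.
SAMPLE='tcp        0      0 10.0.0.5:80       203.0.113.7:51001    SYN_RECV
tcp        0      0 10.0.0.5:80       203.0.113.7:51002    SYN_RECV
tcp        0      0 10.0.0.5:80       203.0.113.7:51003    SYN_RECV
tcp        0      0 10.0.0.5:22       198.51.100.2:40000   ESTABLISHED
tcp        0      0 127.0.0.1:3306    127.0.0.1:45000      ESTABLISHED
tcp        0      0 0.0.0.0:80        0.0.0.0:*            LISTEN
udp        0      0 10.0.0.5:53       203.0.113.70:5353'

# count_remote_ips: netstat lines on stdin -> "count ip" per remote IPv4
# address, ascending by count. Loopback, wildcard and empty addresses
# (IPv6 ":::*" entries lose their address to cut) are skipped.
count_remote_ips() {
    grep -E 'tcp|udp' | awk '{print $5}' | cut -d: -f1 \
      | awk 'NF && $1 != "127.0.0.1" && $1 != "0.0.0.0"' \
      | sort | uniq -c | sort -n
}

# over_threshold THRESHOLD: print only the IPs with more than THRESHOLD
# connections. The count is compared numerically on the whole field.
over_threshold() {
    count_remote_ips | awk -v t="$1" '$1 > t {print $2}'
}

# print_rules: turn each IP on stdin into the iptables rule the post uses,
# printed rather than executed so the list can be reviewed first.
print_rules() {
    while read -r ip; do
        printf 'iptables -A INPUT -s %s -j DROP\n' "$ip"
    done
}

# Dry run against the constructed sample with a low threshold of 2.
printf '%s\n' "$SAMPLE" | over_threshold 2 | print_rules
```

Replace the SAMPLE with `netstat -an` on a live box and raise the threshold to the value the post uses; the only line that then needs to change is the final pipeline, and the printed rules can be applied once they look right.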
