Stupid DDOS attacks – a simple script and common sense

Today we had some fun: a DDOS attack from some kind of botnet. We saw hundreds (thousands) of IPs sending something like this to Apache:


$MyNick Aando|$Lock EXTENDEDPROT

Newer Linux kernels let iptables DROP/REJECT packets based on string matches, but I was not going to recompile and install an experimental kernel for this ‘little problem’, risking more downtime than need be.

So I used sniffing to spot the offending traffic instead:


tcpdump -n -vvv -i eth0 -A | grep -B 1 '\$MyNick' | grep '\.80: ' > /tmp/ip.log

(grepping for .80: keeps only the packet header lines for port 80, since the flood is aimed at my webserver)

Then a killer perl script to block the offending IPs:


#!/usr/bin/perl

# Follow the log as tcpdump appends to it and block each new source IP once.
%ips=();
open(F, "tail -f /tmp/ip.log|") or die "cannot run tail: $!";
while(<F>){
    chomp;
    # The source address follows the ") " that closes tcpdump's IP header detail.
    next unless /.*\) (\d+?\.\d+?\.\d+?\.\d+?)\..*?>/;
    $ip = $1;
    next if $ip=~/^127\.0\.0\./;    # never block loopback
    if (!$ips{$ip}) {
        $ips{$ip} = 1;
        `iptables -A INPUT -p tcp --source $ip --dport 80 -j REJECT`;
        print "$ip blocked\n";
    }
}
close F;
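The same detect-and-block loop as an added example in Python, not the post's own script: it parses the tcpdump header lines the grep pipeline leaves in /tmp/ip.log, skips lines that do not match instead of reusing a stale capture, validates the address, and only adds the REJECT rule after an IP has been seen `threshold` times, which limits damage from a single stray match. The sample log lines and the never-block list (loopback plus an assumed internal 10.0.0.0/8) are constructed assumptions.

```python
#!/usr/bin/env python3
# Added example (not the post's Perl): block the client IPs the tcpdump | grep pipeline leaves in /tmp/ip.log.
import ipaddress, re, subprocess, sys

# Address part of a tcpdump -n header line to port 80, on the "IP (...)" line (old tcpdump) or indented below it.
FLOW_RE = re.compile(r'(\d{1,3}(?:\.\d{1,3}){3})\.\d+ > \d{1,3}(?:\.\d{1,3}){3}\.80: ')
# Assumption: these ranges are ours and must never be blocked.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ('127.0.0.0/8', '10.0.0.0/8')]

def source_ip(line):
    """Client IP of a port-80 flow, or None when the line is to be ignored."""
    m = FLOW_RE.search(line)
    if not m:
        return None                       # not a header line; never reuse a stale match
    try:
        ip = ipaddress.ip_address(m.group(1))
    except ValueError:
        return None                       # e.g. an octet above 255
    return None if any(ip in net for net in NEVER_BLOCK) else str(ip)

def iptables_rule(ip):
    """argv for the rule the post adds; a list, so nothing passes through a shell."""
    return ['iptables', '-A', 'INPUT', '-p', 'tcp', '--source', ip,
            '--dport', '80', '-j', 'REJECT']

def block_sources(lines, threshold=1, run=lambda argv: subprocess.run(argv, check=True)):
    """Yield each IP as its rule is added, once it has been seen `threshold` times."""
    hits, blocked = {}, set()
    for line in lines:
        ip = source_ip(line)
        if ip is None or ip in blocked:
            continue
        hits[ip] = hits.get(ip, 0) + 1
        if hits[ip] >= threshold:
            run(iptables_rule(ip))        # one rule per IP, like the Perl %ips hash
            blocked.add(ip)
            yield ip

# Constructed sample of what the grep pipeline writes to /tmp/ip.log.
SAMPLE_LOG = [
    "IP (tos 0x0, ttl 51, id 7, offset 0, flags [DF], proto TCP (6), length 60) 198.51.100.7.41234 > 203.0.113.5.80: Flags [P.], length 8",
    "    203.0.113.9.55000 > 203.0.113.5.80: Flags [P.], length 8",
    "    127.0.0.1.33000 > 127.0.0.1.80: Flags [P.], length 8",
    "    203.0.113.9.55001 > 203.0.113.5.8080: Flags [P.], length 8",
    "    198.51.100.7.41235 > 203.0.113.5.80: Flags [P.], length 8",
]

if __name__ == '__main__':                # tail -f /tmp/ip.log | python3 block_flood.py
    for ip in block_sources(sys.stdin, threshold=2):
        print(ip, 'blocked', flush=True)
```

Because grep block-buffers when its output is a file, add --line-buffered to both grep invocations in the tcpdump pipeline, or the log (and therefore this loop) lags a buffer's worth of lines behind the attack.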

This did it: the server freed up and we could serve pages again 🙂 No need to recompile at all!
