Today we had some fun; a DDOS attack from some kind of botnet. We saw hundreds (thousands) of IPs sending something to Apache like:
$MyNick Aando|$Lock EXTENDEDPROT
The new Linux kernel's iptables can DROP/REJECT based on strings, but I was not going to recompile and install an experimental kernel for this ‘little problem’, risking more downtime than necessary.
So I used sniffing to detect problems:
tcpdump -l -n -vvv -i eth0 -A | grep --line-buffered -B 1 '\$MyNick' | grep --line-buffered '\.80:' > /tmp/ip.log
(grepping for port .80: because it is attacking my webserver)
Then a killer perl script to block the offending IPs:
#!/usr/bin/perl
use strict;
use warnings;
$| = 1;                  # don't buffer the "blocked" messages
my %ips = ();            # IPs already rejected, so each one gets a single rule
open(my $F, '-|', 'tail -f /tmp/ip.log') or die "cannot run tail: $!";
while (<$F>) {
    chomp;
    # tcpdump header line: "... ) SRC.PORT > DST.PORT: ..." - capture the source address
    next unless /\) (\d+?\.\d+?\.\d+?\.\d+?)\..*?>/;
    my $ip = $1;
    next if $ip =~ /^127\.0\.0/;
    if (!$ips{$ip}) {
        $ips{$ip} = 1;
        # list form: $ip is passed as one argument, never through a shell
        system('iptables', '-A', 'INPUT', '-p', 'tcp', '--source', $ip,
               '--dport', '80', '-j', 'REJECT') == 0
            or warn "iptables failed for $ip: $?\n";
        print "$ip blocked\n";
    }
}
close($F);
This’ll do it; server freed up and we could serve again nicely 🙂 No need for recompiling at all!
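As an added example (not the post's own code), the same pipeline logic in Python: it pairs each $MyNick payload line with the most recent tcpdump header, keeps only sources that hit local port 80, skips loopback, counts hits so a threshold can be applied before blocking, and builds the REJECT rule as an argv list. The tcpdump lines are constructed samples using documentation address ranges.

```python
import re

# "src.port > dst.port:" as printed by tcpdump -n; older versions put it on the
# "IP (...)" header line, newer ones on the next line, and both are handled here.
HDR_RE = re.compile(r'(\d{1,3}(?:\.\d{1,3}){3})\.(\d+) > (\d{1,3}(?:\.\d{1,3}){3})\.(\d+):')

def attacker_ips(lines, signature='$MyNick', dport=80, min_hits=1, ignore=('127.',)):
    """Return {source_ip: hits} for hosts that sent `signature` to local port `dport`.
    Each payload line is paired with the most recent packet header, so a payload
    that spans several -A lines is still attributed to the right source."""
    hits, last = {}, None
    for line in lines:
        m = HDR_RE.search(line)
        if m:
            last = m
            continue
        if signature in line and last is not None:
            src, _, _, port = last.groups()
            if int(port) == dport and not src.startswith(ignore):
                hits[src] = hits.get(src, 0) + 1
    return {ip: n for ip, n in hits.items() if n >= min_hits}

def iptables_argv(ip):
    """Build the REJECT rule from the post as an argv list; the address is
    validated and passed as one argument, never interpolated into a shell."""
    if not re.fullmatch(r'\d{1,3}(?:\.\d{1,3}){3}', ip):
        raise ValueError(f'not an IPv4 address: {ip!r}')
    return ['iptables', '-A', 'INPUT', '-p', 'tcp', '--source', ip,
            '--dport', '80', '-j', 'REJECT']

# Constructed tcpdump -n -vvv -A output (addresses are documentation ranges).
SAMPLE = """\
10:01:02.000000 IP (tos 0x0, ttl 54, id 1, offset 0, flags [DF], proto TCP (6), length 82) 203.0.113.5.51234 > 198.51.100.10.80: P 1:43(42) ack 1 win 5840
$MyNick Bot1|$Lock EXTENDEDPROT
10:01:02.100000 IP (tos 0x0, ttl 64, id 2, offset 0, flags [DF], proto TCP (6), length 40) 198.51.100.10.80 > 203.0.113.5.51234: . ack 43 win 5792
10:01:02.200000 IP (tos 0x0, ttl 60, id 3, offset 0, flags [DF], proto TCP (6), length 59) 198.51.100.20.44321 > 198.51.100.10.22: P 1:20(19) ack 1 win 5840
SSH-2.0-OpenSSH
10:01:02.300000 IP (tos 0x0, ttl 51, id 4, offset 0, flags [DF], proto TCP (6), length 82) 203.0.113.7.40001 > 198.51.100.10.80: P 1:43(42) ack 1 win 5840
$MyNick Bot2|$Lock EXTENDEDPROT
10:01:02.400000 IP (tos 0x0, ttl 54, id 5, offset 0, flags [DF], proto TCP (6), length 82) 203.0.113.5.51235 > 198.51.100.10.80: P 1:43(42) ack 1 win 5840
$MyNick Bot1|$Lock EXTENDEDPROT
10:01:02.500000 IP (tos 0x0, ttl 64, id 6, offset 0, flags [DF], proto TCP (6), length 82) 127.0.0.1.33000 > 127.0.0.1.80: P 1:43(42) ack 1 win 32767
$MyNick local|$Lock EXTENDEDPROT
""".splitlines()

if __name__ == '__main__':
    for ip, n in attacker_ips(SAMPLE, min_hits=1).items():
        print(n, 'hit(s):', ' '.join(iptables_argv(ip)))
```

Feed it the live `tail -f /tmp/ip.log` stream instead of SAMPLE and run the argv with subprocess once an address crosses the threshold you choose.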