ghetto response to a ghetto DDoS attack on apache

Had to help two friends overcome a low-budget DDoS attack on their server. A few minutes after logging in I saw that a few thousand hosts were running simple stressers against their Apache, something I figured could be blocked with iptables.

So here it goes, my simple 'ghetto' response: three scripts, a few lines long each, to complement the bif, the basic iptables firewall.

First get_them.sh, a little script that lists the IP addresses connected to a port, sorted by number of connections in descending order.


#!/bin/bash
#g0 2013 get_them.sh
#Sort the IP addresses with connections to the PORT according to the number of connections
#Usage: ./get_them.sh PORT
PORT=${1}
#Match the local-port column exactly (PORT=80 must not also count 8080), skip the
#listening socket itself (foreign address :*), strip the remote port, then count
#connections per remote address, highest first.
netstat -punta | awk -v port="${PORT}" '$4 ~ (":" port "$") && $5 !~ /:\*$/ {print $5}' | awk -F ":" '{print $1}' | sort | uniq -c | sort -nr




I piped get_them.sh to a pager to get a better view:
# ./get_them.sh 80 | less


Next, another little script, xworst.sh, that takes the x IP addresses with the most connections to a port and appends them to a list (bif.bad).


#!/bin/bash
#g0 2013 xworst.sh
#Add Top x get_them IP addresses in a list
#Usage: ./xworst.sh PORT COUNT   (appends COUNT addresses to ./bif.bad)
PORT=${1}
COUNT=${2}
./get_them.sh "${PORT}" | head -n "${COUNT}" | awk '{print $2}' >> bif.bad



And finally a script that adds iptables rules to drop all traffic to and from these IP addresses.


#!/bin/bash
#g0 2013 block those bastards

#Put your own IP addresses on this white list (they are never blocked)
WHITE_LIST="192.0.2.222|192.0.2.246|192.0.2.123"
IPTABLES="/sbin/iptables"
BIF_BAD_IP_FILE="./bif.bad.go"
BIF_BAD="./bif.bad"

#Remove duplicates (xworst.sh appends on every run) and white-listed addresses.
#The pattern is anchored so a white-listed 192.0.2.222 does not also hide 192.0.2.22.
sort -u "${BIF_BAD}" | grep -E -v "^(${WHITE_LIST})$" > "${BIF_BAD_IP_FILE}"

#Block Bad IP addresses and sets of IP addresses in CIDR notation
if [ -e "${BIF_BAD_IP_FILE}" ] ; then
    for BAD_IP in $(cat "${BIF_BAD_IP_FILE}"); do
        ${IPTABLES} -A OUTPUT -d ${BAD_IP} -j DROP
        ${IPTABLES} -A INPUT -s ${BAD_IP} -j DROP
    done
fi
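
The three steps above folded into one script, as an added example that is not part of the original post: the same count, top-x and block logic as functions that read a netstat listing from stdin, so they can be tried against a constructed sample of netstat output before being pointed at a live socket table. The sample addresses, the whitelist format and the dry-run output of iptables commands are my assumptions.

```shell
#!/bin/bash
# Added example, not from the original post: the three scripts as functions
# that read a netstat listing from stdin instead of the live socket table, so
# the counting, top-N pick and whitelist filter can be checked offline.
IPTABLES="/sbin/iptables"
WHITE_LIST="192.0.2.222|192.0.2.246|192.0.2.123"   # same format as the post
# Constructed sample of `netstat -punta` output, headers included on purpose.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address   Foreign Address     State       PID/Program name
tcp        0      0 0.0.0.0:80      0.0.0.0:*           LISTEN      1234/apache2
tcp        0      0 192.0.2.10:80   198.51.100.7:51002  ESTABLISHED 1234/apache2
tcp        0      0 192.0.2.10:80   198.51.100.7:51003  ESTABLISHED 1234/apache2
tcp        0      0 192.0.2.10:80   198.51.100.7:51004  SYN_RECV    -
tcp        0      0 192.0.2.10:80   203.0.113.9:40001   ESTABLISHED 1234/apache2
tcp        0      0 192.0.2.10:80   203.0.113.9:40002   ESTABLISHED 1234/apache2
tcp        0      0 192.0.2.10:80   192.0.2.222:33000   ESTABLISHED 1234/apache2
tcp        0      0 192.0.2.10:8080 198.51.100.200:1111 ESTABLISHED 5678/java'

# get_them PORT: remote IPs with connections to local port PORT, most first.
# Matches the local-port column exactly (80 does not also pick up 8080) and
# skips the listening socket, whose foreign address is 0.0.0.0:*.
get_them() {
    awk -v port="$1" '$4 ~ (":" port "$") && $5 !~ /:\*$/ {
        sub(/:[0-9]+$/, "", $5); print $5 }' | sort | uniq -c | sort -nr
}

# xworst PORT COUNT: the COUNT remote IPs with the most connections to PORT.
xworst() {
    get_them "$1" | head -n "$2" | awk '{print $2}'
}

# filter_whitelist LIST: drop stdin lines that exactly equal a LIST entry, so
# 192.0.2.22 is not hidden by a whitelisted 192.0.2.222 (the post's unanchored
# egrep also treats the dots as wildcards).
filter_whitelist() {
    awk -v wl="$1" 'BEGIN { n = split(wl, w, "[|]"); for (i = 1; i <= n; i++) ok[w[i]] = 1 }
                    !($0 in ok)'
}
# drop_rules: print the two iptables commands per IP instead of running them,
# so the list can be reviewed first; pipe the output into sh to apply it.
drop_rules() {
    while IFS= read -r ip; do
        printf '%s -A INPUT -s %s -j DROP\n'  "$IPTABLES" "$ip"
        printf '%s -A OUTPUT -d %s -j DROP\n' "$IPTABLES" "$ip"
    done
}

# Dry run over the sample; on a live server feed `netstat -punta` instead.
printf '%s\n' "$SAMPLE_NETSTAT" | xworst 80 2 | filter_whitelist "$WHITE_LIST" | drop_rules
```

Against the sample this prints drop rules for 198.51.100.7 and 203.0.113.9 only; 192.0.2.222 has a connection but is white-listed, and the 8080 connection is ignored.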



Like I said, this is a ghetto response to a ghetto DDoS attack ... don't expect it to withstand anything sophisticated.


