So here it goes -- my simple 'ghetto' response -- three simple scripts, a few lines long each, to complement the bif, the basic iptables firewall.
First, get_them.sh, a little script that sorts, in descending order, the IP addresses with the most connections to a port.
#!/bin/bash
#g0 2013 get_them.sh
#Sort the IP addresses with connections to the PORT according to the number of connections
PORT=${1}
#The space after the port keeps ":80" from also matching ":8080"; the ":*" filter drops the LISTEN row
netstat -punta | grep ":${PORT} " | grep -v ":\*" | awk '{print $5}' | awk -F ":" '{print $1}' | sort | uniq -c | sort -nr
I piped get_them.sh to a pager to get a better view:
# ./get_them.sh 80 | less
Next, another little script, xworst.sh, that takes the x IP addresses with the most connections to a port and puts them in a list.
#!/bin/bash
#g0 2013 xworst.sh
#Add Top x get_them IP addresses in a list
PORT=${1}
COUNT=${2}
./get_them.sh "${PORT}" | head -n "${COUNT}" | awk '{print $2}' >> bif.bad
And finally, a script to add iptables rules to drop all traffic to and from these IP addresses.
#!/bin/bash
#g0 2013 block those bastards
#Put your IP addresses on this white list
WHITE_LIST="192.0.2.222|192.0.2.246|192.0.2.123"
IPTABLES="/sbin/iptables"
BIF_BAD_IP_FILE="./bif.bad.go"
BIF_BAD="./bif.bad"
#Remove whitelisted addresses (whole-line match, so 192.0.2.22 would not also remove 192.0.2.222)
#and de-duplicate, since xworst.sh appends to bif.bad on every run
grep -Evx "${WHITE_LIST}" "${BIF_BAD}" | sort -u > "${BIF_BAD_IP_FILE}"
#Block Bad IP addresses and sets of IP addresses in CIDR notation
if [ -e "${BIF_BAD_IP_FILE}" ] ; then
  for BAD_IP in $(cat "${BIF_BAD_IP_FILE}"); do
    ${IPTABLES} -A OUTPUT -d "${BAD_IP}" -j DROP
    ${IPTABLES} -A INPUT -s "${BAD_IP}" -j DROP
  done
fi
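A sturdier take on the get_them.sh / whitelist idea, added here as an example and not part of the original post: it counts peers only from the local-address column on the exact port (a bare grep ":80" also matches ":8080"), keeps IPv6 peers intact (splitting on ":" mangles them), and whitelists by whole-line match. The netstat lines are constructed sample data, and the function names are my own.

```shell
# Constructed sample of `netstat -punta` output (not real data): IPv4 and
# IPv6 peers on port 80, one peer on 8080, and a LISTEN row.
sample_netstat() {
  cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/apache2
tcp        0      0 192.0.2.10:80           198.51.100.7:44321      ESTABLISHED 1234/apache2
tcp        0      0 192.0.2.10:80           198.51.100.7:44322      ESTABLISHED 1234/apache2
tcp        0      0 192.0.2.10:80           198.51.100.7:44323      SYN_RECV    -
tcp        0      0 192.0.2.10:80           203.0.113.9:51000       ESTABLISHED 1234/apache2
tcp        0      0 192.0.2.10:8080         203.0.113.9:51001       ESTABLISHED 1234/apache2
tcp6       0      0 :::80                   2001:db8::5:40000       ESTABLISHED 1234/apache2
tcp6       0      0 :::80                   2001:db8::5:40001       ESTABLISHED 1234/apache2
tcp6       0      0 :::80                   2001:db8::5:40002       ESTABLISHED 1234/apache2
tcp6       0      0 :::80                   2001:db8::5:40003       ESTABLISHED 1234/apache2
EOF
}

# top_talkers PORT COUNT  (netstat output on stdin)
# Prints "<connections> <ip>" for the COUNT busiest peers of local port PORT.
# Unlike grep ":PORT", it looks only at the local-address column and only
# for that exact port (":80" would otherwise also match ":8080"), and it
# strips the peer port with a regex so IPv6 addresses keep their colons.
top_talkers() {
  awk -v port="$1" '
    $1 ~ /^tcp/ && $4 ~ (":" port "$") && $6 != "LISTEN" {
      ip = $5
      sub(/:[0-9]+$/, "", ip)
      count[ip]++
    }
    END { for (ip in count) print count[ip], ip }
  ' | sort -k1,1nr -k2 | head -n "$2"
}

# not_whitelisted 'ip1|ip2'  (one address per line on stdin)
# Whole-line match, so 192.0.2.22 on the list does not also shield 192.0.2.222.
not_whitelisted() {
  grep -Evx "$1"
}
```

Feed it the real thing with `netstat -punta | top_talkers 80 10 | awk '{print $2}' | not_whitelisted "$WHITE_LIST"` to get the same list xworst.sh produces.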
Like I said, this is a ghetto response to a ghetto DDoS attack ... don't expect it to withstand anything sophisticated.
A ghetto response to a ghetto DDoS attack on Apache