ghetto response to a ghetto DDoS attack on apache

Had to help two friends overcome a low-budget DDoS attack on their server. A few minutes after logging in I figured out that a few thousand hosts were running simple stressers against their Apache, something that could be blocked with iptables, I figured.

So here it goes -- my simple 'ghetto' response -- three simple scripts, a few lines long each, to complement the bif -- the basic iptables firewall.

First, a little script that sorts, in descending order, the IP addresses with the most connections to a port.

#!/bin/bash
#g0 2013
#Sort the IP addresses with connections to the PORT according to the number of connections
PORT=$1
#$5 is the foreign address column; drop the ":*" listeners, strip the remote port, count and sort
netstat -punta | grep ":${PORT}" | grep -v ":\*" | awk '{print $5}' | awk -F ":" '{print $1}' | sort | uniq -c | sort -nr

I piped it to a pager to get a better view:
#./ 80 |less

Next, another little script that takes the top x IP addresses with the most connections to a port and appends them to a list.

#!/bin/bash
#g0 2013
#Add the top x get_them IP addresses to a list
PORT=$1
COUNT=$2
#Run the sorter for the port, keep the first COUNT lines, keep only the IP column and append to bif.bad
./ ${PORT} | head -n "${COUNT}" | awk '{print $2}' >> bif.bad

And finally, a script to add iptables rules to drop all traffic to and from these IP addresses.

#!/bin/bash
#g0 2013 block those bastards

#Put your IP addresses on this white list (an egrep pattern such as "1.2.3.4|5.6.7.8"; the loopback entry is only a placeholder)
WHITE_LIST="127.0.0.1"
IPTABLES="/sbin/iptables"
BIF_BAD_IP_FILE="./bif.bad.go"
BIF_BAD="./bif.bad"
#Strip whitelisted addresses from the list before blocking anything
cat ${BIF_BAD} | egrep -v "${WHITE_LIST}" > ${BIF_BAD_IP_FILE}
#Block Bad IP addresses and sets of IP addresses in CIDR notation
if [ -e "$BIF_BAD_IP_FILE" ] ; then
        for BAD_IP in `cat ${BIF_BAD_IP_FILE}`; do
                ${IPTABLES} -A OUTPUT -d ${BAD_IP} -j DROP
                ${IPTABLES} -A INPUT -s ${BAD_IP} -j DROP
        done
fi
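As an added example (my own code, not the scripts from the post), here are the three steps folded into shell functions that read netstat-style text on stdin instead of calling netstat, so the parsing can be checked offline without root or a live attack. It assumes the column layout of netstat -punta (Proto, Recv-Q, Send-Q, Local Address, Foreign Address, State, PID/Program); the function names and the sample connection table are invented. It also handles two things the one-liners above trip over: grep ":80" also matches :8080, and splitting the foreign address on ":" mangles IPv6 peers.

```shell
#!/bin/bash
# Added example, not from the original post: the three ghetto scripts as shell
# functions fed with netstat-style text, checked offline on a constructed sample.
# Assumptions: netstat -punta column layout (Proto Recv-Q Send-Q Local Foreign
# State PID/Program); the function names and the sample below are invented.

# Constructed sample in netstat -punta layout; addresses are from the RFC 5737 /
# RFC 3849 documentation ranges, so they are not real hosts.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/apache2
tcp        0      0 192.0.2.5:80            198.51.100.7:51012      ESTABLISHED 1234/apache2
tcp        0      0 192.0.2.5:80            198.51.100.7:51013      SYN_RECV    -
tcp        0      0 192.0.2.5:80            198.51.100.7:51014      ESTABLISHED 1234/apache2
tcp        0      0 192.0.2.5:80            203.0.113.9:40001       ESTABLISHED 1234/apache2
tcp        0      0 192.0.2.5:80            203.0.113.9:40002       ESTABLISHED 1234/apache2
tcp        0      0 192.0.2.5:22            203.0.113.9:40003       ESTABLISHED 999/sshd
tcp        0      0 192.0.2.5:8080          192.0.2.44:33332        ESTABLISHED 4321/java
tcp        0      0 192.0.2.5:80            192.0.2.44:33333        TIME_WAIT   -
tcp6       0      0 :::80                   :::*                    LISTEN      1234/apache2
tcp6       0      0 2001:db8::5:80          2001:db8::bad:60000     ESTABLISHED 1234/apache2'

# Step 1 (the sorter): connections per remote address on local port $1, most first.
top_talkers() {
    awk -v port="$1" '
        # match the LOCAL address column, anchored, so port 80 does not pick up :8080
        $4 ~ (":" port "$") && $5 !~ /:\*$/ {
            ip = $5
            sub(/:[^:]*$/, "", ip)   # strip only the remote port; IPv6 addresses stay whole
            count[ip]++
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Step 2 (the lister): keep the top $2 offenders on port $1, drop anything matching
# the whitelist pattern $3, and merge into list file $4 without duplicates, so
# re-running during an attack does not grow the file with repeats as ">>" alone would.
build_blocklist() {
    port="$1"; count="$2"; whitelist="$3"; listfile="$4"
    touch "$listfile"
    top_talkers "$port" | head -n "$count" | awk '{print $2}' \
        | grep -E -v "^(${whitelist})$" >> "$listfile" || true
    sort -u -o "$listfile" "$listfile"
}

# Step 3 (the blocker): print the DROP rules for every listed address instead of
# applying them, so they can be reviewed first (pipe the output to sh as root to
# apply). IPv6 addresses need ip6tables; plain iptables rejects them.
block_rules() {
    listfile="$1"; iptables="${2:-/sbin/iptables}"; ip6tables="${3:-/sbin/ip6tables}"
    while read -r bad_ip; do
        [ -n "$bad_ip" ] || continue
        case "$bad_ip" in
            *:*) tool="$ip6tables" ;;
            *)   tool="$iptables" ;;
        esac
        echo "$tool -A INPUT -s $bad_ip -j DROP"
        echo "$tool -A OUTPUT -d $bad_ip -j DROP"
    done < "$listfile"
}

# Demo on the constructed sample: top 3 talkers on port 80, with 192.0.2.44 whitelisted.
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_NETSTAT" | build_blocklist 80 3 '192.0.2.44' "$tmp"
    block_rules "$tmp"
    rm -f "$tmp"
}
demo
```

To use it against a live box, replace the sample with `netstat -punta | build_blocklist 80 50 "$WHITE_LIST" ./bif.bad` and then `block_rules ./bif.bad | sh` as root; the whitelist is an egrep alternation exactly as in the blocker script above, and the anchored match means a single port number never bleeds into neighbouring ports.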

Like I said, this is a ghetto response to a ghetto DDoS attack ... don't expect it to withstand anything sophisticated.
