Hi guys,
I know very little about shell scripting so I could really use some help.
I really hope what I had in mind is possible to realize with some script since alternative is to purchase a hardware firewall which are expensive for me to rent from hosting companies.
Our site has been getting syn flood attacks but they are not very massive, coming from few ips at the time. But it still causes a load to go higher and slows down the page loading.
What I had in mind is a script that would run this command:
netstat -ntu | grep SYN_RECV
which gives an output like this:
First ip is server ip which I replaced with a fake one. Other group of ips are visitors or attackers. I imagine some of these requests are valid.Code:tcp 0 0 200.55.55.15:80 41.219.58.5:4772 SYN_RECV tcp 0 0 200.55.55.15:80 82.151.89.21:4805 SYN_RECV tcp 0 0 200.55.55.15:80 84.150.243.31:60048 SYN_RECV tcp 0 0 200.55.55.15:80 217.171.181.137:61908 SYN_RECV tcp 0 0 200.55.55.15:80 41.219.58.5:4770 SYN_RECV tcp 0 0 200.55.55.15:80 88.247.216.117:2597 SYN_RECV tcp 0 0 200.55.55.15:80 88.247.216.117:2595 SYN_RECV tcp 0 0 200.55.55.15:80 86.11.22.135:1090 SYN_RECV
So I was thinking it would be good to set up a script which would run netstat command like 10 times with 10 second interval in between and grep those visitor ips that repeated in 8 out of 10 of those results and then block them with iptables.
Thanks in advance for any help
Results 1 to 3 of 3
-
9th June 2009, 03:29 AM #1Junior Member
- Join Date
- Jun 2006
- Posts
- 23
- Thanks
- 0
- Thanked 0 Times in 0 Posts
- Rep Power
- 0
A script top stop small scale syn flood ?
-
9th June 2009, 10:45 PM #2Junior Member
- Join Date
- Jun 2006
- Posts
- 23
- Thanks
- 0
- Thanked 0 Times in 0 Posts
- Rep Power
- 0
Never mind. Don't both replying to this one.
The ips change too often and even if this was done it wouldn't accomplish much.
11th June 2009, 02:14 AM #3Never say die
- Join Date
- Jan 2005
- Location
- BIOS
- Posts
- 4,374
- Thanks
- 17
- Thanked 754 Times in 496 Posts
- Rep Power
- 10
How about iptables configuration?
See Linux Iptables Firewall Shell Script For Standalone ServerCode:# Block sync $IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Drop Sync" $IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -j DROP
All [Solved] threads are closed by mods / admin to avoid spam issues. See Howto mark a thread as [Solved]
Thread Information
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)
Similar Threads
-
Small Issue : please help resolvinig it
By ermunishanand in forum Shell scriptingReplies: 1Last Post: 11th October 2008, 01:54 AM -
Change /tmp path on KDE as it is too small for KDE
By marccarter0 in forum Ubuntu / DebianReplies: 2Last Post: 26th May 2008, 09:34 PM -
Small handy one liners
By digen in forum Getting started tutorialsReplies: 0Last Post: 7th February 2007, 03:40 PM -
Apache SYN Flood Attacks and how to stop / avoid them
By cbzee in forum Web serversReplies: 1Last Post: 21st December 2006, 03:30 AM -
start up and stop the running script
By mala_un in forum Shell scriptingReplies: 9Last Post: 26th July 2006, 07:10 AM
Tags for this Thread
Posting Permissions
Reply With Quote