Thread: A script to stop small scale syn flood ?

  1. #1

    Hi guys,
    I know very little about shell scripting so I could really use some help.

    I really hope what I had in mind is possible to realize with some script, since the alternative is to purchase a hardware firewall, which is expensive for me to rent from hosting companies.
    Our site has been getting syn flood attacks but they are not very massive, coming from a few IPs at a time. But it still causes the load to go higher and slows down the page loading.

    What I had in mind is a script that would run this command:

    netstat -ntu | grep SYN_RECV

    which gives an output like this:
    Code:
    tcp        0      0 200.55.55.15:80           41.219.58.5:4772            SYN_RECV
    tcp        0      0 200.55.55.15:80           82.151.89.21:4805           SYN_RECV
    tcp        0      0 200.55.55.15:80           84.150.243.31:60048         SYN_RECV
    tcp        0      0 200.55.55.15:80           217.171.181.137:61908       SYN_RECV
    tcp        0      0 200.55.55.15:80           41.219.58.5:4770            SYN_RECV
    tcp        0      0 200.55.55.15:80           88.247.216.117:2597         SYN_RECV
    tcp        0      0 200.55.55.15:80           88.247.216.117:2595         SYN_RECV
    tcp        0      0 200.55.55.15:80           86.11.22.135:1090           SYN_RECV
    The first IP is the server IP, which I replaced with a fake one. The other group of IPs are visitors or attackers. I imagine some of these requests are valid.
    So I was thinking it would be good to set up a script which would run the netstat command like 10 times with a 10 second interval in between, grep those visitor IPs that repeated in 8 out of 10 of those results, and then block them with iptables.

    Thanks in advance for any help
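
The sampling idea described in the post above, as an added example that is not part of the original thread. The function names, the `synwatch.sh` file name, the `run` argument and the printed iptables rule are assumptions; only IPv4 `tcp` lines are considered.

```sh
#!/bin/sh
# Added example (not from the thread): flag remote IPv4 addresses that sit in
# SYN_RECV across most of a series of netstat samples. Function names, the
# "run" argument and the printed iptables rule are assumptions of this example.

# Read `netstat -ntu` output on stdin; print each distinct remote IPv4
# address holding at least one SYN_RECV socket (port stripped, one per line).
syn_recv_ips() {
    awk '$1 == "tcp" && $6 == "SYN_RECV" {
             sub(/:[0-9]+$/, "", $5)
             if ($5 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) print $5
         }' | sort -u
}

# repeat_offenders THRESHOLD FILE...  Each FILE is one sample; print the
# addresses seen in SYN_RECV in at least THRESHOLD of the samples.
repeat_offenders() {
    threshold=$1
    shift
    for f in "$@"; do
        syn_recv_ips < "$f"
    done | sort | uniq -c | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# collect COUNT INTERVAL DIR  Take COUNT live samples, INTERVAL seconds apart.
collect() {
    i=1
    while [ "$i" -le "$1" ]; do
        netstat -ntu > "$3/sample.$i"
        if [ "$i" -lt "$1" ]; then sleep "$2"; fi
        i=$((i + 1))
    done
}

# `sh synwatch.sh run`: 10 samples, 10 s apart, threshold 8 as in the post.
# Rules are printed for review rather than applied.
if [ "${1:-}" = "run" ]; then
    dir=$(mktemp -d) || exit 1
    collect 10 10 "$dir"
    repeat_offenders 8 "$dir"/sample.* | while read -r ip; do
        echo "iptables -I INPUT -s $ip -p tcp --dport 80 -j DROP"
    done
    rm -rf "$dir"
fi
```

SYN floods frequently carry spoofed source addresses, so a per-address block can miss the real sender or cut off an uninvolved host; read the printed rules before applying any of them.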

  2. #2

    Never mind. Don't bother replying to this one.
    The ips change too often and even if this was done it wouldn't accomplish much.

  3. #3
    nixcraft

    How about iptables configuration?
    Code:
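    # Block sync
    # $IPT (path to the iptables binary) and ${PUB_IF} (public interface) must be set before these lines run.
    # Log, rate-limited, and then drop NEW TCP packets that do not have the SYN flag set.
    $IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW  -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Drop Sync"
    $IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -j DROP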
    See Linux Iptables Firewall Shell Script For Standalone Server