jon-f
07-21-2007, 07:06 PM
I use csf for my firewall, but I use the DoS Deflate netstat command to see which IPs are connected and how many.
This one:
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
I made the above into a command called "ddos"
Then I made another command called "nst" which simply is
netstat -ntu
So today I was having some SYN get through on a site; it wasn't really affecting much, but I would like to ban the attacking IPs anyway. So I took the netstat command above and made this to show how many times each IP was sending SYN:
nst | grep SYN_RECV | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
So it worked and showed how many times each IP was sending SYN. Here is the output of this from when the IPs were getting through:
root@cp [~]# syn
1 195.175.125.40
1 85.108.3.32
1 88.254.253.100
2 88.227.0.175
2 88.232.28.100
2 88.251.76.170
3 71.84.212.16
3 85.102.81.210
3 88.229.213.34
4 88.254.224.182
5 85.101.240.251
5 85.178.238.56
5 88.241.148.89
5 88.244.0.123
6 85.102.136.214
6 85.110.207.171
7 88.235.151.135
8 88.224.208.150
10 85.103.250.235
13 81.214.32.133
20 81.243.97.119
27 88.237.198.125
All of these were attacking IPs.
So my idea was to make this kind of like DoS Deflate, where it runs this command and any IP sending SYN over the allowed number would be firewalled using the csf -d command, as I use csf for my firewall. Seeing as a legit user will rarely be sending over 2-4 SYN packets at once, 5 would be a good option.
So I suppose that would be in the cron; I'd like to run the cron every minute and if it sees any IP sending SYN over 5 times, ban them with csf.
Does anyone have a good idea on how I can do this?
Now I'm gonna look at DoS Deflate and see what features I can borrow from it. I guess we can call this Syn Deflate lol.
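One way to turn the pipeline above into the cron job the post asks for, as an added example that is not jon-f's code or part of DoS Deflate or csf: it counts SYN_RECV entries per remote address, prints anything over the limit, and hands those addresses to `csf -d`. The netstat output embedded below is constructed for an offline dry run; the threshold of 5 and the `csf -d` command are the ones the post names.

```shell
#!/bin/sh
# Added example (not from the original post): count SYN_RECV entries per remote
# IP in `netstat -ntu` output and hand anything over the limit to `csf -d`.
SYN_LIMIT="${SYN_LIMIT:-5}"   # the post's threshold: ban when more than 5
DRY_RUN="${DRY_RUN:-1}"       # 1 = only print what would be banned

# Constructed sample of `netstat -ntu` output for an offline run (not real data).
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             192.0.2.10:40001        SYN_RECV
tcp        0      0 10.0.0.5:80             192.0.2.10:40002        SYN_RECV
tcp        0      0 10.0.0.5:80             192.0.2.10:40003        SYN_RECV
tcp        0      0 10.0.0.5:80             192.0.2.10:40004        SYN_RECV
tcp        0      0 10.0.0.5:80             192.0.2.10:40005        SYN_RECV
tcp        0      0 10.0.0.5:80             192.0.2.10:40006        SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:51000       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:51001       SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:6000       ESTABLISHED'

# Print "count ip" for every remote address with a SYN_RECV entry, highest first.
# Matching on the State column ($6) avoids accidental hits on other columns.
syn_counts() {
    awk '$6 == "SYN_RECV" { sub(/:[0-9]+$/, "", $5); print $5 }' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Print only the addresses whose count is strictly above the limit given as $1.
offenders() {
    syn_counts | awk -v lim="$1" '$1 > lim { print $2 }'
}

# Read one address per line and block it with csf (or just report in dry-run mode).
ban_offenders() {
    while read -r ip; do
        [ -n "$ip" ] || continue
        if [ "$DRY_RUN" = 1 ]; then
            echo "would run: csf -d $ip"
        else
            csf -d "$ip" "syn-deflate: more than $SYN_LIMIT SYN_RECV entries"
        fi
    done
}

# Demo run against the sample; on a server replace the printf with: netstat -ntu
printf '%s\n' "$SAMPLE_NETSTAT" | offenders "$SYN_LIMIT" | ban_offenders
```

Run it with DRY_RUN=1 first to see which addresses would be banned; a crontab line such as `* * * * * DRY_RUN=0 /usr/local/sbin/syn-deflate.sh` runs it every minute as the post proposes. Note that this only catches floods from real source addresses: a flood with spoofed sources spreads its SYN_RECV entries over random IPs, so no single address crosses the limit.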
