  1. #1
    Join Date
    Aug 2007
    Posts
    118

    Automatic reporting of DDoS attacks?

    I have a list of IPs that have attacked my server with a reflective DDoS attack.

    I am manually searching each IP to send an abuse email for each host.

    Is there a faster or even automated way of doing this?

  2. #2
    Join Date
    Nov 2000
    Location
    localhost
    Posts
    3,771
    I imagine you can do this pretty easily from the shell; ask your server admin to script you something.

    I would tackle it something like this. First, presuming you have collected the IPs into a simple text file called badips.txt

    sort -u badips.txt
    removes duplicates

    Then pipe this into something to lookup the IP:

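    #!/bin/bash
    # Reads one IP per line on stdin and prints "ip:abuse-email" for each.

    whoisServer="whois.arin.net"
    while IFS= read -r badip; do
        # Take the second field of each OrgAbuseEmail line, sort, keep the first.
        abuseEmail=$(whois -h "$whoisServer" "$badip" | awk '/^OrgAbuseEmail/ { print $2 }' | sort | head -n1)
        echo "$badip:$abuseEmail"
    done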


    The awk matches lines that start with OrgAbuse and prints the second field collected; sort is a quick hack to promote abuse@ to the top, and head skims only the top result. This is very rudimentary; you probably want to expand on this to check different whois servers depending on the IPs etc.

    Okay so chaining we have

    sort -u badips.txt | bash iplookup


    Which yields
    8.8.8.8:arin-contact@google.com
    8.8.4.4:abuse@level3.com
    ...


    Okay, so now pipe this to something that can split by : and fire off your email template. You could probably one-line this with xargs -n1 and -I, but it is probably cleaner to read if you write another bash script (keeping with the unix style of do one thing well).

    So perhaps something like

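    #!/bin/bash
    # Reads "ip:email" lines on stdin and mails one report per line.

    template="abuse-template.txt"   # placeholder name for your report text

    while IFS= read -r badLine; do
        badIp=${badLine%%:*}
        badEmail=${badLine##*:}
        [ -n "$badEmail" ] || continue   # no abuse contact was found for this IP
        # I'm not testing this but you get the idea
        # The body comes from the template so mailx does not swallow the loop's stdin.
        mailx -s "IP: $badIp dos'ing me" "$badEmail" < "$template" # see man mail/mailx for templates etc.; I imagine you'll have to include an attachment showing proof etc.
    done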



    Disclaimer: Don't copy and paste the above; as a whole solution it is untested (especially the mail script), but it should give you some ideas... If you have a server management company, they are working in the shell daily, so they should be able to script a more resilient and error-free version of the above relatively quickly.

    Good luck.
    Last edited by MattF; 06-04-2012 at 01:30 AM.
    MattF - Since the start..

  3. #3
    Nice one MattF - I am going to try this too. Looks like it should work, with a little tweaking. Thanks!

  4. #4
    Join Date
    Oct 2011
    Posts
    57
    So why don't some IPs have any abuse emails listed? How am I supposed to get the abuse email from these?

    root@locahost:~$ whois -h "whois.arin.net" 199.15.251.1
    #
    # Query terms are ambiguous. The query is assumed to be:
    # "n 199.15.251.1"
    #
    # Use "?" to get help.
    #

    #
    # The following results may also be obtained via:
    # http://whois.arin.net/rest/nets;q=19...se&ext=netref2
    #

    Reliable Hosting Services RELIABLE-HOSTING-NETWORK (NET-199-15-248-0-1) 199.15.248.0 - 199.15.255.255
    Brdedicados BRD-NET (NET-199-15-251-0-1) 199.15.251.0 - 199.15.251.31


    #
    # ARIN WHOIS data and services are subject to the Terms of Use
    # available at: https://www.arin.net/whois_tou.html
    #
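
An added example, not part of any post in this thread: a lookup that handles the multi-match summary quoted in post #4 by re-querying each listed NET handle until one record names an abuse contact. It assumes ARIN returns the full record when queried by handle and lists the narrowest block last; `fake_whois`, its per-handle records and the example.net addresses are constructed so the script runs offline.

```bash
#!/bin/bash
# Added example, not from the thread. WHOIS and WHOIS_SERVER are overridable.
WHOIS=${WHOIS:-whois}
WHOIS_SERVER=${WHOIS_SERVER:-whois.arin.net}

# stdin: whois text. Prints one OrgAbuseEmail value, preferring abuse@ addresses.
abuse_email() {
    awk '/^OrgAbuseEmail:/ {
             if ($2 ~ /^abuse@/) { print $2; hit = 1; exit }
             if (first == "") first = $2
         }
         END { if (!hit && first != "") print first }'
}

# stdin: whois text. Prints NET handles from "Name NAME (NET-...) start - end"
# summary lines, last listed first (assumption: narrowest block is listed last).
net_handles() {
    awk '!/^#/ && match($0, /\(NET6?-[0-9A-Za-z-]+\) [0-9A-Fa-f.:]+ - [0-9A-Fa-f.:]+ *$/) {
             h = substr($0, RSTART + 1); sub(/\).*/, "", h); a[++n] = h
         }
         END { for (i = n; i > 0; i--) print a[i] }'
}

# Prints "ip:email"; the email is empty when no record names an abuse contact.
# On a multi-match summary it re-queries each handle, narrowest block first.
lookup_abuse() (
    out=$($WHOIS -h "$WHOIS_SERVER" "$1")
    email=$(printf '%s\n' "$out" | abuse_email)
    if [ -z "$email" ]; then
        for handle in $(printf '%s\n' "$out" | net_handles); do
            email=$($WHOIS -h "$WHOIS_SERVER" "$handle" | abuse_email)
            [ -z "$email" ] || break
        done
    fi
    printf '%s:%s\n' "$1" "$email"
)

# Constructed stand-in for whois(1). Only the two summary lines are from the
# thread; the per-handle records and example.net addresses are made up.
fake_whois() {
    case $3 in
        NET-199-15-251-0-1) echo 'OrgTechEmail:  noc@example.net' ;;
        NET-199-15-248-0-1) printf 'OrgAbuseEmail:  %s\n' noc@example.net abuse@example.net ;;
        *) echo 'Reliable Hosting Services RELIABLE-HOSTING-NETWORK (NET-199-15-248-0-1) 199.15.248.0 - 199.15.255.255'
           echo 'Brdedicados BRD-NET (NET-199-15-251-0-1) 199.15.251.0 - 199.15.251.31' ;;
    esac
}

# With no arguments, run offline against the constructed records above.
[ $# -gt 0 ] || { WHOIS=fake_whois; set -- 199.15.251.1; }
for ip in "$@"; do lookup_abuse "$ip"; done
```

When the address comes from the wider block rather than the narrowest one, the report goes to the holder of the enclosing range, which is worth stating in the email.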
