06-04-2012, 12:39 AM #1 WHT Addict (Join Date: Aug 2007; Posts: 118)
Automatic reporting of DDoS attacks?
I have a list of IPs that have attacked my server with a reflective DDoS attack.
I am manually searching each IP to send an abuse email for each host.
Is there a faster or even automated way of doing this?
-
06-04-2012, 01:24 AM #2 Web Hosting Master (Join Date: Nov 2000; Location: localhost; Posts: 3,771)
I imagine you can do this pretty easy from the shell, ask your server admin to script you something.
I would tackle it something like this. First presuming you have collected the IPs into a simple text file called badips.txt
sort badips.txt | uniq
removes duplicates
Then pipe this into something to lookup the IP:
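#!/bin/bash
# Read one IP per line on stdin and print "ip:abuse-email" for each.
whoisServer="whois.arin.net"
while read -r badip; do
    # First OrgAbuseEmail value after sorting
    abuseEmail=$(whois -h "$whoisServer" "$badip" | awk '/^OrgAbuseEmail/ { print $2 }' | sort | head -n1)
    echo "$badip:$abuseEmail"
done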
The awk matches lines starting with OrgAbuse and prints the second field collected, sort is a quick hack to promote abuse@ to the top, head skims only the top result. This is very rudimentary, you probably want to expand on this to check different whois servers depending on the IPs etc..
Okay so chaining we have
sort badips.txt | uniq | bash iplookup
Which yields
8.8.8.8:arin-contact@google.com
8.8.4.4:abuse@level3.com
...
Okay so now pipe this to something that can split by : and fire off your email template. You could probably one-line this with xargs -n1 and -I, but it is probably cleaner to read if you write another bash script (keeping with the unix style of doing one thing well)
So perhaps something like
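#!/bin/bash
# Read "ip:abuse-email" lines on stdin and mail one report per line.
while read -r badLine; do
    badIp=${badLine%:*}        # everything before the last ':'
    badEmail=${badLine##*:}    # everything after the last ':'
    # Skip IPs for which no abuse address was found
    [ -n "$badEmail" ] || continue
    # I'm not testing this but you get the idea.
    # See man mail/mailx to include a template etc.. I imagine you'll have to
    # include an attachment showing proof etc..
    # mailx reads the body from stdin, so give it one explicitly (placeholder
    # text here); otherwise it swallows the rest of this loop's input.
    printf 'Traffic from %s is attacking my server.\n' "$badIp" | mailx -s "IP: $badIp dos'ing me" "$badEmail"
done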
Disclaimer: Don't copy and paste the above, as a whole solution it is untested (especially the mail script), but it should give you some ideas... If you have a server management company they are working in the shell daily so they should be able to script a more resilient and error-free version of the above relatively quickly
Good luck.
Last edited by MattF; 06-04-2012 at 01:30 AM.
MattF - Since the start..
-
06-04-2012, 11:50 AM #3 Disabled (Join Date: Mar 2007; Posts: 365)
Nice one MattF - I am going to try this too. Looks like it should work, with a little tweaking. Thanks!
-
06-27-2012, 02:16 AM #4 Junior Guru Wannabe (Join Date: Oct 2011; Posts: 57)
So why don't some IPs have any abuse emails listed? How am I supposed to get the abuse email from these?
root@locahost:~$ whois -h "whois.arin.net" 199.15.251.1
#
# Query terms are ambiguous. The query is assumed to be:
# "n 199.15.251.1"
#
# Use "?" to get help.
#
#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=19...se&ext=netref2
#
Reliable Hosting Services RELIABLE-HOSTING-NETWORK (NET-199-15-248-0-1) 199.15.248.0 - 199.15.255.255
Brdedicados BRD-NET (NET-199-15-251-0-1) 199.15.251.0 - 199.15.251.31
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
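An added example, not part of any post in this thread: the output in post #4 is ARIN's summary listing of several overlapping networks, which carries no contact fields, so the OrgAbuseEmail match finds nothing. The functions below order the listed NET handles from the smallest range up and pull an abuse address out of a full record; the function names are illustrative, and it is an assumption that querying a NET handle at whois.arin.net returns that network's full record.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are illustrative.
# Both parsers read whois text on stdin.

# From ARIN's summary listing ("Name NAME (NET-...) start - end", one line
# per match) print the NET handles, smallest address range first.
arin_handles_by_specificity() {
    awk '
        function ip2n(s,   a) {
            split(s, a, ".")
            return ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4]
        }
        /^#/ { next }    # ARIN comment lines
        match($0, /\(NET-[0-9-]+\)/) && $(NF - 1) == "-" {
            handle = substr($0, RSTART + 1, RLENGTH - 2)
            print ip2n($NF) - ip2n($(NF - 2)), handle
        }' | sort -n | cut -d" " -f2
}

# Print one abuse address from a full record: ARIN "OrgAbuseEmail:" or
# RIPE/APNIC-style "abuse-mailbox:", preferring an abuse@ mailbox.
# Returns 1 when the record has no such field.
extract_abuse_email() {
    awk '
        { key = tolower($1) }
        key == "orgabuseemail:" || key == "abuse-mailbox:" {
            if (best == "" || ($2 ~ /^abuse@/ && best !~ /^abuse@/)) best = $2
        }
        END { if (best == "") exit 1; print best }'
}

# Try the direct answer for an IP, then each listed network from most to
# least specific (customer reassignments may carry no abuse contact).
# Assumption: querying a NET handle at ARIN returns its full record.
lookup_abuse_email() {
    out=$(whois -h whois.arin.net "$1")
    printf '%s\n' "$out" | extract_abuse_email && return 0
    for handle in $(printf '%s\n' "$out" | arin_handles_by_specificity); do
        whois -h whois.arin.net "$handle" | extract_abuse_email && return 0
    done
    return 1
}
```

Inside the lookup loop from post #2, `abuseEmail=$(lookup_abuse_email "$badip")` would replace the single whois call; addresses registered outside ARIN still need a query to the responsible registry's whois server.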