  1. #1
    Join Date
    Feb 2003
    Location
    Montreal. Canada
    Posts
    222

    DDos Deflate Issue

    Hey guys,

    I know this isn't a support forum but I'm hoping someone that has experience using Ddos Deflate can provide me some insight.

    I've installed this bash script on a centos 5.5 server of mine using apf and for some odd reason it seems to be getting confused.

    Screenshot: http://i55.tinypic.com/2dtrnr6.jpg

    The screenshot above shows what I believe the issue is. I am thinking that it is not counting the IPs that have the ::fffff: in front of them.

    Has anyone come across this issue before?

  2. #2
    Join Date
    Mar 2002
    Location
    Philadelphia, PA
    Posts
    2,508
    Try this and compare the results:

    netstat -tunv | awk '{print $5}' | awk -F':' '{print $1}' | grep ^[0-9] | uniq -c | sort -rn

    Their command: netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

    Will include the IP addresses with ::ffff: this is being handled by the cut delimiter.
    Linux junkie | steward.io

  3. #3
    Join Date
    Feb 2003
    Location
    Montreal. Canada
    Posts
    222
    Hi ViGeek,

    First, thank you very much for your help!

    I've changed this line

    netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr

    to your line

    netstat -tunv | awk '{print $5}' | awk -F':' '{print $1}' | grep ^[0-9] | uniq -c | sort -rn

    However it doesn't seem to be counting the lines properly

    What I mean by that is that the output is coming out like this


    1 119.152.61.132
    1 119.152.61.132
    1 119.152.61.132
    1 119.152.61.132
    1 119.152.61.132
    1 119.152.61.132
    1 119.152.61.132
    1 119.152.61.132
    1 119.152.237.221
    1 119.152.232.122
    1 119.152.232.122
    1 119.152.232.122
    1 119.152.232.122

    When it should output like
    8 119.152.61.132
    1 119.152.237.221
    5 119.152.232.122

    Any ideas?

  4. #4
    Try

    netstat -tunv | awk '{print $5}' | awk -F':' '{print $1}' | grep ^[0-9] | sort -rn | uniq -c

  5. #5
    Join Date
    Mar 2002
    Location
    Philadelphia, PA
    Posts
    2,508
    That's odd, actually both those commands work for me without issue, tested on several servers as well.

    You can begin knocking out pieces of each command to see where the hang up is, perhaps it's the regex expression, dunno..

    netstat -tunv | awk '{print $5}' | awk -F':' '{print $1}' | uniq -c | sort -rn

    Doing this:
    netstat -tunv | awk '{print $5}' | awk -F':' '{print $1}' | grep ^[0-9] | sort -rn | uniq -c

    will place the greatest number of connections at the bottom of the list. Perhaps the results you were looking for were at the top
    Linux junkie | steward.io

  6. #6
    The first command does a uniq -c before sorting the IPs in numeric order which is why things are not added up properly.

    eg

    [[email protected] lighttpd]# netstat -tunv | awk '{print $5}' | awk -F':' '{print $1}' | grep ^[0-9] | sort -rn | uniq -c
    3 127.0.0.1
    20 68.67.74.138


    vs


    [[email protected] lighttpd]# netstat -tunv | awk '{print $5}' | awk -F':' '{print $1}' | grep ^[0-9] | uniq -c | sort -rn
    10 68.67.74.138
    6 68.67.74.138
    4 68.67.74.138
    1 127.0.0.1
    1 127.0.0.1
    1 127.0.0.1
    As mentioned above if you want to sort by # of uniq hits add another sort at the end.

  7. #7
    Join Date
    Feb 2003
    Location
    Montreal. Canada
    Posts
    222
    thank you guys

    for some odd reason the only one that works right for me is the

    netstat -tunv | awk '{print $5}' | awk -F':' '{print $1}' | grep ^[0-9] | sort -rn | uniq -c

    The other one will not count.

    Thank you once again

  8. #8
    Join Date
    Feb 2003
    Location
    Montreal. Canada
    Posts
    222
    Hey guys

    Just in case someone comes across this same problem. The resolution to it is to replace in your /usr/local/ddos/ddos.sh

    On line 117
    netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr > $BAD_IP_LIST

    To:
    netstat -ntu | awk '{print $5}' | sed 's/\:\:ffff\://g' | cut -d: -f1 | sort | uniq -c | sort -nr > $BAD_IP_LIST

    This is the only way it works with this script.

    Thank you for all who have helped! Hope this helps many more!
    Credits go to Zaf for the fix!
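
Added example, not part of any post in this thread and not code from the DDoS Deflate project: the failure mode and the fix discussed above, run against constructed netstat output that uses documentation-range addresses. The function names are hypothetical. The normalizing version goes slightly beyond the thread's fix by stripping only the trailing port, so native IPv6 peers are kept whole as well.

```shell
#!/bin/sh
# Constructed sample of `netstat -ntu` output (not captured from a real host).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 ::ffff:192.0.2.10:80        ::ffff:203.0.113.5:51000    ESTABLISHED
tcp        0      0 192.0.2.10:80               198.51.100.7:40000          ESTABLISHED
tcp        0      0 ::ffff:192.0.2.10:80        ::ffff:203.0.113.5:51001    TIME_WAIT
tcp        0      0 192.0.2.10:22               203.0.113.5:51002           ESTABLISHED
tcp        0      0 ::ffff:192.0.2.10:80        ::ffff:198.51.100.7:40001   ESTABLISHED
tcp        0      0 ::ffff:192.0.2.10:80        ::ffff:203.0.113.5:51003    ESTABLISHED
EOF
}

# The unmodified pipeline quoted in the thread. For "::ffff:a.b.c.d:port",
# field 1 of `cut -d:` is empty, so every mapped peer lands in one blank bucket.
original_count() {
    awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr |
        awk '{print $1, $2}'
}

# Normalizing version: keep only tcp/udp rows, drop the ::ffff: prefix,
# strip the trailing :port, then sort BEFORE uniq -c so equal IPs are adjacent.
count_remote_ips() {
    awk '$1 ~ /^(tcp|udp)/ {print $5}' |
        sed -e 's/^::ffff://' -e 's/:[0-9*]*$//' |
        sort | uniq -c | sort -nr |
        awk '{print $1, $2}'
}

echo "original pipeline:"
sample_netstat | original_count
echo "normalized:"
sample_netstat | count_remote_ips
```
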
