Web Hosting Talk : Web Hosting Main Forums : Dedicated Server : Automatic reporting of DDoS attacks?

[lorph]

I have a list of IPs that have attacked my server with a reflective DDoS attack.

I am manually searching each IP to send an abuse email for each host.

Is there a faster or even automated way of doing this?

[MattF]

I imagine you can do this pretty easy from the shell, ask your server admin to script you something.

I would tackle it something like this. First presuming you have collected the IPs into a simple text file call badips.txt

cat badips | uniq
removes duplicates

Then pipe this into something to lookup the IP:

#!/bin/bash

whoisServer="whois.arin.net"
while read badip; do
abuseEmail=$(whois -h$whoisServer $badip | awk '/^OrgAbuseEmail/ { print $2}' | sort | head -n1)
echo "$badip:$abuseEmail"
done


The awk matches line start with OrgAbuse and prints the second field collected, sort is quick hack to promote abuse@ to the top, head skims only the the top result. This is very rudimentary, you probably want to expand on this to check different whois server depending on the IPs etc..

Okay so chaining we have

cat badips | uniq | bash iplookup

Which yields
8.8.8.8:arin-contact@google.com
8.8.4.4:abuse@level3.com
...


Okay so now pipe this to something that can split by : and fire off your email template, you could probably one line with this with xargs -n1 and -I but probably cleaner to read to write another bash script (keeping with unix style of do one thing well)

So perhaps something like

#!/bin/bash

while read badLine; do
badIp=${badLine%%:*}
badEmail=${badLine##*:}
#im not testing this but you get the idea
mailx -s "IP: $badIp dos'ing me" $badEmail #see other man mail/mailx to include template etc.. I imagine you'll have to include attachment showing proof etc..
done;



Disclaimer: Dont copy and paste the above, as a whole solution it is untested (especially the mail script), but it should give you some ideas... If you have a server management company they are working in the shell daily so they should be able to script a more resilent and error-free version of the above relatively quickly

Good luck.

[Vex76]

Nice one MattF - I am going to try this too. Looks like it should work, with a little tweaking. Thanks!

[bottiger1]

So why don't some IPs have any abuse emails listed? How am I supposed to get the abuse email from these?

root@locahost:~$ whois -h "whois.arin.net" 199.15.251.1
#
# Query terms are ambiguous. The query is assumed to be:
# "n 199.15.251.1"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=19...se&ext=netref2
#

Reliable Hosting Services RELIABLE-HOSTING-NETWORK (NET-199-15-248-0-1) 199.15.248.0 - 199.15.255.255
Brdedicados BRD-NET (NET-199-15-251-0-1) 199.15.251.0 - 199.15.251.31


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#