Automatic reporting of DDoS attacks?

  #1  
WHT Addict
 
Join Date: Aug 2007
Posts: 118

Automatic reporting of DDoS attacks?


I have a list of IPs that have attacked my server with a reflective DDoS attack.

I am manually searching each IP to send an abuse email for each host.

Is there a faster or even automated way of doing this?



  #2  
Web Hosting Master
 
Join Date: Nov 2000
Location: Thailand
Posts: 3,339
I imagine you can do this pretty easy from the shell, ask your server admin to script you something.

I would tackle it something like this. First, presuming you have collected the IPs into a simple text file called badips.txt:

sort -u badips.txt   # sort first: uniq alone only drops adjacent duplicates
removes duplicates

Then pipe this into something to lookup the IP:

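#!/bin/bash
# iplookup: read one IP per line on stdin, print "ip:abuse-email"

whoisServer="whois.arin.net"
while read -r badip; do
    [ -n "$badip" ] || continue    # skip blank lines
    # take the OrgAbuseEmail values; sort so abuse@ floats to the top, keep the first
    abuseEmail=$(whois -h "$whoisServer" "$badip" | awk '/^OrgAbuseEmail/ { print $2 }' | sort | head -n1)
    echo "$badip:$abuseEmail"
done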


The awk matches lines starting with OrgAbuse and prints the second field collected; sort is a quick hack to promote abuse@ to the top, and head skims only the top result. This is very rudimentary; you probably want to expand on this to check different whois servers depending on the IPs, etc.

Okay so chaining we have

sort -u badips.txt | bash iplookup


Which yields
8.8.8.8:arin-contact@google.com
8.8.4.4:abuse@level3.com
...


Okay, so now pipe this to something that can split by : and fire off your email template. You could probably one-line this with xargs -n1 and -I, but it is probably cleaner to read if you write another bash script (keeping with the unix style of do one thing well).

So perhaps something like

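#!/bin/bash
# read "ip:abuse-email" lines on stdin and mail each contact

while read -r badLine; do
    badIp=${badLine%%:*}
    badEmail=${badLine##*:}
    [ -n "$badEmail" ] || continue    # no abuse contact was found for this IP
    # I'm not testing this but you get the idea
    # see man mail/mailx to include a template etc.; I imagine you'll have to include an attachment showing proof etc.
    # stdin is redirected so mailx does not swallow the rest of the list the loop is reading;
    # replace /dev/null with your report text
    mailx -s "IP: $badIp dos'ing me" "$badEmail" < /dev/null
done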



Disclaimer: Don't copy and paste the above; as a whole solution it is untested (especially the mail script), but it should give you some ideas... If you have a server management company, they are working in the shell daily, so they should be able to script a more resilient and error-free version of the above relatively quickly.

Good luck.

__________________
Reassuringly cynical and controversial - Twitter: @nonuby


Last edited by MattF; 06-04-2012 at 01:30 AM.
  #3  
Disabled
 
Join Date: Mar 2007
Posts: 363
Nice one MattF - I am going to try this too. Looks like it should work, with a little tweaking. Thanks!

  #4  
Junior Guru Wannabe
 
Join Date: Oct 2011
Posts: 48
So why don't some IPs have any abuse emails listed? How am I supposed to get the abuse email from these?

root@locahost:~$ whois -h "whois.arin.net" 199.15.251.1
#
# Query terms are ambiguous. The query is assumed to be:
# "n 199.15.251.1"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=19...se&ext=netref2
#

Reliable Hosting Services RELIABLE-HOSTING-NETWORK (NET-199-15-248-0-1) 199.15.248.0 - 199.15.255.255
Brdedicados BRD-NET (NET-199-15-251-0-1) 199.15.251.0 - 199.15.251.31


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
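
The situation in the last post, as an added example that is not part of the original thread: when ARIN answers with a summary list of matching networks instead of a full record, there is no OrgAbuseEmail line to match, so a script has to pick the most specific network and look that handle up again. The function names and the 192.0.2.0/24 record are constructed for illustration; the two summary lines are the ones quoted above.

```shell
#!/bin/bash
# Added example: classify ARIN whois text offline (no network access needed).

# Constructed sample: the ambiguous two-network summary quoted in the post above.
ambiguous_sample='# Query terms are ambiguous. The query is assumed to be:
# "n 199.15.251.1"
Reliable Hosting Services RELIABLE-HOSTING-NETWORK (NET-199-15-248-0-1) 199.15.248.0 - 199.15.255.255
Brdedicados BRD-NET (NET-199-15-251-0-1) 199.15.251.0 - 199.15.251.31'

# Constructed sample of a full record (documentation range, example.net addresses).
full_sample='NetRange:       192.0.2.0 - 192.0.2.255
NetHandle:      NET-192-0-2-0-1
OrgAbuseEmail:  noc@example.net
OrgAbuseEmail:  abuse@example.net'

# Print the abuse contact: prefer an abuse@ address, else the first one listed.
abuse_email() {
    awk '/^OrgAbuseEmail:/ {
             if (first == "") first = $2
             if (pick == "" && tolower($2) ~ /^abuse@/) pick = $2
         }
         END { if (pick != "") print pick; else if (first != "") print first }'
}

# From a summary listing, print the handle of the smallest (most specific) range.
most_specific_handle() {
    awk 'function ip2n(ip,   p) { split(ip, p, "."); return ((p[1]*256 + p[2])*256 + p[3])*256 + p[4] }
         /^#/ || !/\(NET-[0-9-]+\)/ { next }
         {   # layout: <org name> <net name> (<handle>) <start> - <end>
             handle = $(NF-3); gsub(/[()]/, "", handle)
             size = ip2n($NF) - ip2n($(NF-2))
             if (best == "" || size < bestsize) { best = handle; bestsize = size }
         }
         END { if (best != "") print best }'
}

# $1 = whois text. Prints email:<addr>, requery:<handle> or none.
classify() {
    local email handle
    email=$(printf '%s\n' "$1" | abuse_email)
    if [ -n "$email" ]; then echo "email:$email"; return 0; fi
    handle=$(printf '%s\n' "$1" | most_specific_handle)
    # A requery result means: look the handle up again (ARIN form: "n ! <handle>").
    if [ -n "$handle" ]; then echo "requery:$handle"; return 0; fi
    echo "none"
}

classify "$ambiguous_sample"
classify "$full_sample"
```

A "none" result is the cue to try another registry's whois server, since addresses outside ARIN's region will not carry OrgAbuseEmail lines.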
