  1. #1

    OK/possible to ban users with empty IPs?

    Some bot(s) without a reported IP address seems to be making 60 - 500 connections to my server constantly even though there are usually only a few real users connected.
    Do some search engines/some legit proxy users have no reported/hidden IP address?
    Am I even able to ban an empty IP with iptables?

  2. #2
    What do you mean by "empty IP?" Every machine on the internet has an IP address, otherwise they would not be able to get to your server. Where are these "empty IPs" being logged?

  3. #3
    well I guess there's just a problem with CentOS 5 when you use this command: netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr # It seems to say that an empty IP has many connections and a ddos script I used was banning connection counts instead of a real IP because of that bug. So it is impossible to hide your IP from netstat?

  4. #4
    Yeah, it makes no sense that they'd have no IP.

    Have you just run "netstat -ntu" by hand, maybe piping it through less, to find the 'offending' IPs by hand, and banning those?

  5. #5
    Your command line is just off. You aren't breaking up the fields (separated by white space and also colons) properly. As others said, there's no such thing as an empty IP. By the way, running a command to block automatically, when the fields are off, could spell a major problem if you don't know what the commands are doing and you aren't doing some double checking and sanity checks to ensure you're only capturing and blocking the IPs. Otherwise you will end up blocking an empty IP and you'll block 0.0.0.0 (everyone, including yourself).

  6. #6
    well that command is from the 3rd party (d)dos deflate script. I don't know enough about shell scripting to improve it so if you have a way to fix it, please do. However I made a fix to that script so that it no longer bans that weird non-IP number. It also has 0.0.0.0 in the ignore list so that it shouldn't get banned.

  7. #7
    Well, I'm not very familiar with that tool (I have my own solutions for the problem), but from what I'm seeing, it's likely picking up the header, as well as any IPv6 output:

    I.e., this is what it output and likely picked up:

    ]$ netstat -u
    Active Internet connections (w/o servers)
    Proto Recv-Q Send-Q Local Address Foreign Address State

    This will output the result:

    (empty) 2
    (header) 1 servers)
    (header) 1 Address

    In your list.

    You can get real lines for tcp and udp by adding egrep '^(tcp|udp)' (starts with udp or tcp). If you just want to check tcp connections, set it to grep ^tcp.

    The other issue (the blank/empty fields) is likely from ipv6:

    tcp 0 0 ::ffff:xxx.xxx.xxx.xxx:22 ::ffff:xxx.xxx.xxx.xxx:34629 ESTABLISHED
    tcp 0 5275 ::ffff:xx.xx.xxx.xx:22 ::ffff:xx.xxx.xx.xx:22442 ESTABLISHED

    For example. The 5th field is thus ::ffff:IP.HERE:PORT You are taking the first field (with a : delimiter) from that 5th field, and the first field of ::ffff:IP.HERE:PORT would be found between the first ::, which is empty. The second field cut -d: -f2 is ffff, and the 3rd is the IP you want.

    A quick way to overcome that is to use sed to remove any variable that doesn't change (like ::ffff:), so the full example to just get the connecting IPs for udp and tcp only, no header, for both ipv4 and ipv6, would be:

    netstat -ntu | egrep '^(tcp|udp)' | awk '{print $5}' | sed 's/::ffff://g' | cut -d: -f1 | sort | uniq -c | sort -nr

    That's just an example and you might need to tweak it a little, but that's the idea. There are other ways to do this command and other ways to accomplish this same goal, but that's a quick example of what might work for you.
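The two failure modes discussed in this thread (header lines being counted as an "empty IP", and `cut -d: -f1` returning an empty string for an IPv4-mapped IPv6 peer such as `::ffff:1.2.3.4:22`) can be handled in one place by matching on the protocol column and splitting the peer address on its last colon rather than its first. The script below is an added example written for this page; it is not the poster's command, not the DDoS Deflate script, and the `netstat -ntu` output it parses is a constructed sample embedded inline so it runs offline. The function and variable names (`count_peer_ips`, `connections_for`, `is_blockable_ipv4`, `SAMPLE_NETSTAT`) are assumptions for the example. It also implements the sanity check post #5 asks for: nothing reaches a firewall rule unless it is a non-empty dotted-quad that is not 0.0.0.0.

```shell
#!/bin/sh
# Constructed sample of `netstat -ntu` output (not captured from a real host),
# including the header lines and IPv4-mapped IPv6 peers that break the naive
# `awk '{print $5}' | cut -d: -f1` pipeline by yielding an empty "IP".
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:22             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       ESTABLISHED
tcp        0      0 ::ffff:10.0.0.5:22      ::ffff:203.0.113.7:34629 ESTABLISHED
tcp        0   5275 ::ffff:10.0.0.5:22      ::ffff:198.51.100.9:22442 ESTABLISHED
udp        0      0 10.0.0.5:53             198.51.100.9:40000      ESTABLISHED
tcp        0      0 ::1:22                  ::1:45000               ESTABLISHED'

# count_peer_ips: read netstat -ntu style text on stdin and emit "count ip"
# per remote peer, most connections first.  Header lines are discarded by
# requiring a tcp/udp protocol column; the ::ffff: prefix is stripped; and the
# port is removed by deleting the text after the LAST colon, so an address
# with several colons never collapses to an empty string.
count_peer_ips() {
    awk '$1 ~ /^(tcp|udp)6?$/ {
            peer = $5
            sub(/^::ffff:/, "", peer)      # strip IPv4-mapped IPv6 prefix
            sub(/:[0-9]+$/, "", peer)      # strip :port (last colon only)
            if (peer != "") count[peer]++
         }
         END { for (ip in count) printf "%d %s\n", count[ip], ip }' \
    | sort -nr
}

# connections_for: connection count recorded for one peer in the sample
# (0 if the peer does not appear).
connections_for() {
    printf '%s\n' "$SAMPLE_NETSTAT" | count_peer_ips \
    | awk -v ip="$1" '$2 == ip { print $1; found = 1 }
                      END { if (!found) print 0 }'
}

# is_blockable_ipv4: the check to run before any address is handed to a
# firewall rule.  Accepts only a dotted-quad with each octet in 0-255 and
# refuses the empty string and 0.0.0.0, the two values that would otherwise
# turn an automated ban into a self-inflicted outage.
is_blockable_ipv4() {
    cand=$1
    [ -n "$cand" ] || return 1
    [ "$cand" != "0.0.0.0" ] || return 1
    printf '%s\n' "$cand" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Stand-alone run: list peers from the sample and flag which ones pass the check.
printf '%s\n' "$SAMPLE_NETSTAT" | count_peer_ips | while read -r n ip; do
    if is_blockable_ipv4 "$ip"; then
        echo "$n connections from $ip (valid IPv4, eligible for a rule)"
    else
        echo "$n connections from $ip (skipped: not a blockable IPv4 address)"
    fi
done
```

Against the sample, 203.0.113.7 is counted three times (two plain IPv4 lines plus one ::ffff: line) and 198.51.100.9 twice, which is the kind of under-counting post #8 notices when the mapped-IPv6 lines are lost. The bare IPv6 peer ::1 is kept as a real address rather than an empty string and is then rejected by `is_blockable_ipv4`, so it is never passed to an IPv4 rule; handling native IPv6 peers would need a separate ip6tables path and its own validation.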

  8. #8
    The results look fine but extremely different when compared with the results of the command line I pasted here. "My" command seems to report a lot fewer IPs every time, why is that?

    I'm curious, what are you using for dos mitigation then?
