Urgent: Under attack - need tcpdrop help

Gary Gatten Ggatten at waddell.com
Tue May 24 22:43:18 UTC 2011


FWIW, you may also try "null routing" the suspicious / bad IP ranges vs. adding to firewall confs.  Typically far less overhead, and perhaps "easier".  YMMV.

G


-----Original Message-----
From: owner-freebsd-questions at freebsd.org [mailto:owner-freebsd-questions at freebsd.org] On Behalf Of Andy Wodfer
Sent: Tuesday, May 24, 2011 5:10 PM
To: glarkin at freebsd.org
Cc: freebsd-questions
Subject: Re: Urgent: Under attack - need tcpdrop help

Thanks a lot! That was very helpful!

Things have calmed down now.

However, I was surprised to see how quick the tcp connections came back in
netstat. Have to take a closer look at my firewall I guess.

Cheers!
Andy

On Tue, May 24, 2011 at 11:00 PM, Greg Larkin <glarkin at freebsd.org> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 5/24/11 4:48 PM, Andy Wodfer wrote:
> > Thanks!
> > That would work on all my servers except this one .. which runs 6.3
> STABLE
> > (due to some old services requiring old software).
> >
> > Any other suggestions?
> >
> > Thanks!
> >
> > Andy
> >
>
> Ok, here goes:
>
> netstat -an | grep ^tcp | grep -v LISTEN | awk '{ print $5 }' | egrep -v '^(172\.16|192\.168|127\.0)' | cut -f1-4 -d\. | awk '{ a[$1]++ } END { for (i in a) { if (a[i] > 10) { print i; } } }' | xargs -n1 -I % sh -c 'sockstat -c | grep %' | awk '{ print $6 " " $7 }' | sed -e 's/:/ /g' -e 's/^/tcpdrop /'
>
> Paste that all on one line, and it should print (but not execute!)
> tcpdrop commands for IPs that have more than 10 connections to your
> server.  The commands will work on 6.x and later versions of the OS,
> since it doesn't use "tcpdrop -l -a".
>
> If you like the output and want to actually run the tcpdrop commands,
> add "| sh" to the end of the pipeline.
>
> YMMV, because I didn't actually execute the commands. I just printed the
> tcpdrop commands, and they looked good.
>
> Good luck,
> Greg
>
> >
> > On Tue, May 24, 2011 at 10:42 PM, Greg Larkin <glarkin at freebsd.org>
> wrote:
> >
> > On 5/24/11 4:29 PM, Andy Wodfer wrote:
> >>>> Hi,
> >>>> One of my FreeBSD servers is currently being attacked (DDOS) and I'm
> >>>> blocking IP addresses in my firewall. However, there are a large
> number
> > of
> >>>> hung tcp connections and I want them gone.
> >>>>
> >>>> Can anyone help me with a script (command line) that can read a
> netstat
> > -n
> >>>> and tcpdrop all IP addresses that has more than 10 connections or a
> more
> >>>> manual command where I can input an IP and it will drop all
> connections
> > from
> >>>> that IP regardless of port?
> >>>>
> >>>> Thanks in advance!
> >>>>
> >>>> Shell scripting isn't what I'm best at unfortunately ...
> >>>>
> >>>> Andy
> >
> > Hi Andy,
> >
> > This will drop all connections to/from IP address 192.168.22.22:
> >
> > tcpdrop -l -a | grep 192.168.22.22 | sh
> >
> > Just substitute your desired IP address, and that will do the trick.
> >
> > Good luck,
> > Greg
> >>
> > _______________________________________________
> > freebsd-questions at freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to "
> freebsd-questions-unsubscribe at freebsd.org"
>
> - --
> Greg Larkin
>
> http://www.FreeBSD.org/           - The Power To Serve
> http://www.sourcehosting.net/     - Ready. Set. Code.
> http://twitter.com/cpucycle/      - Follow you, follow me
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (Darwin)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk3cHIkACgkQ0sRouByUApDFdQCgtAPatfLnJP7/r2d/OBhy/P9T
> VJsAn3mWXgqG4GTa9GzuUuH2pDm4JPbz
> =27Nl
> -----END PGP SIGNATURE-----
>
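The one-line pipeline Greg posted above, rewritten as an added example script (this is not code from the thread or from the FreeBSD project). It assumes the FreeBSD column layouts of `netstat -an` (foreign address as `ip.port` in column 5, state in the last column) and `sockstat -c` (local and foreign `ip:port` in columns 6 and 7); the netstat and sockstat listings it runs on are constructed samples embedded inline, the threshold is a parameter instead of the hard-coded 10, all four RFC 1918/loopback ranges are excluded rather than only the three in the original, and, as in the thread, it only prints the `tcpdrop` commands rather than executing them.

```shell
#!/bin/sh
# Added example: find foreign IPv4 addresses holding more than N TCP
# connections and print (not run) the tcpdrop commands that would clear them.

# Constructed sample of `netstat -an` on FreeBSD (port joined to the address
# by a dot). 203.0.113.7 holds 4 connections, 198.51.100.9 holds 1, and
# 192.168.1.2 holds 3 but sits in a private range.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 10.0.0.5.80            203.0.113.7.51001      ESTABLISHED
tcp4       0      0 10.0.0.5.80            203.0.113.7.51002      ESTABLISHED
tcp4       0      0 10.0.0.5.80            203.0.113.7.51003      SYN_RCVD
tcp4       0      0 10.0.0.5.80            203.0.113.7.51004      SYN_RCVD
tcp4       0      0 10.0.0.5.80            198.51.100.9.40001     ESTABLISHED
tcp4       0      0 10.0.0.5.22            192.168.1.2.55001      ESTABLISHED
tcp4       0      0 10.0.0.5.22            192.168.1.2.55002      ESTABLISHED
tcp4       0      0 10.0.0.5.22            192.168.1.2.55003      ESTABLISHED
tcp4       0      0 *.80                   *.*                    LISTEN'

# Constructed sample of `sockstat -c` (address and port joined by a colon).
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      httpd      1234  4  tcp4   10.0.0.5:80           203.0.113.7:51001
www      httpd      1234  5  tcp4   10.0.0.5:80           203.0.113.7:51002
www      httpd      1235  4  tcp4   10.0.0.5:80           203.0.113.7:51003
www      httpd      1235  5  tcp4   10.0.0.5:80           203.0.113.7:51004
www      httpd      1236  4  tcp4   10.0.0.5:80           198.51.100.9:40001
root     sshd       900   3  tcp4   10.0.0.5:22           192.168.1.2:55001'

# heavy_peers THRESHOLD  (netstat output on stdin)
# Prints, one per line and sorted, every non-private foreign IPv4 address
# that holds more than THRESHOLD non-listening TCP sockets.
heavy_peers() {
    awk -v limit="$1" '
        $1 ~ /^tcp/ && $NF != "LISTEN" {
            n = split($5, p, ".")
            if (n != 5) next   # skips "*.*" wildcards and IPv6 (no dotted quad)
            ip = p[1] "." p[2] "." p[3] "." p[4]
            # ignore loopback and RFC 1918 space; the thread excluded 172.16, 192.168, 127
            if (ip ~ /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/) next
            count[ip]++
        }
        END { for (ip in count) if (count[ip] > limit) print ip }
    ' | sort
}

# tcpdrop_commands IP...  (sockstat output on stdin)
# For each IPv4 TCP socket whose foreign address is one of the given IPs,
# prints "tcpdrop laddr lport faddr fport" without executing it.
tcpdrop_commands() {
    awk -v targets="$*" '
        BEGIN { n = split(targets, t, " "); for (i = 1; i <= n; i++) want[t[i]] = 1 }
        $5 == "tcp4" {                   # IPv6 entries contain ":" in the address itself
            split($7, f, ":")            # foreign ip:port
            if (!(f[1] in want)) next
            split($6, l, ":")            # local ip:port
            print "tcpdrop", l[1], l[2], f[1], f[2]
        }
    '
}

# Same flow as the thread's pipeline, over the constructed samples, threshold 2.
# On a live host the two printf lines would be `netstat -an` and `sockstat -c`.
demo() {
    peers=$(printf '%s\n' "$SAMPLE_NETSTAT" | heavy_peers 2)
    printf '%s\n' "$SAMPLE_SOCKSTAT" | tcpdrop_commands $peers
}

demo
```

Running it prints four `tcpdrop 10.0.0.5 80 203.0.113.7 5100x` lines and nothing for the private 192.168.1.2 peer; review that output before piping it into `sh`, exactly as Greg suggests. The private-range filter is the safety rail here: without it, a burst of connections from an internal monitoring or backup host would be dropped along with the attacker's.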

"This email is intended to be reviewed by only the intended recipient
 and may contain information that is privileged and/or confidential.
 If you are not the intended recipient, you are hereby notified that
 any review, use, dissemination, disclosure or copying of this email
 and its attachments, if any, is strictly prohibited.  If you have
 received this email in error, please immediately notify the sender by
 return email and delete this email from your system."