Urgent: Under attack - need tcpdrop help

Andy Wodfer wodfer at gmail.com
Tue May 24 22:09:39 UTC 2011


Thanks a lot! That was very helpful!

Things have calmed down now.

However, I was surprised to see how quickly the tcp connections came back in
netstat. Have to take a closer look at my firewall I guess.

Cheers!
Andy

On Tue, May 24, 2011 at 11:00 PM, Greg Larkin <glarkin at freebsd.org> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 5/24/11 4:48 PM, Andy Wodfer wrote:
> > Thanks!
> > That would work on all my servers except this one .. which runs 6.3
> STABLE
> > (due to some old services requiring old software).
> >
> > Any other suggestions?
> >
> > Thanks!
> >
> > Andy
> >
>
> Ok, here goes:
>
> netstat -an | grep ^tcp | grep -v LISTEN | awk '{ print $5 }' | egrep -v
> '^(172\.16|192\.168|127\.0)' | cut -f1-4 -d\. | awk '{ a[$1]++ } END {
> for (i in a) { if (a[i] > 10) { print i; } } }' | xargs -n1 -I % sh -c
> 'sockstat -c | grep %' | awk '{ print $6 " " $7 }' | sed -e 's/:/ /g' -e
> 's/^/tcpdrop /'
>
> Paste that all on one line, and it should print (but not execute!)
> tcpdrop commands for IPs that have more than 10 connections to your
> server.  The commands will work on 6.x and later versions of the OS,
> since it doesn't use "tcpdrop -l -a".
>
> If you like the output and want to actually run the tcpdrop commands,
> add "| sh" to the end of the pipeline.
>
> YMMV, because I didn't actually execute the commands. I just printed the
> tcpdrop commands, and they looked good.
>
> Good luck,
> Greg
>
> >
> > On Tue, May 24, 2011 at 10:42 PM, Greg Larkin <glarkin at freebsd.org>
> wrote:
> >
> > On 5/24/11 4:29 PM, Andy Wodfer wrote:
> >>>> Hi,
> >>>> One of my FreeBSD servers is currently being attacked (DDOS) and I'm
> >>>> blocking IP addresses in my firewall. However, there are a large
> number
> > of
> >>>> hung tcp connections and I want them gone.
> >>>>
> >>>> Can anyone help me with a script (command line) that can read a
> netstat
> > -n
> >>>> and tcpdrop all IP addresses that has more than 10 connections or a
> more
> >>>> manual command where I can input an IP and it will drop all
> connections
> > from
> >>>> that IP regardless of port?
> >>>>
> >>>> Thanks in advance!
> >>>>
> >>>> Shell scripting isn't what I'm best at unfortunately ...
> >>>>
> >>>> Andy
> >
> > Hi Andy,
> >
> > This will drop all connections to/from IP address 192.168.22.22:
> >
> > tcpdrop -l -a | grep 192.168.22.22 | sh
> >
> > Just substitute your desired IP address, and that will do the trick.
> >
> > Good luck,
> > Greg
> >>
> > _______________________________________________
> > freebsd-questions at freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to "
> freebsd-questions-unsubscribe at freebsd.org"
>
> - --
> Greg Larkin
>
> http://www.FreeBSD.org/           - The Power To Serve
> http://www.sourcehosting.net/     - Ready. Set. Code.
> http://twitter.com/cpucycle/      - Follow you, follow me
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (Darwin)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk3cHIkACgkQ0sRouByUApDFdQCgtAPatfLnJP7/r2d/OBhy/P9T
> VJsAn3mWXgqG4GTa9GzuUuH2pDm4JPbz
> =27Nl
> -----END PGP SIGNATURE-----
>
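The pipeline Greg posted works by counting remote hosts in `netstat -an`, then looking each busy host up in `sockstat -c` to build `tcpdrop local-ip local-port remote-ip remote-port` commands. The following is an added example, not part of the thread and not Greg's code: a small POSIX sh script that does the same job in two functions, run here over constructed `netstat -an` and `sockstat -c` samples so it can be tried offline. It assumes FreeBSD's column layout (foreign address in column 5 of `netstat -an` as `host.port`, local and foreign addresses in columns 6 and 7 of `sockstat -c` as `host:port`), and it goes slightly beyond the original in two ways: it matches the peer on the whole host part followed by `:`, so `203.0.113.7` no longer also matches `203.0.113.70`, and it skips 10/8 and the full 172.16/12 range in addition to 192.168/16 and 127/8. The threshold is a parameter so the short sample can exercise it with a value of 2 instead of 10.

```shell
#!/bin/sh
# Added example: plan tcpdrop commands for remote hosts holding more than
# N TCP connections. Only prints the commands; pipe to sh to execute them.

# Constructed sample of `netstat -an` output (FreeBSD style, host.port).
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.0.0.5.80            203.0.113.7.50001      ESTABLISHED
tcp4       0      0  10.0.0.5.80            203.0.113.7.50002      ESTABLISHED
tcp4       0      0  10.0.0.5.80            203.0.113.7.50003      SYN_RCVD
tcp4       0      0  10.0.0.5.443           203.0.113.70.40001     ESTABLISHED
tcp4       0      0  10.0.0.5.22            192.168.1.9.55000      ESTABLISHED
tcp4       0      0  10.0.0.5.22            192.168.1.9.55001      ESTABLISHED
tcp4       0      0  10.0.0.5.22            192.168.1.9.55002      ESTABLISHED
tcp4       0      0  *.80                   *.*                    LISTEN
tcp6       0      0  *.22                   *.*                    LISTEN'

# Constructed sample of `sockstat -c` output (host:port).
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      httpd      1234  5  tcp4   10.0.0.5:80           203.0.113.7:50001
www      httpd      1234  6  tcp4   10.0.0.5:80           203.0.113.7:50002
www      httpd      1235  5  tcp4   10.0.0.5:80           203.0.113.7:50003
www      httpd      1235  6  tcp4   10.0.0.5:443          203.0.113.70:40001
root     sshd       900   4  tcp4   10.0.0.5:22           192.168.1.9:55000'

# busy_peers LIMIT: read `netstat -an` on stdin, print remote IPv4 hosts
# that own more than LIMIT non-LISTEN TCP sockets. Private and loopback
# peers (10/8, 172.16/12, 192.168/16, 127/8) are skipped.
busy_peers() {
    awk -v limit="$1" '
        $1 ~ /^tcp/ && $NF != "LISTEN" {
            ip = $5
            sub(/\.[^.]*$/, "", ip)      # strip the trailing .port
            if (ip ~ /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/) next
            count[ip]++
        }
        END { for (ip in count) if (count[ip] > limit) print ip }
    ' | sort
}

# tcpdrop_cmds_for PEER: read `sockstat -c` on stdin, print one tcpdrop
# command per TCP socket whose foreign host is exactly PEER. Matching on
# "PEER:" avoids the substring trap (203.0.113.7 vs 203.0.113.70).
tcpdrop_cmds_for() {
    awk -v peer="$1" '
        $5 ~ /^tcp/ && index($7, peer ":") == 1 {
            split($6, l, ":"); split($7, f, ":")
            print "tcpdrop " l[1] " " l[2] " " f[1] " " f[2]
        }
    '
}

# plan_drops LIMIT NETSTAT_TEXT SOCKSTAT_TEXT: combine the two steps.
# On a live box: plan_drops 10 "$(netstat -an)" "$(sockstat -c)"
plan_drops() {
    printf '%s\n' "$2" | busy_peers "$1" | while read -r ip; do
        printf '%s\n' "$3" | tcpdrop_cmds_for "$ip"
    done
}

# Stand-alone demo over the constructed samples, threshold 2:
# only 203.0.113.7 qualifies (192.168.1.9 has three sockets but is private).
plan_drops 2 "$SAMPLE_NETSTAT" "$SAMPLE_SOCKSTAT"
```

Review the printed commands first; appending `| sh` executes them, exactly as in the thread. On the sample this prints three `tcpdrop 10.0.0.5 80 203.0.113.7 5000x` lines and nothing for 203.0.113.70 or the private sshd peer.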

