Hi List

As a sys admin, depending on the scope of your responsibilities, it is
sometimes necessary to diagnose DDoS - distributed denial of service -
attacks and attempt to resolve them.

This is a simple script I use to check apache logs for signs of website
DDoS, [1]walk-through below:

#!/bin/bash
# Report every client IP with more than 10 hits in an Apache access log.
FILE=access_log
for ip in $(cat "$FILE" | cut -d ' ' -f 1 | sort -u); do
    # "^$ip " (with the trailing space) matches the IP as the whole first field,
    # so 10.0.0.1 is not also counted on lines from 10.0.0.10 or 10.0.0.100
    COUNT=$(grep -c "^$ip " "$FILE")
    if [[ "$COUNT" -gt 10 ]]; then echo "$COUNT:   $ip"; fi
done

Some general questions to discuss. I have reserved thoughts and
knowledge, but would like to read other people's comments too:

What general growing problems do systems engineers face in the future?

Will IPv6 reduce DDoS attack success or enhance the attacker's tool kit?

Can we reassure customers that they will not lose business to DDoS
without investing large amounts of capital in security technologies?

What do you think? Is DDoS a global or local problem, or both?

Is anyone able to share scripts like the one above? 



Damian



[1] Simple script I use to check apache logs for signs of website DDoS,
walk-through (it can be copied and pasted into a text file, renamed
'ddos_check.sh' and made executable with chmod +x ddos_check.sh):


(invoke the bash interpreter)

#!/bin/bash

(access_log can be replaced with any apache log file name)

FILE=access_log

(cat concatenates the log file, then cut takes the first field, which
is the hit IP address. This could be a visitor, bot or malicious IP. The
IP addresses are sorted for clarity, and only unique IPs are moved on for
processing)

 for ip in $(cat "$FILE" | cut -d ' ' -f 1 | sort -u);

(the variable COUNT is filled with the number of instances of the
resulting IP address in the processed log file output)

 do COUNT=$(grep -c "^$ip " "$FILE");

(if the number of IP instances is over 10 - this will normally be set to
the thousands - then the IP address and the number of instances in the log
file are printed to standard output)

 if [[ "$COUNT" -gt 10 ]]; then echo "$COUNT:   $ip";

(end of script)

 fi; done

You can see IPs that are hammering your website: use whois to glean
more information, then check for repetition patterns. On Linux, use the
firewall and/or TCP Wrappers to block.


-- 
Interlinux Engineering Foundation http://www.interlinux.org.uk

Central, non-trading, administration, governance and dissemination of
foundation intellectual property and know-how.

GPG 8A7E551C


--
Please post to: Hampshire@mailman.lug.org.uk
Web Interface: https://mailman.lug.org.uk/mailman/listinfo/hampshire
LUG URL: http://www.hantslug.org.uk
--------------------------------------------------------------
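An added example, not Damian's script and not part of the original post, for anyone who wants to take the idea a step further. It reads the log once with awk instead of running one grep per address, compares the whole first field so 203.0.113.7 is never inflated by hits from 203.0.113.70, and adds a per-minute view, since a flood that lasts a few minutes can hide inside a modest day-long total. The log lines, IPs and timestamps are constructed for the demo; the field positions assume the Apache common/combined format with the client IP in the first field (if the server sits behind a proxy or load balancer, the real client is in X-Forwarded-For instead, and this script would count the proxy).

```bash
#!/bin/bash
# Added example (not the script from the post). Counts requests per client IP
# in one pass over an Apache common/combined log and also flags any IP that
# exceeds a threshold within a single clock minute. The log lines, IPs and
# timestamps below are constructed for the demo.

LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.70 - - [10/Oct/2023:13:55:39 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.70 - - [10/Oct/2023:13:55:41 +0000] "GET /contact HTTP/1.1" 200 1800 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:57:12 +0000] "GET /news HTTP/1.1" 200 3072 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:58:45 +0000] "GET /news/1 HTTP/1.1" 200 2900 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:59:03 +0000] "GET /news/2 HTTP/1.1" 200 2950 "-" "Mozilla/5.0"
EOF

# top_talkers LOG THRESHOLD: print "COUNT IP", heaviest first, for every IP with
# more than THRESHOLD requests in the whole file. awk compares the complete
# first field, so 203.0.113.7 is not inflated by 203.0.113.70 the way an
# unanchored "grep ^$ip" would do, and the file is read once, not once per IP.
top_talkers() {
    local log="$1" threshold="$2"
    awk -v t="$threshold" '{ hits[$1]++ }
        END { for (ip in hits) if (hits[ip] > t) print hits[ip], ip }' "$log" | sort -rn
}

# bursts LOG THRESHOLD: print "COUNT IP DD/Mon/YYYY:HH:MM" for every IP that
# made more than THRESHOLD requests inside one clock minute.
bursts() {
    local log="$1" threshold="$2"
    # $4 looks like "[10/Oct/2023:13:55:36"; drop the leading bracket and the ":SS".
    awk -v t="$threshold" '{ minute = substr($4, 2, length($4) - 4); hits[$1 " " minute]++ }
        END { for (k in hits) if (hits[k] > t) print hits[k], k }' "$log" | sort -rn
}

echo "== more than 3 requests in the whole log =="
top_talkers "$LOG" 3
echo "== more than 3 requests in any single minute =="
bursts "$LOG" 3
```

On the sample data the whole-log view lists both 203.0.113.7 (5 hits) and 198.51.100.2 (4 hits), while the per-minute view lists only 203.0.113.7, whose five requests all land in 13:55; the four from 198.51.100.2 are spread over four minutes and look like ordinary browsing. On a real log raise both thresholds well above what a legitimate visitor produces, and pipe the IP column from either function into whois or a firewall rule as the post suggests.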
