Hi List,

As a sys admin, depending on the scope of your responsibilities, it is sometimes necessary to diagnose DDoS (distributed denial of service) attacks and attempt to resolve them.
This is a simple script I use to check apache logs for signs of website DDoS, walk-through below [1]:

    #!/bin/bash
    FILE=access_log
    for ip in $(cat "$FILE" | cut -d ' ' -f 1 | sort | uniq); do
        # trailing space after the address stops 10.0.0.1 also matching 10.0.0.10
        COUNT=$(grep "^$ip " "$FILE" | wc -l)
        if [[ "$COUNT" -gt "10" ]]; then
            echo "$COUNT: $ip"
        fi
    done

Some general questions to discuss. I have reserved thoughts and knowledge, but would like to read other people's comments too:

- What general growing problems do systems engineers face in the future?
- Will IPv6 reduce DDoS attack success or enhance the attacker's tool kit?
- Can we reassure customers that they will not lose business to DDoS without investing large amounts of capital in security technologies?
- What do you think: is DDoS a global or local problem, or both?
- Is anyone able to share scripts like the one above?

Damian

[1] Simple script I use to check apache logs for signs of website DDoS, walk-through (can be copied and pasted into a text file and renamed 'ddos_check.sh', then chmod +x ddos_check.sh):

(invoke the bash interpreter)

    #!/bin/bash

(access_log can be replaced with any apache log file name)

    FILE=access_log

(cat concatenates the log file, then cut takes the first field, which is the hit IP address. This could be a visitor, bot or malicious IP. The IP addresses are sorted for clarity, and only unique IPs are moved on for processing)

    for ip in $(cat "$FILE" | cut -d ' ' -f 1 | sort | uniq); do

(the variable COUNT is filled with the resulting IP address from the processed log file output and the number of IP instances calculated; the trailing space after the address stops 10.0.0.1 also matching 10.0.0.10)

        COUNT=$(grep "^$ip " "$FILE" | wc -l)

(if the number of IP instances is over 10 - this will normally be set to 1000s - then the IP address and number of instances in the log file is printed to standard output)

        if [[ "$COUNT" -gt "10" ]]; then
            echo "$COUNT: $ip"

(end of script)

        fi
    done

You can see IPs that are hammering your web-site: use whois to glean more information, then check for repetition patterns. For Linux use firewall and/or tcpwrappers to block.
-- Interlinux Engineering Foundation http://www.interlinux.org.uk Central, non-trading, administration, governance and dissemination of foundation intellectual property and know-how. GPG 8A7E551C
-- Please post to: Hampshire@mailman.lug.org.uk Web Interface: https://mailman.lug.org.uk/mailman/listinfo/hampshire LUG URL: http://www.hantslug.org.uk --------------------------------------------------------------
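The per-IP hit count Damian's script performs, as an added example that is not part of his post or the list's archive. It makes three changes a practitioner would want: one awk pass over the log instead of one grep per address, an exact match on the first field so that a prefix such as 203.0.113.5 is not inflated by hits from 203.0.113.50, and a per-second peak so a short burst is visible even when an address's total over the whole log is modest. Function names (ddos_top_talkers, ddos_peak_rate, ddos_block_rules, make_sample_log) are hypothetical, and the log lines are constructed test data on TEST-NET addresses, not a real capture.

```shell
#!/bin/bash
# Added example, not Damian's script. Counts requests per client IP in an
# Apache common/combined format access log, reports a per-IP peak rate,
# and proposes (but never applies) firewall rules for the offenders.

# Constructed sample log (TEST-NET addresses); 203.0.113.5 sends four
# requests in the same second, 203.0.113.50 shares its prefix.
make_sample_log() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
203.0.113.5 - - [10/Oct/2000:13:55:36 +0000] "GET / HTTP/1.1" 200 2326 "-" "curl/7.0"
203.0.113.5 - - [10/Oct/2000:13:55:36 +0000] "GET / HTTP/1.1" 200 2326 "-" "curl/7.0"
203.0.113.5 - - [10/Oct/2000:13:55:36 +0000] "GET / HTTP/1.1" 200 2326 "-" "curl/7.0"
203.0.113.5 - - [10/Oct/2000:13:55:36 +0000] "GET / HTTP/1.1" 200 2326 "-" "curl/7.0"
203.0.113.5 - - [10/Oct/2000:13:55:37 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "curl/7.0"
203.0.113.5 - - [10/Oct/2000:13:55:38 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "curl/7.0"
203.0.113.50 - - [10/Oct/2000:13:55:40 +0000] "GET /about.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.50 - - [10/Oct/2000:13:55:41 +0000] "GET /style.css HTTP/1.1" 200 128 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2000:13:56:01 +0000] "GET / HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2000:13:56:02 +0000] "GET /style.css HTTP/1.1" 200 128 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2000:13:56:03 +0000] "GET /logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.1 - - [10/Oct/2000:13:57:00 +0000] "GET /robots.txt HTTP/1.1" 404 209 "-" "Googlebot/2.1"
EOF
    echo "$f"
}

# ddos_top_talkers LOGFILE [THRESHOLD]
# Prints "COUNT: IP" for every client with more than THRESHOLD requests,
# busiest first. Exact comparison on field 1, so 203.0.113.5 is not
# inflated by 203.0.113.50 the way an unanchored grep prefix would be.
ddos_top_talkers() {
    local logfile=$1 limit=${2:-10}
    awk -v limit="$limit" '
        { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] > limit) print hits[ip] ": " ip }
    ' "$logfile" | sort -rn
}

# ddos_peak_rate LOGFILE IP
# Largest number of requests IP made within any single second. Field 4 is
# "[10/Oct/2000:13:55:36", which already has one-second resolution, so the
# raw field serves as the bucket key. Prints 0 for an address not in the log.
ddos_peak_rate() {
    local logfile=$1 ip=$2
    awk -v ip="$ip" '
        $1 == ip { bucket[$4]++ }
        END { max = 0; for (s in bucket) if (bucket[s] > max) max = bucket[s]; print max }
    ' "$logfile"
}

# ddos_block_rules LOGFILE [THRESHOLD]
# Emits (does not run) one iptables DROP rule per offender, so the list can
# be checked against whois and an allow-list before anything is applied.
ddos_block_rules() {
    ddos_top_talkers "$1" "${2:-10}" | while read -r count ip; do
        echo "iptables -I INPUT -s $ip -j DROP"
    done
}

# Demo run on the constructed log.
DEMO_LOG=$(make_sample_log)
echo "== clients with more than 2 requests =="
ddos_top_talkers "$DEMO_LOG" 2
echo "== peak requests per second from 203.0.113.5 =="
ddos_peak_rate "$DEMO_LOG" 203.0.113.5
echo "== proposed rules (review before applying) =="
ddos_block_rules "$DEMO_LOG" 2
rm -f "$DEMO_LOG"
```

On a real log, replace the threshold with something sized to the site's normal traffic, and treat the peak-per-second figure as the more useful signal: a crawler can accumulate a large total over a day without ever being a problem, while a flood shows up as many hits in the same second. The rules are printed rather than executed on purpose; blocking a shared NAT or a monitoring probe because it crossed a count is a self-inflicted denial of service.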