Created July 10, 2014 02:45
How to stop primitive layer7 DDoS (e.g., http request "GET /"). Don't run this directly; read the comments.
# in one window, get the offenders (change grep filter to whatever's most accurate)
# field 1 of the nginx access log is the client IP
sudo tail -f /var/log/nginx/access.log | grep GET./ | awk '{print $1}' | tee sample
# in the other, have a look at the worst with this:
sort sample | uniq -c | sort -n | tail -n 50
# and then ban them (uniq -c prints "count ip", so the IP is field 2;
# shorewall blacklist lines are "ADDRESS PROTOCOL PORT")
sort sample | uniq -c | sort -n | awk '{print $2}' | tail -n 50 | xargs -i echo {} tcp http | sudo tee -a /etc/shorewall/blacklist
# restart shorewall, then nginx to clear up latent connections
# Then, restart the sampler to get a new batch.
# to unban those that stop spamming (i.e., probably true users):
# DROP rules whose packet and byte counters are still 0 have not been hit since the last restart
sudo shorewall show | sed -nr 's/^ *0 +0 +DROP +tcp[^0-9]+([0-9.]+) +0.0.0.0\/0 +tcp dpt:80/\0/p' # lists the full lines
sudo shorewall show | sed -nr 's/^ *0 +0 +DROP +tcp[^0-9]+([0-9.]+) +0.0.0.0\/0 +tcp dpt:80/\1/p' # just the ips to run sed on blacklist with
# the trailing space in the sed address keeps 203.0.113.7 from also deleting 203.0.113.70
sudo shorewall show | sed -nr 's/^ *0 +0 +DROP +tcp[^0-9]+([0-9.]+) +0.0.0.0\/0 +tcp dpt:80/\1/p' | sudo xargs -i sed -i '/^{} /d' /etc/shorewall/blacklist # remove them from blacklist
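The same sample-count-ban-unban loop, written as shell functions over constructed input so it can be checked offline. This is an added example, not part of the gist: the access-log lines and the `shorewall show` output are constructed (the latter's column layout is assumed from the sed pattern above), the function names are hypothetical, and the ban threshold is a parameter instead of the gist's fixed "worst 50". The unban step matches the whole IP as field 1 rather than using it as an unescaped regex, which is what the gist's `sed /^{}/d` does.

```shell
#!/bin/sh
# Added example (not the gist's code). Constructed nginx access-log sample: one client
# hammers "GET /", one fetches it once, one only fetches another path.
SAMPLE_LOG='198.51.100.9 - - [10/Jul/2014:02:45:01 +0000] "GET / HTTP/1.1" 200 612 "-" "-"
203.0.113.7 - - [10/Jul/2014:02:45:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jul/2014:02:45:02 +0000] "GET / HTTP/1.1" 200 612 "-" "-"
192.0.2.5 - - [10/Jul/2014:02:45:02 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jul/2014:02:45:03 +0000] "GET / HTTP/1.1" 200 612 "-" "-"
198.51.100.9 - - [10/Jul/2014:02:45:03 +0000] "GET / HTTP/1.1" 200 612 "-" "-"'

# Constructed `shorewall show` excerpt (iptables -nv layout: pkts bytes target prot ... src dst ... dpt).
# The first rule has never matched a packet; the second is still being hit.
SHOREWALL_SHOW='    0     0 DROP       tcp  --  *      *       203.0.113.7          0.0.0.0/0            tcp dpt:80
   42  2520 DROP       tcp  --  *      *       198.51.100.9         0.0.0.0/0            tcp dpt:80'

# "count ip" for every client that requested exactly "/", busiest last
# (the gist's sort | uniq -c | sort -n over the sampled IPs).
top_offenders() {
    printf '%s\n' "$SAMPLE_LOG" | grep 'GET / ' | awk '{print $1}' | sort | uniq -c | sort -n
}

# shorewall blacklist entries ("ADDRESS PROTOCOL PORT") for clients with more than $1 hits.
blacklist_entries() {
    threshold="$1"
    top_offenders | awk -v t="$threshold" '$1 > t { print $2, "tcp", "http" }'
}

# IPs whose DROP rule has zero packet and byte counters, i.e. candidates for unbanning.
# -E instead of the gist's GNU-only -r; the literal dots in 0.0.0.0/0 are escaped.
idle_banned_ips() {
    printf '%s\n' "$SHOREWALL_SHOW" |
        sed -nE 's/^ *0 +0 +DROP +tcp[^0-9]+([0-9.]+) +0\.0\.0\.0\/0 +tcp dpt:80/\1/p'
}

# Filter blacklist contents on stdin, dropping lines whose first field is one of the
# newline-separated IPs in $1. Exact field match: 203.0.113.7 does not remove 203.0.113.70.
remove_ips_from_blacklist() {
    awk -v ips="$1" '
        BEGIN { n = split(ips, a, "\n"); for (i = 1; i <= n; i++) if (a[i] != "") drop[a[i]] = 1 }
        !($1 in drop)'
}

# Stand-alone run: ban anyone over 2 hits, then show what an unban pass would keep.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    blacklist_entries 2
    printf '203.0.113.7 tcp http\n203.0.113.70 tcp http\n198.51.100.9 tcp http\n' |
        remove_ips_from_blacklist "$(idle_banned_ips)"
fi
```

In practice `top_offenders` would read the `sample` file the gist's `tee` writes and `remove_ips_from_blacklist` would be run against `/etc/shorewall/blacklist` with a temp file and a move; the threshold is the knob to tune instead of blindly taking the top 50, since on a busy site the 50th entry may be an ordinary user.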