Created October 29, 2011 13:43
Bash stuff for fighting a weak DOS attack
# Here are a few bash one-liners that helped me analyze / fight a weak DOS attack against debuggable.com. Mostly for future reference.
# The attacker was opening lots of tcp connections without sending data, I believe it's called a SYN flood, see: http://tools.ietf.org/html/rfc4987#section-3.2
# Step 0: Check what is going on at port 80
$ netstat -tan | grep ':80 ' | awk '{print $6}' | sort | uniq -c
# Step 1: Increase the number of available fds
$ ulimit -n 32000
# Step 2: Restart your webserver, for me:
$ /etc/init.d/lighttpd restart
# Step 3: List the number of connections per attacking machine:
$ netstat -ntu | tail -n +3 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
# Step 4: Whois the IPs you got from step 3 to find out where the attacking machines are (just for fun)
$ whois <ip>
# Step 5: If you want to limit the http connections / host to 20, do this. See: http://www.cyberciti.biz/faq/iptables-connection-limits-howto/
$ iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset
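To sanity-check the step 0 and step 3 pipelines before relying on them during an incident, here is an added example (not part of the gist) that wraps them as shell functions and runs them over a constructed `netstat -ntu` dump; the addresses and the `SAMPLE_NETSTAT`, `connections_per_host`, `hosts_above` and `state_summary` names are made up for this example, and `hosts_above` applies the same per-host threshold idea that step 5 enforces with connlimit.

```shell
#!/bin/sh
# Constructed sample of `netstat -ntu` output (documentation-range IPs, not real
# data). The first two lines are netstat's header, which is why step 3 uses
# `tail -n +3` to skip them.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:51235      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:51236      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:40001       ESTABLISHED
udp        0      0 192.0.2.10:53           203.0.113.9:5353'

# Step 3 pipeline, reading netstat text on stdin instead of running netstat.
# Prints "<count> <remote ip>" lines, least busy host first.
connections_per_host() {
  tail -n +3 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
}

# Print only the remote IPs holding more than $1 connections, i.e. the hosts
# that a connlimit rule like step 5's (--connlimit-above N) would start rejecting.
hosts_above() {
  limit="$1"
  connections_per_host | awk -v limit="$limit" '$1 > limit {print $2}'
}

# Step 0 pipeline: tally of TCP states for sockets on port 80.
state_summary() {
  grep ':80 ' | awk '{print $6}' | sort | uniq -c
}

# Usage: feed the dump (or live `netstat -ntu` output) on stdin.
printf '%s\n' "$SAMPLE_NETSTAT" | hosts_above 2
```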