From: Andy Wodfer
To: freebsd-questions
Date: Tue, 24 May 2011 22:29:47 +0200
Subject: Urgent: Under attack - need tcpdrop help

Hi,

One of my FreeBSD servers is currently
being attacked (DDOS) and I'm blocking IP addresses in my firewall. However, there are a large number of hung tcp connections and I want them gone.

Can anyone help me with a script (command line) that can read a netstat -n and tcpdrop all IP addresses that have more than 10 connections, or a more manual command where I can input an IP and it will drop all connections from that IP regardless of port?

Thanks in advance! Shell scripting isn't what I'm best at, unfortunately ...

Andy
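
One way to do what the message above asks, as an added example that is not part of the original post. It assumes FreeBSD's IPv4 `netstat -n` layout (address and port joined by a dot) and the four-argument `tcpdrop` form; `gen_tcpdrop`, `sample_netstat` and the sample addresses are constructed for illustration.

```sh
#!/bin/sh
# Added example: turn `netstat -n` output into tcpdrop commands.
# Assumption: FreeBSD IPv4 format, e.g. "203.0.113.5.51234" = address.port.
# Commands are only printed, never executed, so they can be reviewed first.

# gen_tcpdrop LIMIT [IP]
#   Reads netstat -n output on stdin. Prints one tcpdrop command for every
#   TCP connection whose foreign IP holds more than LIMIT connections, or,
#   when IP is given, for every connection from that IP regardless of port.
gen_tcpdrop() {
    awk -v limit="$1" -v only="$2" '
        # Split "a.b.c.d.port" at the last dot.
        function addr(s) { sub(/\.[^.]*$/, "", s); return s }
        function port(s) { sub(/^.*\./, "", s); return s }
        $1 == "tcp4" && NF >= 6 {
            fa = addr($5); fp = port($5)
            # Skip listeners ("*.*") and anything not a plain IPv4 peer.
            if (fa !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
            if (fp !~ /^[0-9]+$/) next
            n++
            cmd[n] = "tcpdrop " addr($4) " " port($4) " " fa " " fp
            peer[n] = fa
            count[fa]++
        }
        END {
            for (i = 1; i <= n; i++) {
                if (only != "") { if (peer[i] == only) print cmd[i] }
                else if (count[peer[i]] > limit) print cmd[i]
            }
        }'
}

# Constructed sample: 12 connections from one peer, 2 from another, 1 listener.
sample_netstat() {
    echo "Proto Recv-Q Send-Q Local Address      Foreign Address      (state)"
    p=50001
    while [ "$p" -le 50012 ]; do
        echo "tcp4       0      0 192.0.2.10.80      203.0.113.5.$p    ESTABLISHED"
        p=$((p + 1))
    done
    echo "tcp4       0      0 192.0.2.10.80      198.51.100.7.40001   FIN_WAIT_2"
    echo "tcp4       0      0 192.0.2.10.22      198.51.100.7.40002   ESTABLISHED"
    echo "tcp4       0      0 *.80               *.*                  LISTEN"
}

# Stand-alone run: show what would be dropped at a threshold of 10.
sample_netstat | gen_tcpdrop 10
```

On a live host, feed it `netstat -n -p tcp` instead of the sample, check the printed commands against addresses you must not cut off (your own SSH session, for instance), then pipe them to `sh`.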