From: Greg Larkin
Organization: The FreeBSD Project
Date: Tue, 24 May 2011 16:42:23 -0400
To: Andy Wodfer
Cc: freebsd-questions
Reply-To: glarkin@FreeBSD.org
Subject: Re: Urgent: Under attack - need tcpdrop help

On 5/24/11 4:29 PM, Andy Wodfer wrote:
> Hi,
> One of my FreeBSD servers is currently being attacked (DDOS) and I'm
> blocking IP addresses in my firewall. However, there are a large number of
> hung tcp connections and I want them gone.
>
> Can anyone help me with a script (command line) that can read a netstat -n
> and tcpdrop all IP addresses that have more than 10 connections or a more
> manual command where I can input an IP and it will drop all connections from
> that IP regardless of port?
>
> Thanks in advance!
>
> Shell scripting isn't what I'm best at unfortunately ...
>
> Andy

Hi Andy,

This will drop all connections to/from IP address 192.168.22.22:

tcpdrop -l -a | grep 192.168.22.22 | sh

Just substitute your desired IP address, and that will do the trick.

Good luck,
Greg
-- 
Greg Larkin

http://www.FreeBSD.org/       - The Power To Serve
http://www.sourcehosting.net/ - Ready. Set. Code.
http://twitter.com/cpucycle/  - Follow you, follow me
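
Added example, not part of Greg Larkin's message: the first request in the quoted question (drop every address holding more than 10 connections) written as a filter over netstat -n -p tcp output. It assumes FreeBSD's IPv4 column layout, counts by exact foreign address rather than substring, and only prints tcpdrop commands; drop_cmds and sample_netstat are hypothetical names and the sample lines are constructed.

```sh
#!/bin/sh
# Added example, not from the original message. Assumes FreeBSD's
# `netstat -n -p tcp` layout: proto recv-q send-q local foreign state,
# with IPv4 endpoints written as a.b.c.d.port.

# drop_cmds LIMIT (hypothetical helper): read netstat output on stdin and
# print a tcpdrop command for every connection whose foreign address holds
# more than LIMIT connections. Nothing is dropped until the output is run.
drop_cmds() {
    awk -v limit="${1:-10}" '
    # Split "a.b.c.d.port" into addr/port. Anything that is not digits and
    # dots is rejected, because the generated lines are meant for sh.
    function split_ep(ep) {
        if (ep !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) return 0
        match(ep, /\.[0-9]+$/)
        addr = substr(ep, 1, RSTART - 1)
        port = substr(ep, RSTART + 1)
        return 1
    }
    $1 == "tcp4" && $6 != "LISTEN" {
        if (!split_ep($4)) next
        here = addr " " port
        if (!split_ep($5)) next
        count[addr]++                      # exact address, not a substring
        peer[++total] = addr
        conn[total] = here " " addr " " port
    }
    END {
        for (i = 1; i <= total; i++)
            if (count[peer[i]] > limit + 0) print "tcpdrop " conn[i]
    }'
}

# Constructed sample input (documentation addresses, not real traffic).
sample_netstat() {
    cat <<'EOF'
Active Internet connections
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 192.0.2.10.80          203.0.113.7.51001      ESTABLISHED
tcp4       0      0 192.0.2.10.80          203.0.113.7.51002      FIN_WAIT_2
tcp4       0      0 192.0.2.10.80          203.0.113.7.51003      ESTABLISHED
tcp4       0      0 192.0.2.10.80          203.0.113.70.40000     ESTABLISHED
tcp4       0      0 192.0.2.10.22          198.51.100.9.60000     ESTABLISHED
tcp4       0      0 *.80                   *.*                    LISTEN
EOF
}

sample_netstat | drop_cmds 2   # real use: netstat -n -p tcp | drop_cmds 10
```

Review the printed commands first, then append "| sh" to run them, as in the one-liner above.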