From owner-freebsd-questions@FreeBSD.ORG Tue May 24 21:01:04 2011
From: Greg Larkin <glarkin@FreeBSD.org>
Organization: The FreeBSD Project
Date: Tue, 24 May 2011 17:00:57 -0400
To: Andy Wodfer
Cc: freebsd-questions
Subject: Re: Urgent: Under attack - need tcpdrop help
Message-ID: <4DDC1C89.1030706@FreeBSD.org>
References: <4DDC182F.1090404@FreeBSD.org>

On 5/24/11 4:48 PM, Andy Wodfer wrote:
> Thanks!
> That would work on all my servers except this one .. which runs 6.3 STABLE
> (due to some old services requiring old software).
>
> Any other suggestions?
>
> Thanks!
>
> Andy

Ok, here goes:

netstat -an | grep ^tcp | grep -v LISTEN | awk '{ print $5 }' | egrep -v '^(172\.16|192\.168|127\.0)' | cut -f1-4 -d\. | awk '{ a[$1]++ } END { for (i in a) { if (a[i] > 10) { print i; } } }' | xargs -n1 -I % sh -c 'sockstat -c | grep -F "%:"' | awk '{ print $6 " " $7 }' | sed -e 's/:/ /g' -e 's/^/tcpdrop /'

Paste that all on one line, and it should print (but not execute!) tcpdrop
commands for IPs that have more than 10 connections to your server. The
commands will work on 6.x and later versions of the OS, since it doesn't use
"tcpdrop -l -a".

If you like the output and want to actually run the tcpdrop commands, add
"| sh" to the end of the pipeline.

YMMV, because I didn't actually execute the commands. I just printed the
tcpdrop commands, and they looked good.

Good luck,
Greg

> On Tue, May 24, 2011 at 10:42 PM, Greg Larkin wrote:
>> On 5/24/11 4:29 PM, Andy Wodfer wrote:
>>> Hi,
>>> One of my FreeBSD servers is currently being attacked (DDOS) and I'm
>>> blocking IP addresses in my firewall. However, there are a large number of
>>> hung tcp connections and I want them gone.
>>>
>>> Can anyone help me with a script (command line) that can read a netstat -n
>>> and tcpdrop all IP addresses that have more than 10 connections, or a more
>>> manual command where I can input an IP and it will drop all connections from
>>> that IP regardless of port?
>>>
>>> Thanks in advance!
>>>
>>> Shell scripting isn't what I'm best at unfortunately ...
>>>
>>> Andy
>>
>> Hi Andy,
>>
>> This will drop all connections to/from IP address 192.168.22.22:
>>
>> tcpdrop -l -a | grep 192.168.22.22 | sh
>>
>> Just substitute your desired IP address, and that will do the trick.
>>
>> Good luck,
>> Greg

-- 
Greg Larkin
http://www.FreeBSD.org/ - The Power To Serve
http://www.sourcehosting.net/ - Ready. Set. Code.
http://twitter.com/cpucycle/ - Follow you, follow me
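A fuller version of the same idea, added here as an example and not code from Greg's post or from the FreeBSD project: a POSIX sh script that reads "netstat -an" output and emits one "tcpdrop laddr lport faddr fport" line per connection to any peer holding more than a threshold number of connections. Unlike the one-liner above it works from the netstat listing alone (no second lookup through sockstat), keys on the exact peer address rather than a substring match (so 198.51.100.7 never pulls in 198.51.100.70), and skips all of 10/8, 172.16/12, 192.168/16 and 127/8 rather than only the two prefixes in the original. The netstat excerpt embedded below is constructed sample data using RFC 5737 test addresses so the script runs offline; the function name, the file argument and the threshold value are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original mailing-list post.
# Generates "tcpdrop laddr lport faddr fport" commands for every IPv4 TCP
# connection whose peer holds more than THRESHOLD connections, working from
# "netstat -an" output alone. Sample input is constructed so this runs offline;
# on a FreeBSD host use the live listing:
#     netstat -an > /tmp/ns.txt && tcpdrop_cmds /tmp/ns.txt 10

# tcpdrop_cmds NETSTAT_FILE THRESHOLD
# Reads FreeBSD "netstat -an" lines (addresses printed as a.b.c.d.port) and
# prints one tcpdrop command per connection to a peer with more than THRESHOLD
# connections. LISTEN sockets and RFC 1918 / loopback peers are ignored.
tcpdrop_cmds() {
    awk -v limit="$2" '
        # a.b.c.d.port -> a.b.c.d ("" for wildcards such as *.*)
        function host(addr, p, n) {
            n = split(addr, p, ".")
            return (n == 5) ? (p[1] "." p[2] "." p[3] "." p[4]) : ""
        }
        # a.b.c.d.port -> port (last dot-separated piece)
        function port(addr, p, n) { n = split(addr, p, "."); return p[n] }

        $1 ~ /^tcp4/ && $6 != "LISTEN" {
            laddr = host($4); peer = host($5)
            if (laddr == "" || peer == "") next      # wildcard or malformed line
            if (peer ~ /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/) next
            count[peer]++                            # exact key: 198.51.100.7 != 198.51.100.70
            conn[++nconn] = laddr " " port($4) " " peer " " port($5)
            owner[nconn] = peer
        }
        END {
            for (i = 1; i <= nconn; i++)
                if (count[owner[i]] > limit) print "tcpdrop " conn[i]
        }
    ' "$1"
}

# write_sample_netstat FILE: constructed "netstat -an" excerpt (RFC 5737 test
# addresses, not a real capture). 198.51.100.7 holds three connections in
# mixed states, 198.51.100.70 holds one, and 192.168.1.5 is a private peer
# that must be skipped regardless of its count.
write_sample_netstat() {
    cat > "$1" <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  203.0.113.10.80        198.51.100.7.51234     ESTABLISHED
tcp4       0      0  203.0.113.10.80        198.51.100.7.51235     CLOSE_WAIT
tcp4       0      0  203.0.113.10.80        198.51.100.7.51236     FIN_WAIT_2
tcp4       0      0  203.0.113.10.80        198.51.100.70.40001    ESTABLISHED
tcp4       0      0  203.0.113.10.22        192.168.1.5.60000      ESTABLISHED
tcp4       0      0  203.0.113.10.22        192.168.1.5.60001      ESTABLISHED
tcp4       0      0  203.0.113.10.22        192.168.1.5.60002      ESTABLISHED
tcp4       0      0  *.80                   *.*                    LISTEN
udp4       0      0  *.514                  *.*
EOF
}

# Demo on the constructed sample with a threshold of 2: prints the three
# commands for 198.51.100.7 and nothing else. Review the output first; append
# "| sh" to actually drop the connections on the host.
sample=$(mktemp)
write_sample_netstat "$sample"
tcpdrop_cmds "$sample" 2
rm -f "$sample"
```

The threshold is strict, matching the original's `a[i] > 10`. Run it after the firewall rules are in place, otherwise the peer simply reconnects and the counts climb back; a second pass over a fresh `netstat -an` confirms the table is clear.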