From: Andy Wodfer
To: glarkin@freebsd.org
Cc: freebsd-questions
Date: Wed, 25 May 2011 00:09:36 +0200
Subject: Re: Urgent: Under attack - need tcpdrop help
In-Reply-To: <4DDC1C89.1030706@FreeBSD.org>
Thanks a lot! That was very helpful! Things have calmed down now.

However, I was surprised to see how quickly the tcp connections came back in netstat. Have to take a closer look at my firewall I guess.

Cheers!
Andy

On Tue, May 24, 2011 at 11:00 PM, Greg Larkin wrote:
> On 5/24/11 4:48 PM, Andy Wodfer wrote:
> > Thanks!
> > That would work on all my servers except this one .. which runs 6.3 STABLE
> > (due to some old services requiring old software).
> >
> > Any other suggestions?
> >
> > Thanks!
> >
> > Andy
>
> Ok, here goes:
>
> netstat -an | grep ^tcp | grep -v LISTEN | awk '{ print $5 }' | egrep -v '^(172\.16|192\.168|127\.0)' | cut -f1-4 -d\. | awk '{ a[$1]++ } END { for (i in a) { if (a[i] > 10) { print i; } } }' | xargs -n1 -I % sh -c 'sockstat -c | grep %' | awk '{ print $6 " " $7 }' | sed -e 's/:/ /g' -e 's/^/tcpdrop /'
>
> Paste that all on one line, and it should print (but not execute!) tcpdrop commands for IPs that have more than 10 connections to your server. The commands will work on 6.x and later versions of the OS, since it doesn't use "tcpdrop -l -a".
>
> If you like the output and want to actually run the tcpdrop commands, add "| sh" to the end of the pipeline.
>
> YMMV, because I didn't actually execute the commands. I just printed the tcpdrop commands, and they looked good.
>
> Good luck,
> Greg
>
> > On Tue, May 24, 2011 at 10:42 PM, Greg Larkin wrote:
> > > On 5/24/11 4:29 PM, Andy Wodfer wrote:
> > > > Hi,
> > > > One of my FreeBSD servers is currently being attacked (DDOS) and I'm blocking IP addresses in my firewall. However, there are a large number of hung tcp connections and I want them gone.
> > > >
> > > > Can anyone help me with a script (command line) that can read a netstat -n and tcpdrop all IP addresses that have more than 10 connections, or a more manual command where I can input an IP and it will drop all connections from that IP regardless of port?
> > > >
> > > > Thanks in advance!
> > > >
> > > > Shell scripting isn't what I'm best at unfortunately ...
> > > >
> > > > Andy
> > >
> > > Hi Andy,
> > >
> > > This will drop all connections to/from IP address 192.168.22.22:
> > >
> > > tcpdrop -l -a | grep 192.168.22.22 | sh
> > >
> > > Just substitute your desired IP address, and that will do the trick.
> > >
> > > Good luck,
> > > Greg
>
> --
> Greg Larkin
> http://www.FreeBSD.org/ - The Power To Serve
> http://www.sourcehosting.net/ - Ready. Set. Code.
> http://twitter.com/cpucycle/ - Follow you, follow me
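A sturdier form of the pipeline Greg sketches above, added here as an example that is not from the thread: it reads FreeBSD `netstat -an` output on stdin, counts connections per foreign address exactly (so 203.0.113.10 is never confused with 203.0.113.100 by a substring match), skips RFC 1918 and loopback peers, and prints, rather than runs, one `tcpdrop laddr lport faddr fport` line per connection from any address over the threshold. The netstat sample is constructed, and the threshold of 2 is only for the demonstration; the default is the 10 Andy asked for.

```shell
#!/bin/sh
# Constructed sample of FreeBSD `netstat -an` output (addresses are a.b.c.d.port).
# 203.0.113.10 has three connections; 203.0.113.100 has one and must not be
# counted against it by a substring match.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.0.0.5.80            203.0.113.10.40001     ESTABLISHED
tcp4       0      0  10.0.0.5.80            203.0.113.10.40002     ESTABLISHED
tcp4       0      0  10.0.0.5.80            203.0.113.10.40003     ESTABLISHED
tcp4       0      0  10.0.0.5.80            203.0.113.100.5001     ESTABLISHED
tcp4       0      0  10.0.0.5.22            192.168.1.9.51000      ESTABLISHED
tcp4       0      0  *.80                   *.*                    LISTEN'

# Usage: netstat -an | tcpdrop_cmds [threshold]
# Prints (never executes) one tcpdrop command per connection whose foreign
# address holds more than THRESHOLD non-listening sockets. Append "| sh" only
# after reviewing the printed list.
tcpdrop_cmds() {
    thr="${1:-10}"
    awk -v thr="$thr" '
        /^tcp/ && $NF != "LISTEN" {
            n = split($5, f, ".")          # foreign address: a.b.c.d.port
            if (n != 5) next               # skip IPv6 and wildcard entries
            ip = f[1] "." f[2] "." f[3] "." f[4]
            # leave private (RFC 1918) and loopback peers alone
            if (ip ~ /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/) next
            split($4, l, ".")              # local address: a.b.c.d.port
            cnt[ip]++
            peer[NR] = ip
            cmd[NR] = "tcpdrop " l[1] "." l[2] "." l[3] "." l[4] " " l[5] " " ip " " f[5]
        }
        END {
            # emit in netstat order, only for peers over the threshold
            for (i = 1; i <= NR; i++)
                if ((i in cmd) && cnt[peer[i]] > thr) print cmd[i]
        }'
}

# Demonstration with the constructed sample and a low threshold of 2.
printf '%s\n' "$SAMPLE_NETSTAT" | tcpdrop_cmds 2
```

On a live box, `netstat -an | tcpdrop_cmds` uses the default threshold of 10; the printed commands are the ones Greg's pipeline would hand to `sh`.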