From: Gary Gatten <Ggatten@waddell.com>
To: 'Andy Wodfer', "glarkin@freebsd.org"
Cc: freebsd-questions
Date: Tue, 24 May 2011 17:12:08 -0500
Subject: RE: Urgent: Under attack - need tcpdrop help
FWIW, you may also try "null routing" the suspicious / bad IP ranges vs. adding to firewall confs. Typically far less overhead, and perhaps "easier". YMMV.

G

-----Original Message-----
From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Andy Wodfer
Sent: Tuesday, May 24, 2011 5:10 PM
To: glarkin@freebsd.org
Cc: freebsd-questions
Subject: Re: Urgent: Under attack - need tcpdrop help

Thanks a lot! That was very helpful! Things have calmed down now.

However, I was surprised to see how quickly the tcp connections came back in netstat. Have to take a closer look at my firewall I guess.

Cheers!
Andy

On Tue, May 24, 2011 at 11:00 PM, Greg Larkin wrote:
> On 5/24/11 4:48 PM, Andy Wodfer wrote:
> > Thanks! That would work on all my servers except this one .. which runs 6.3 STABLE (due to some old services requiring old software).
> >
> > Any other suggestions?
> >
> > Thanks!
> >
> > Andy
>
> Ok, here goes:
>
> netstat -an | grep ^tcp | grep -v LISTEN | awk '{ print $5 }' | egrep -v '^(172\.16|192\.168|127\.0)' | cut -f1-4 -d\. | awk '{ a[$1]++ } END { for (i in a) { if (a[i] > 10) { print i; } } }' | xargs -n1 -I % sh -c 'sockstat -c | grep %' | awk '{ print $6 " " $7 }' | sed -e 's/:/ /g' -e 's/^/tcpdrop /'
>
> Paste that all on one line, and it should print (but not execute!) tcpdrop commands for IPs that have more than 10 connections to your server. The commands will work on 6.x and later versions of the OS, since it doesn't use "tcpdrop -l -a".
>
> If you like the output and want to actually run the tcpdrop commands, add "| sh" to the end of the pipeline.
>
> YMMV, because I didn't actually execute the commands. I just printed the tcpdrop commands, and they looked good.
>
> Good luck,
> Greg
>
> > On Tue, May 24, 2011 at 10:42 PM, Greg Larkin wrote:
> > > On 5/24/11 4:29 PM, Andy Wodfer wrote:
> > > > Hi,
> > > > One of my FreeBSD servers is currently being attacked (DDOS) and I'm blocking IP addresses in my firewall. However, there are a large number of hung tcp connections and I want them gone.
> > > >
> > > > Can anyone help me with a script (command line) that can read a netstat -n and tcpdrop all IP addresses that have more than 10 connections, or a more manual command where I can input an IP and it will drop all connections from that IP regardless of port?
> > > >
> > > > Thanks in advance!
> > > >
> > > > Shell scripting isn't what I'm best at unfortunately ...
> > > >
> > > > Andy
> > >
> > > Hi Andy,
> > >
> > > This will drop all connections to/from IP address 192.168.22.22:
> > >
> > > tcpdrop -l -a | grep 192.168.22.22 | sh
> > >
> > > Just substitute your desired IP address, and that will do the trick.
> > >
> > > Good luck,
> > > Greg
> > >
> > > _______________________________________________
> > > freebsd-questions@freebsd.org mailing list
> > > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>
> --
> Greg Larkin
>
> http://www.FreeBSD.org/ - The Power To Serve
> http://www.sourcehosting.net/ - Ready. Set. Code.
> http://twitter.com/cpucycle/ - Follow you, follow me
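Greg's one-liner does two jobs: count foreign addresses in netstat -an output and then turn sockstat -c rows for the noisy ones into tcpdrop commands. The script below is an added example, not code from the thread or from FreeBSD, that splits those two jobs into shell functions (noisy_ips and tcpdrop_cmds are my names) and runs them over constructed sample output so the logic can be checked offline. It assumes FreeBSD's column layout (netstat foreign address as A.B.C.D.port in column 5, sockstat local/foreign as host:port in columns 6 and 7); all addresses are made-up documentation-range values. It goes slightly beyond Greg's version in two places: it excludes all RFC 1918 space plus loopback rather than only 172.16/192.168/127.0, and it compares the foreign address exactly instead of substring-matching with grep %, so selecting 203.0.113.7 does not also pick up 203.0.113.70. Like Greg's pipeline it prints the tcpdrop commands and never executes them.

```shell
#!/bin/sh
# Added example (not from the thread). Counts per-IP TCP connections from
# FreeBSD-style `netstat -an` output and emits tcpdrop commands from
# `sockstat -c` output for the offending addresses. Dry run only.

# Constructed `netstat -an` sample (hypothetical addresses, FreeBSD layout:
# foreign address is A.B.C.D.port in column 5, state is the last column).
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.0.0.5.80            203.0.113.7.51234      ESTABLISHED
tcp4       0      0  10.0.0.5.80            203.0.113.7.51235      ESTABLISHED
tcp4       0      0  10.0.0.5.80            203.0.113.7.51236      SYN_RCVD
tcp4       0      0  10.0.0.5.80            198.51.100.9.40001     ESTABLISHED
tcp4       0      0  10.0.0.5.80            192.168.1.20.33000     ESTABLISHED
tcp4       0      0  10.0.0.5.80            192.168.1.20.33001     ESTABLISHED
tcp4       0      0  10.0.0.5.80            192.168.1.20.33002     ESTABLISHED
tcp4       0      0  *.80                   *.*                    LISTEN
udp4       0      0  *.514                  *.*'

# Constructed `sockstat -c` sample (hypothetical; note 203.0.113.70, which a
# plain `grep 203.0.113.7` would also match).
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      httpd      1234  3  tcp4   10.0.0.5:80           203.0.113.7:51234
www      httpd      1235  3  tcp4   10.0.0.5:80           203.0.113.7:51235
www      httpd      1236  3  tcp4   10.0.0.5:80           203.0.113.70:40002
www      httpd      1237  3  tcp4   10.0.0.5:80           198.51.100.9:40001'

# noisy_ips THRESHOLD  (netstat -an output on stdin)
# Prints each public IPv4 foreign address with more than THRESHOLD TCP
# connections (LISTEN sockets and UDP ignored), one per line, sorted.
noisy_ips() {
  awk -v t="$1" '
    $1 ~ /^tcp/ && $NF != "LISTEN" {
      n = split($5, f, "[.]")
      if (n != 5) next          # not an IPv4 addr.port pair (e.g. *.* or IPv6)
      ip = f[1] "." f[2] "." f[3] "." f[4]
      # skip RFC 1918 and loopback space (Greg only skipped 172.16/192.168/127.0)
      if (ip ~ /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/) next
      a[ip]++
    }
    END { for (ip in a) if (a[ip] > t) print ip }
  ' | sort
}

# tcpdrop_cmds IP  (sockstat -c output on stdin)
# Prints "tcpdrop laddr lport faddr fport" for every TCP socket whose foreign
# address is exactly IP. Exact comparison avoids the substring pitfall of grep.
tcpdrop_cmds() {
  awk -v ip="$1" '
    $5 ~ /^tcp/ {
      split($6, l, ":"); split($7, f, ":")
      if (f[1] == ip) print "tcpdrop " l[1] " " l[2] " " f[1] " " f[2]
    }
  '
}

# Dry run over the samples: print the commands, do not execute them.
# On a real box you would feed `netstat -an` and `sockstat -c` instead and
# pipe the result to sh only after reviewing it, as Greg advised.
printf '%s\n' "$SAMPLE_NETSTAT" | noisy_ips 2 | while read -r ip; do
  printf '%s\n' "$SAMPLE_SOCKSTAT" | tcpdrop_cmds "$ip"
done
```

With threshold 2 the sample yields only 203.0.113.7 (198.51.100.9 has one connection and 192.168.1.20 is private), and the generated commands cover its two sockets but not the 203.0.113.70 row.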