Date:      Wed, 25 May 2011 15:59:30 +0200
From:      Damien Fleuriot <ml@my.gd>
To:        freebsd-questions@freebsd.org
Subject:   Re: Urgent: Under attack - need tcpdrop help
Message-ID:  <4DDD0B42.7070305@my.gd>
In-Reply-To: <BANLkTikGjnh-cfO_dtk=jf6ZVNiY=x8nqw@mail.gmail.com>
References:  <BANLkTikGjnh-cfO_dtk=jf6ZVNiY=x8nqw@mail.gmail.com>



On 5/24/11 10:29 PM, Andy Wodfer wrote:
> Hi,
> One of my FreeBSD servers is currently being attacked (DDOS) and I'm
> blocking IP addresses in my firewall. However, there are a large number of
> hung tcp connections and I want them gone.
> 
> Can anyone help me with a script (command line) that can read a netstat -n
> and tcpdrop all IP addresses that have more than 10 connections, or a more
> manual command where I can input an IP and it will drop all connections from
> that IP regardless of port?
> 
> Thanks in advance!
> 
> Shell scripting isn't what I'm best at unfortunately ...
> 
> Andy
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"



Basically, if the attacker is sending spoofed TCP packets, it leaves
your box expecting the rest of the TCP handshake, which will never arrive.

Firewalling these will not work because you'd be blocking possibly
thousands of spoofed addresses, and you'll fill your firewall's tables.

Your upstream network provider should be equipped with anti DDOS
hardware and your best move is to actually contact their NOC to have
some mitigation measures put in place.


What firewall are you running on the 6.3 box?



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4DDD0B42.7070305>
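The quoted request above (read netstat -n, tcpdrop every peer with more than 10 connections, or drop everything from one given IP regardless of port) can be done with awk on a FreeBSD box. The following is an added example, not code from either poster. It assumes FreeBSD's `netstat -n -p tcp` column layout (local and foreign addresses written as `address.port`, state in the last column) and the `tcpdrop laddr lport faddr fport` argument order of tcpdrop(8). The netstat sample embedded below is constructed for the example, not captured from the poster's machine; the functions only print the tcpdrop commands, so they run harmlessly anywhere and can be piped into `sh` as root on the affected host.

```shell
#!/bin/sh
# Added example: turn FreeBSD `netstat -n -p tcp` output into tcpdrop(8)
# commands. Constructed sample input (not from the poster's box):
SAMPLE_NETSTAT='Active Internet connections
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 192.0.2.10.80          198.51.100.7.51234     SYN_RCVD
tcp4       0      0 192.0.2.10.80          198.51.100.7.51235     SYN_RCVD
tcp4       0      0 192.0.2.10.80          198.51.100.7.51236     SYN_RCVD
tcp4       0      0 192.0.2.10.80          203.0.113.9.40001      ESTABLISHED
tcp4       0      0 192.0.2.10.22          203.0.113.9.40002      ESTABLISHED
tcp6       0      0 2001:db8::10.80        2001:db8:f00::5.60000  ESTABLISHED
tcp4       0      0 *.80                   *.*                    LISTEN'

# Normalise netstat lines on stdin into "laddr lport faddr fport" tuples.
# FreeBSD separates address and port with a dot, so split at the LAST dot;
# that also works for IPv6 ("2001:db8::10.80"). Listening sockets have a
# foreign address of "*.*" and are skipped: there is nothing to drop there.
tcp_tuples() {
  awk '$1 ~ /^tcp/ && NF >= 6 && $5 !~ /\*/ {
      laddr = $4; lport = $4; faddr = $5; fport = $5
      sub(/\.[^.]*$/, "", laddr); sub(/.*\./, "", lport)
      sub(/\.[^.]*$/, "", faddr); sub(/.*\./, "", fport)
      print laddr, lport, faddr, fport
  }'
}

# Emit one tcpdrop command per connection whose foreign IP holds more
# than $1 connections in the input (the "more than 10" case).
tcpdrop_busy_peers() {
  tcp_tuples | awk -v limit="$1" '
      { n++; line[n] = $0; peer[n] = $3; count[$3]++ }
      END { for (i = 1; i <= n; i++)
                if (count[peer[i]] > limit) print "tcpdrop " line[i] }'
}

# Emit one tcpdrop command per connection from a single foreign IP,
# whatever the ports (the "input an IP" case).
tcpdrop_peer() {
  tcp_tuples | awk -v ip="$1" '$3 == ip { print "tcpdrop " $0 }'
}

# Demonstration on the constructed sample; on the real box replace
# `printf ... "$SAMPLE_NETSTAT"` with `netstat -n -p tcp` and append `| sh`
# (as root) once the printed commands look right.
printf '%s\n' "$SAMPLE_NETSTAT" | tcpdrop_busy_peers 2
printf '%s\n' "$SAMPLE_NETSTAT" | tcpdrop_peer 203.0.113.9
```

Review the generated list before piping it into `sh`: with a threshold of 10 the first command above is `netstat -n -p tcp | tcpdrop_busy_peers 10 | sh`. As the reply points out, if the flood is spoofed SYNs the SYN_RCVD entries will be recreated as fast as they are dropped and the "busy" addresses are not real peers, so this clears the backlog but does not stop the attack.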