From: Damien Fleuriot <ml@my.gd>
Date: Wed, 25 May 2011 15:59:30 +0200
To: freebsd-questions@freebsd.org
Subject: Re: Urgent: Under attack - need tcpdrop help

On 5/24/11 10:29 PM, Andy Wodfer wrote:
> Hi,
> One of my FreeBSD servers is currently being attacked (DDOS) and I'm
> blocking IP addresses in my firewall. However, there are a large number of
> hung tcp connections and I want them gone.
>
> Can anyone help me with a script (command line) that can read a netstat -n
> and tcpdrop all IP addresses that have more than 10 connections, or a more
> manual command where I can input an IP and it will drop all connections from
> that IP regardless of port?
>
> Thanks in advance!
>
> Shell scripting isn't what I'm best at unfortunately ...
>
> Andy
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

Basically, if the attacker is sending spoofed TCP packets, it leaves your box expecting the rest of the TCP handshake, which will never arrive.

Firewalling these will not work because you'd be blocking possibly thousands of spoofed addresses, and you'll fill your firewall's tables.

Your upstream network provider should be equipped with anti-DDOS hardware, and your best move is to actually contact their NOC to have some mitigation measures put in place.

What firewall are you running on the 6.3 box?
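Added example (not code from anyone in this thread): a POSIX sh/awk helper that does what Andy asked for in both forms, turning FreeBSD `netstat -n -p tcp` output into one `tcpdrop(8)` command per connection, either for every foreign address with more than N connections or for one given address regardless of port. It assumes FreeBSD's `address.port` notation (last dot separates the port, which also works for IPv6 entries) and tcpdrop's `laddr lport faddr fport` argument order. The netstat sample embedded below is constructed for illustration, not captured from the poster's box.

```shell
#!/bin/sh
# Added example: generate tcpdrop(8) commands from FreeBSD `netstat -n -p tcp`.
# Assumptions: FreeBSD "address.port" notation in columns 4 and 5, state in
# column 6, and tcpdrop's "laddr lport faddr fport" argument order.

# Constructed sample of FreeBSD netstat output (not a real capture).
# 203.0.113.7 has 3 connections, 2001:db8::bad has 2, 198.51.100.9 has 1.
SAMPLE_NETSTAT='Active Internet connections
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 10.0.0.5.80            203.0.113.7.51234      SYN_RCVD
tcp4       0      0 10.0.0.5.80            203.0.113.7.51235      SYN_RCVD
tcp4       0      0 10.0.0.5.443           203.0.113.7.51236      ESTABLISHED
tcp4       0      0 10.0.0.5.22            198.51.100.9.40000     ESTABLISHED
tcp4       0      0 *.80                   *.*                    LISTEN
tcp6       0      0 2001:db8::5.80         2001:db8::bad.6000     SYN_RCVD
tcp6       0      0 2001:db8::5.80         2001:db8::bad.6001     SYN_RCVD'

# tcpdrop_cmds THRESHOLD [FOREIGN_IP]
# Reads netstat output on stdin and prints tcpdrop commands (does not run them).
#   - With only THRESHOLD: one command per connection whose foreign address
#     has more than THRESHOLD connections in total (Andy's "more than 10").
#   - With FOREIGN_IP: one command per connection from that address, any port;
#     THRESHOLD is ignored in this mode.
tcpdrop_cmds() {
    awk -v thr="$1" -v want="$2" '
        # Split "addr.port" at the final dot. Works for IPv4 (1.2.3.4.80)
        # and IPv6 (2001:db8::5.80), since IPv6 addresses contain no dots.
        function split_ap(ap, out,   i) {
            i = match(ap, /\.[^.]*$/)
            out[1] = substr(ap, 1, i - 1)
            out[2] = substr(ap, i + 1)
        }
        # Keep tcp4/tcp6 rows with a real peer; skip headers and LISTEN sockets.
        $1 ~ /^tcp/ && $5 != "*.*" && $6 != "LISTEN" {
            split_ap($4, l); split_ap($5, f)
            n++
            laddr[n] = l[1]; lport[n] = l[2]; faddr[n] = f[1]; fport[n] = f[2]
            count[f[1]]++
        }
        END {
            for (k = 1; k <= n; k++)
                if (want != "" ? faddr[k] == want : count[faddr[k]] > thr)
                    printf "tcpdrop %s %s %s %s\n", laddr[k], lport[k], faddr[k], fport[k]
        }'
}

# Number of tcpdrop commands the sample would produce for the given arguments.
count_drops() {
    printf '%s\n' "$SAMPLE_NETSTAT" | tcpdrop_cmds "$@" | wc -l | tr -d ' '
}

# Demo against the constructed sample: peers with more than 2 connections.
printf '%s\n' "$SAMPLE_NETSTAT" | tcpdrop_cmds 2
```

On the box itself you would run `netstat -n -p tcp | tcpdrop_cmds 10` first to review the list, then pipe it into `sh` to execute the drops, or `netstat -n -p tcp | tcpdrop_cmds 0 203.0.113.7 | sh` for a single peer. Note that this only helps against the peers that repeat: a flood of SYNs from thousands of spoofed sources never crosses a per-address threshold, which is exactly the point Damien makes above about why per-IP blocking does not scale for this attack.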