LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 11-28-2009, 10:26 AM   #1
ndduy
LQ Newbie
 
Registered: Nov 2009
Posts: 3

Rep: Reputation: 0
Help me. My server is attacked by DDoS


I want to write a script to use against DDoS, but I'm a newbie and I can't do it.
I have a log file: www.mediafire.com/?yz2njlm0kzj . I want to read the DDoS IP address from the log file, and after that I want to add that IP to the firewall. I can do it by hand, but I want a script that can autorun every 5 min on my server.

Thanks.
 
Old 11-28-2009, 12:22 PM   #2
junust
Member
 
Registered: Jul 2008
Location: Israel Ramat Gan
Distribution: CentOs 5.3, SuSe 11.1, Solaris 9, Slackware 13
Posts: 81

Rep: Reputation: 15
Hi man,
Do you really want us to understand what you want to do?

What script do you want to write? Do you want to block the IP address which is trying to attack you?
 
Old 11-28-2009, 12:40 PM   #3
JK3mp
Member
 
Registered: May 2009
Distribution: Slackware 13.0
Posts: 30

Rep: Reputation: 15
I believe iptables+ipchains can do this on their own if properly configured. The only true way to negate DDoS attacks is to have an external firewall to filter and stop the packets before they reach the target machine.
 
Old 11-28-2009, 04:19 PM   #4
saavik
Member
 
Registered: Nov 2001
Location: NRW, Germany
Distribution: SLES / FC/ OES / CentOS
Posts: 614

Rep: Reputation: 32
You could use something like this:

http://www.pettingers.org/code/sshblack.html

or you could tell iptables to let a client only connect to the server 5 times in a second.

Syn-flood protection:

# iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

Ok, that should help, if you edit it.
 
Old 11-28-2009, 05:10 PM   #5
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by saavik View Post
or you could tell iptables to let a client only connect to the server 5 time in a second.

Syn-flood protection:

# iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

Ok, that should help, if you edit it.
That's not SYN flood protection. In fact, that rule just makes you even more vulnerable. You might wanna look into TCP SYN cookies and the iptables recent module. That said, even though I haven't seen the log file yet, nothing in the OP mentions a SYN flood (which BTW uses IP spoofing, making DDoS unnecessary).

Last edited by win32sux; 11-28-2009 at 05:14 PM.
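What the two things win32sux points to look like in practice, as an added example that is not code from the thread or from any poster: the post #4 rule is kept only as a comment, next to a per-source limit built on the iptables recent module and the tcp_syncookies sysctl. The chain, counter names and the 5060 port are assumptions for the example, not something the thread states; the log above is SIP, which normally runs over UDP, so the SYN-specific parts do not apply to it, and the udp variant of the function is the one that matches the per-source counting the OP asked for. IPT and SYSCTL default to a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example (not code from the thread): the iptables "recent" module
# and SYN cookies, beside the global --limit rule from post #4. Counter and
# chain names are assumptions for this example. IPT/SYSCTL default to a dry
# run that prints the commands; set IPT=iptables SYSCTL=sysctl and run as
# root to apply them.
IPT=${IPT:-"echo iptables"}
SYSCTL=${SYSCTL:-"echo sysctl"}

# The rule from post #4 (kept as a comment, deliberately not applied):
#   iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
# It lets ONE SYN per second through for all sources combined; a flood
# takes that token every second, so legitimate clients are the ones that
# end up dropped. It also sits in FORWARD, so it never sees traffic
# addressed to the host itself.

# SYN cookies: when the SYN backlog fills, the kernel encodes the
# connection state in the SYN-ACK sequence number instead of storing it,
# so a spoofed SYN flood cannot exhaust the listen queue.
enable_syncookies() {
    $SYSCTL -w net.ipv4.tcp_syncookies=1
}

# install_rate_limit PROTO PORT MAX WINDOW: a per-source limit, so only
# the offending address is dropped. For tcp only connection attempts
# (SYN / conntrack NEW) are counted; for udp every datagram counts, which
# is what a SIP INVITE flood on 5060/udp calls for.
install_rate_limit() {
    proto=$1; port=$2; max=$3; window=$4
    case $proto in
        tcp) new="--syn -m conntrack --ctstate NEW" ;;
        udp) new="" ;;
        *)   echo "install_rate_limit: unsupported protocol $proto" >&2; return 1 ;;
    esac
    name="rl_${proto}_${port}"
    # First rule records the source; the second drops it once it has MAX
    # hits inside WINDOW seconds. --update also refreshes the timestamp, so
    # a source that keeps hammering stays blocked. --hitcount cannot exceed
    # the xt_recent ip_pkt_list_tot module parameter (default 20).
    $IPT -A INPUT -p "$proto" --dport "$port" $new \
        -m recent --name "$name" --set
    $IPT -A INPUT -p "$proto" --dport "$port" $new \
        -m recent --name "$name" --update --seconds "$window" --hitcount "$max" -j DROP
}

# Demonstration (dry run by default): SIP signalling on 5060, at most five
# requests per source per second, the threshold the OP states later on.
enable_syncookies
install_rate_limit udp 5060 5 1
install_rate_limit tcp 5060 5 1
```

The important difference from the post #4 rule is that `-m recent` keeps one counter per source address: an attacker exceeding the limit is dropped while everyone else continues untouched, whereas `-m limit` keeps a single global bucket that the attacker drains for all clients.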
 
Old 11-28-2009, 05:46 PM   #6
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Here's a copy of the log file snippet, in order to make things simpler:
Code:
Oct 25 11:08:41 sip /usr/local/sbin/openser[7026]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:16436366363@222.255.236.134 ; IP=118.68.249.236 ; ID=e378ead83d794dfa821b40553f113baa 

Oct 25 11:08:41 sip /usr/local/sbin/openser[7026]: radius_www_authorize failed ; M=REGISTER ; F=sip:6959754527@sip04.worldfone.com.vn:5080 ; T=sip:6959754527@sip04.worldfone.com.vn:5080 ; IP=123.19.209.34 ; ID=ddb0f195-baee-1810-9ef6-00138fa3fcf2@192.168.1.2 

Oct 25 11:08:41 sip /usr/local/sbin/openser[7030]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:15363737373@222.255.236.134 ; IP=118.68.249.236 ; ID=315c9b96237240e69c056456b0996f1e 

Oct 25 11:08:41 sip /usr/local/sbin/openser[7030]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:1536376373@222.255.236.134 ; IP=118.68.249.236 ; ID=49c2d380ee6744b68f7d00cb6e745648 

Oct 25 11:08:41 sip /usr/local/sbin/openser[7030]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:25252525522@222.255.236.134 ; IP=118.68.249.236 ; ID=1491eed6cfd94f1cb92a0d3d56a9d0f0 

Oct 25 11:08:41 sip rtpproxy[19983]: INFO:handle_command: delete request failed: session 89ecd5cc-b5ff-1810-9e39-002100248849@192.168.1.109, tags edecd5cc-b5ff-1810-9e39-002100248849/E688364-458 not found

Oct 25 11:08:41 sip /usr/local/sbin/openser[7030]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:1537373737@222.255.236.134 ; IP=118.68.249.236 ; ID=839f4e3fd0ed432897bb5857dbbd289d 

Oct 25 11:08:41 sip /usr/local/sbin/openser[7030]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:16363737377@222.255.236.134 ; IP=118.68.249.236 ; ID=d89f3851ce4d4508a049bd5a4e6e70a2 

Oct 25 11:08:41 sip /usr/local/sbin/openser[7015]: radius_www_authorize failed ; M=REGISTER ; F=sip:697891317686@sip.worldfone.com.vn ; T=sip:697891317686@sip.worldfone.com.vn ; IP=222.254.192.230 ; ID=pPEqb9G1OodGQezb@192.168.1.4 

Oct 25 11:08:41 sip /usr/local/sbin/openser[7032]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:1537388383@222.255.236.134 ; IP=118.68.249.236 ; ID=d5cd7cdb3db0474abd109bc6f32cb1e6 

Oct 25 11:08:41 sip /usr/local/sbin/openser[7028]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:157637373737@222.255.236.134 ; IP=118.68.249.236 ; ID=9bc0bea3d677469c94db2e6762d5acef 

Oct 25 11:08:41 sip /usr/local/sbin/openser[7032]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:21314134314134@222.255.236.134 ; IP=118.68.249.236 ; ID=ac4fba3e703d46e7b6fe63cd4077f91e 

Oct 25 11:08:41 sip /usr/local/sbin/openser[7032]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:123434234242@222.255.236.134 ; IP=118.68.249.236 ; ID=ed463190eada4451ac03b3896705c6f9 

Oct 25 11:08:41 sip /usr/local/sbin/openser[7028]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:2134323445@222.255.236.134 ; IP=118.68.249.236 ; ID=737eb09dc6784644ae1b262b0f2976a7 

Oct 25 11:08:41 sip /usr/local/sbin/openser[7028]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:123214313413523@222.255.236.134 ; IP=118.68.249.236 ; ID=89ac6c34a98249f0945ddfa2655691ad 

Oct 25 11:08:41 sip /usr/local/sbin/openser[7028]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:1423544254353636@222.255.236.134 ; IP=118.68.249.236 ; ID=20237da884f045768b70e1715c2500e2 

Oct 25 11:08:41 sip /usr/local/sbin/openser[7028]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:124141414141@222.255.236.134 ; IP=118.68.249.236 ; ID=ab5ae83baf534c74958c3a12eff58605 

Oct 25 11:08:41 sip /usr/local/sbin/openser[7032]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:5335353535353@222.255.236.134 ; IP=118.68.249.236 ; ID=725068bfe23b4b469f472f80b1a75cec 

Oct 25 11:08:41 sip /usr/local/sbin/openser[7032]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:143214324242@222.255.236.134 ; IP=118.68.249.236 ; ID=15b9d143e21f4d058a838228f5044146 

Oct 25 11:08:41 sip /usr/local/sbin/openser[7032]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:143214324242@222.255.236.134 ; IP=118.68.249.236 ; ID=63c9200b01724e45887965f7a6432cf8 

Oct 25 11:08:41 sip /usr/local/sbin/openser[7015]: radius_proxy_authorize ; M=INVITE ; F=sip:6970020016@sip.worldfone.com.vn ; T=sip:00819081400768@sip.worldfone.com.vn ; IP=123.24.150.151 ; ID=7ba1f81246a5a52724fdc7ad114041d4@192.168.1.110 

Oct 25 11:08:41 sip /usr/local/sbin/openser[7030]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:1632361236@222.255.236.134 ; IP=118.68.249.236 ; ID=279aaca9d21f496ab3258c1c25c5ac25 

Oct 25 11:08:41 sip /usr/local/sbin/openser[7026]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:3831231@222.255.236.134 ; IP=118.68.249.236 ; ID=1ba6bb18d3ea424aa51a495ac9964678 

Oct 25 11:08:41 sip /usr/local/sbin/openser[7026]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:482948239@222.255.236.134 ; IP=118.68.249.236 ; ID=0aed3e5cb92f4730acf9fa653569ec86 

Oct 25 11:08:41 sip /usr/local/sbin/openser[7032]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:658438428@222.255.236.134 ; IP=118.68.249.236 ; ID=db4920dede6f4a468cc3895371e96118 

Oct 25 11:08:41 sip /usr/local/sbin/openser[7032]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:387373817@222.255.236.134 ; IP=118.68.249.236 ; ID=7020c8e3e9ad466b83d636463c44c7fd 

Oct 25 11:08:41 sip /usr/local/sbin/openser[7026]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:742772727@222.255.236.134 ; IP=118.68.249.236 ; ID=61ec2a6b70934ac189254ddfd43e35d4 

Oct 25 11:08:41 sip /usr/local/sbin/openser[7026]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:8728732782@222.255.236.134 ; IP=118.68.249.236 ; ID=f90a6341ead74d24aad8760a1a7255ce 

Oct 25 11:08:41 sip /usr/local/sbin/openser[7026]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:1626373737@222.255.236.134 ; IP=118.68.249.236 ; ID=f8cc66a8fad04864a4b32ab0fa2b268a 

Oct 25 11:08:41 sip /usr/local/sbin/openser[7026]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:16483882832@222.255.236.134 ; IP=118.68.249.236 ; ID=d8139d841de24b24953c476eac16a701 

Oct 25 11:08:41 sip /usr/local/sbin/openser[7026]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:3727273273@222.255.236.134 ; IP=118.68.249.236 ; ID=d9be1e8dd3c64a458764e3155a0a6542 

Oct 25 11:08:41 sip /usr/local/sbin/openser[7026]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:1536373737@222.255.236.134 ; IP=118.68.249.236 ; ID=de0e620ec96148d4a374f66dd5d7ca3e 

Oct 25 11:08:41 sip /usr/local/sbin/openser[7013]: radius_www_authorize failed ; M=REGISTER ; F=sip:697852360809@sip.worldfone.com.vn ; T=sip:697852360809@sip.worldfone.com.vn ; IP=222.254.192.230 ; ID=27XgZHH7MypfDm8d@192.168.1.3 

Oct 25 11:08:41 sip /usr/local/sbin/openser[7011]: radius_www_authorize failed ; M=REGISTER ; F=sip:6935822062@sip01.worldfone.com.vn ; T=sip:6935822062@sip01.worldfone.com.vn ; IP=125.212.144.214 ; ID=2583727095-001129976@125.212.144.214 

Oct 25 11:08:42 sip /usr/local/sbin/openser[7026]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:38282828283@222.255.236.134 ; IP=118.68.249.236 ; ID=89e688d2e3fd4bbca1d9244dd75db9fa 

Oct 25 11:08:42 sip /usr/local/sbin/openser[7030]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:1526373737@222.255.236.134 ; IP=118.68.249.236 ; ID=3539a90a81bb405aa3eea79e4b1309eb 

Oct 25 11:08:42 sip /usr/local/sbin/openser[7026]: ERROR:auth_radius:radius_authorize_sterman: rc_auth failed 

Oct 25 11:08:42 sip /usr/local/sbin/openser[7026]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:1537388383@222.255.236.134 ; IP=118.68.249.236 ; ID=d5cd7cdb3db0474abd109bc6f32cb1e6 

Oct 25 11:08:42 sip /usr/local/sbin/openser[7030]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:1637377337@222.255.236.134 ; IP=118.68.249.236 ; ID=c47f153b928f4ef58aa358467571401a 

Oct 25 11:08:42 sip /usr/local/sbin/openser[7026]: radius_www_authorize failed ; M=REGISTER ; F=sip:085490200@222.255.236.134:5080 ; T=sip:085490200@222.255.236.134:5080 ; IP=123.20.122.45 ; ID=175126827-2117117492@192.168.1.252 

Oct 25 11:08:42 sip /usr/local/sbin/openser[7030]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:15353535353@222.255.236.134 ; IP=118.68.249.236 ; ID=4983dc0ebe9146a3b526cb7bdf4e2af8 

Oct 25 11:08:42 sip /usr/local/sbin/openser[7030]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:16436366363@222.255.236.134 ; IP=118.68.249.236 ; ID=60fb3b59ea38405b82c293fddbec68a2 

Oct 25 11:08:42 sip /usr/local/sbin/openser[7026]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:15363737373@222.255.236.134 ; IP=118.68.249.236 ; ID=23625959060e4298a363fe2c1f2e158e 

Oct 25 11:08:42 sip /usr/local/sbin/openser[7026]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:1536376373@222.255.236.134 ; IP=118.68.249.236 ; ID=371d633501174696937d226cd00441b5 

Oct 25 11:08:42 sip /usr/local/sbin/openser[7030]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:25252525522@222.255.236.134 ; IP=118.68.249.236 ; ID=e201bb9ac9d04c10a39c4dd30d9e486a 

Oct 25 11:08:42 sip /usr/local/sbin/openser[7030]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:1537373737@222.255.236.134 ; IP=118.68.249.236 ; ID=f91da93504a34b219c52190fbbc0c568 

Oct 25 11:08:42 sip /usr/local/sbin/openser[7026]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:16363737377@222.255.236.134 ; IP=118.68.249.236 ; ID=74ff9dd4c657462f85d58d2d49280867 

Oct 25 11:08:42 sip /usr/local/sbin/openser[7030]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:1537388383@222.255.236.134 ; IP=118.68.249.236 ; ID=b14674f395d7465c8b70f011ae52e5ca 

Oct 25 11:08:42 sip /usr/local/sbin/openser[7026]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:157637373737@222.255.236.134 ; IP=118.68.249.236 ; ID=9dabcf868220494481e25fd7791b20d0 

Oct 25 11:08:42 sip /usr/local/sbin/openser[7030]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:21314134314134@222.255.236.134 ; IP=118.68.249.236 ; ID=78e1085aaf1848029700fafd504577f7 

Oct 25 11:08:42 sip /usr/local/sbin/openser[7030]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:123434234242@222.255.236.134 ; IP=118.68.249.236 ; ID=34a04f602d5d4a5dbe1c30c9b7d5feff 

Oct 25 11:08:42 sip /usr/local/sbin/openser[7030]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:2134323445@222.255.236.134 ; IP=118.68.249.236 ; ID=48537c44f2c64f72a9599356f89ccd98 

Oct 25 11:08:42 sip /usr/local/sbin/openser[7026]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:123214313413523@222.255.236.134 ; IP=118.68.249.236 ; ID=b81e0fcb53c749e0985fb6bcc8a3c481 

Oct 25 11:08:42 sip /usr/local/sbin/openser[7032]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:1423544254353636@222.255.236.134 ; IP=118.68.249.236 ; ID=1a75beebd9ed42e99c289158a9fe7f29 

Oct 25 11:08:42 sip /usr/local/sbin/openser[7032]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:124141414141@222.255.236.134 ; IP=118.68.249.236 ; ID=13d32b8d0e614a67b1009f0f4adb4a93 

Oct 25 11:08:42 sip /usr/local/sbin/openser[7032]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:5335353535353@222.255.236.134 ; IP=118.68.249.236 ; ID=fa9f422a825e4e679a44fdbd7be0ee60 

Oct 25 11:08:42 sip /usr/local/sbin/openser[7028]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:143214324242@222.255.236.134 ; IP=118.68.249.236 ; ID=e3b56d89b6634e799c76890823bd0abb 

Oct 25 11:08:42 sip /usr/local/sbin/openser[7032]: radius_www_authorize failed ; M=REGISTER ; F=sip:6925802539@sip04.worldfone.com.vn:5080 ; T=sip:6925802539@sip04.worldfone.com.vn:5080 ; IP=113.22.210.197 ; ID=c1c5a1cc-b5ff-1810-9e36-002100248849@192.168.1.109 

Oct 25 11:08:42 sip /usr/local/sbin/openser[7028]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:143214324242@222.255.236.134 ; IP=118.68.249.236 ; ID=7cb1419f1da743f3a04ece8b5cea8188 

Oct 25 11:08:42 sip /usr/local/sbin/openser[7032]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:1632361236@222.255.236.134 ; IP=118.68.249.236 ; ID=86b246147d194a92a05876b0defca828 

Oct 25 11:08:42 sip /usr/local/sbin/openser[7028]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:3831231@222.255.236.134 ; IP=118.68.249.236 ; ID=efcd871a9e29445980879956cb57fe38 

Oct 25 11:08:42 sip /usr/local/sbin/openser[7032]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:482948239@222.255.236.134 ; IP=118.68.249.236 ; ID=718e1d5f545745948db2b885fed79c68 

Oct 25 11:08:42 sip /usr/local/sbin/openser[7028]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:658438428@222.255.236.134 ; IP=118.68.249.236 ; ID=8c03c92a7ac54d5d9f44825175d9646e 

Oct 25 11:08:42 sip /usr/local/sbin/openser[7032]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:387373817@222.255.236.134 ; IP=118.68.249.236 ; ID=36cb8ac8506b44e3af208afabbea526b 

Oct 25 11:08:42 sip /usr/local/sbin/openser[7028]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:742772727@222.255.236.134 ; IP=118.68.249.236 ; ID=b56d6b27587a4a13b59e125996862733 

Oct 25 11:08:43 sip /usr/local/sbin/openser[7032]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:8728732782@222.255.236.134 ; IP=118.68.249.236 ; ID=679be14ab41b4a3abbf24c72a6220da9
I'm not familiar with SIP, but Fail2ban can be made to deal with all kinds of authentication failures. Could you provide a brief description of what exactly is happening here? What service is being denied?

Last edited by win32sux; 11-28-2009 at 06:01 PM.
 
Old 11-28-2009, 10:25 PM   #7
ndduy
LQ Newbie
 
Registered: Nov 2009
Posts: 3

Original Poster
Rep: Reputation: 0
can you write a script for me,please ?

Last edited by ndduy; 11-28-2009 at 11:31 PM.
 
Old 11-28-2009, 11:59 PM   #8
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by ndduy View Post
can you write a script for me,please ?
It would be simple to write a script that would go through a log file in the format of the snippet you posted, and extract the IP in order to execute an iptables blocking command. Is that what you're asking for? If so, are you sure that this wouldn't cause problems for your users? BTW, you still haven't answered any of the questions you've been asked.
 
Old 11-29-2009, 01:17 AM   #9
ndduy
LQ Newbie
 
Registered: Nov 2009
Posts: 3

Original Poster
Rep: Reputation: 0
Hi friends,
I want to write a script to filter attacking IPs. An attacking IP is an IP which makes more than 5 requests per second. Every failed request is stored in the message log, as in log_dos.txt which is attached. In the attached log_dos file, the attacking IP is 118.68.249.236. After filtering the IPs, the script should also tell iptables to drop all packets from them, and also unblock all IPs that are not doing DoS at this time. This script will be set up as a scheduled job which runs every 5 minutes.
Can anyone help me make this script, or give me another way to do it?
Thanks to all

Hi saavik,
I have not tried the sshblack tool yet. I will try it soon and get back to you all.
Thank you
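The script described in this post, as an added example that is not code from the thread or from any poster. It reads lines in the openser format shown earlier, counts the `IP=` field per log second, flags any source that goes over the threshold, and reconciles a dedicated iptables chain against that set so an address that has gone quiet is unblocked on the next run. The chain name DOSBLOCK, the state file path, and the assumption that the syslog timestamp has one-second resolution are mine, not the thread's; the sample log is constructed in the same format as the snippet, not the OP's real file. IPT defaults to a dry run that only prints the iptables commands.

```shell
#!/bin/sh
# Added example (not code from the thread): parse openser log lines for
# "IP=a.b.c.d", flag sources that logged more than THRESHOLD requests in
# one second, and reconcile a dedicated iptables chain against that set.
# Intended to run from cron every 5 minutes:
#   */5 * * * * IPT=iptables /usr/local/sbin/dosblock.sh /var/log/messages
# Assumptions (not from the thread): chain name, state file path, and a
# one-second timestamp resolution. IPT defaults to a dry run.

THRESHOLD=${THRESHOLD:-5}
CHAIN=${CHAIN:-DOSBLOCK}
STATE=${STATE:-/var/lib/dosblock/blocked.txt}
IPT=${IPT:-"echo iptables"}

# find_attackers LOGFILE: print, sorted and unique, every source IP that
# exceeded THRESHOLD requests within any single log second.
find_attackers() {
    awk -v thr="$THRESHOLD" '
        match($0, /IP=[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) {
            ts = $1 " " $2 " " $3                    # "Oct 25 11:08:41"
            ip = substr($0, RSTART + 3, RLENGTH - 3) # drop the "IP=" prefix
            if (++count[ts, ip] > thr && !(ip in flagged)) {
                flagged[ip] = 1
                print ip
            }
        }' "$1" | sort -u
}

# ensure_chain: create the chain once and hook it in front of INPUT.
ensure_chain() {
    $IPT -N "$CHAIN" 2>/dev/null || true
    $IPT -C INPUT -j "$CHAIN" 2>/dev/null || $IPT -I INPUT -j "$CHAIN"
}

# reconcile CURRENT: CURRENT is a sorted file of attackers seen this run.
# Block those not yet in STATE, unblock those in STATE that are no longer
# attacking, then make STATE equal to CURRENT.
reconcile() {
    cur=$1
    mkdir -p "$(dirname "$STATE")"
    [ -f "$STATE" ] || : > "$STATE"
    comm -13 "$STATE" "$cur" | while read -r ip; do
        $IPT -I "$CHAIN" -s "$ip" -j DROP
    done
    comm -23 "$STATE" "$cur" | while read -r ip; do
        $IPT -D "$CHAIN" -s "$ip" -j DROP
    done
    cp "$cur" "$STATE"
}

# write_sample_log FILE: a constructed sample in the thread's log format
# (not the OP's real file): seven INVITEs from one source in one second,
# plus two unrelated lines that must not be flagged.
write_sample_log() {
    i=0
    while [ "$i" -lt 7 ]; do
        printf 'Oct 25 11:08:41 sip /usr/local/sbin/openser[7026]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:16%d@222.255.236.134 ; IP=118.68.249.236 ; ID=%d\n' "$i" "$i"
        i=$((i + 1))
    done >> "$1"
    printf 'Oct 25 11:08:41 sip /usr/local/sbin/openser[7015]: radius_www_authorize failed ; M=REGISTER ; F=sip:697891317686@sip.worldfone.com.vn ; T=sip:697891317686@sip.worldfone.com.vn ; IP=222.254.192.230 ; ID=x\n' >> "$1"
    printf 'Oct 25 11:08:41 sip rtpproxy[19983]: INFO:handle_command: delete request failed: session not found\n' >> "$1"
}

# Entry point: dosblock.sh LOGFILE. With no argument only the functions
# are defined, so the file can be sourced from a test.
if [ -n "${1:-}" ]; then
    ensure_chain
    cur=$(mktemp)
    find_attackers "$1" > "$cur"
    reconcile "$cur"
    rm -f "$cur"
fi
```

Before switching IPT to the real binary, run it once in dry-run mode against the actual log and read the commands it prints: as the following replies point out, it pays to confirm that 118.68.249.236 is an outside attacker and not one of your own devices before a cron job starts dropping it every five minutes.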
 
Old 11-29-2009, 07:30 AM   #10
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Rep: Reputation: 897
Quote:
Originally Posted by win32sux View Post
It would be simple to write a script that would go through a log file in the format of the snippet you posted, and extract the IP in order to execute an iptables blocking command. Is that what you're asking for?
Well that log file looks like SIP is in use, or attempted use, and that it is failing to be authorised by radius. (I'm assuming that the fragment posted by win32sux is from the OP's link; I won't follow these except under very limited circumstances, for security reasons, so thanks to win32sux for solving that problem for me.)

Superficially, that doesn't look like a DDoS attack, but may be someone attempting to use VoIP (calling SIP...the Session Initiation Protocol, so presumably in an attempt to initiate a session) internally, maybe in an unauthorised manner. (So, it looks to me as if the problem is not that you have someone externally attempting to mount a DDoS attack, but you do have someone internal trying to use something like a VoIP/SIP device, without facilities for that being set up on your network. If the OP does get someone to write an anti-DDoS script, and that interpretation is correct, then the script will do no good whatsoever....but then I am guessing because the OP has said nothing about the address ranges in use, or given useful information on any of the subjects that would help people understand what is going on. The OP should note that it is the OP's responsibility to provide helpful information so that people who want to help can succeed in their aim.)

Quote:
BTW, you still haven't answered any of the questions you've been asked.
An excellent point; if the OP wants to write a script themselves, they can just ask a few questions and get on with it. On the other hand, if the OP wants someone else to write a script for them -for example:
Quote:
can you write a script for me,please ?
then the OP is going to have to start answering questions, otherwise this is just a waste of time.

In addition, it would be nice if the OP were to give a clear statement of the reasons that this is thought to be a DDoS attack, because there are some reasons for thinking that this is a misinterpretation.

Sorry, missed OP's latest, but, even so
Quote:
ip attack is 118.68.249.23
is completely ambiguous. When making such statements you should be careful to distinguish between the attacking IP and the attacked IP. Looking at the log snippet, I interpret that as the attacked IP, but does the OP share that interpretation? Is that an IP that the OP knows to be in the range that is used on the network in question?

If the real issue is that someone else's VoIP-type device is using the OP's network to try to get through to worldfone, that would be a different problem and warrant a completely different solution.

Last edited by salasi; 11-29-2009 at 07:41 AM. Reason: additional information
 
1 members found this post helpful.
Old 11-29-2009, 10:47 AM   #11
JK3mp
Member
 
Registered: May 2009
Distribution: Slackware 13.0
Posts: 30

Rep: Reputation: 15
I agree with the above, it would be simple to do but make sure that in blocking the DDoS you are not also blocking legitimate traffic on the network in question. I also agree that it doesn't look like much of a DDoS attack.
 
Old 11-29-2009, 11:12 AM   #12
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Rep: Reputation: 897
Well, having thought about this a little more, it doesn't seem, from the fragment above, to be distributed, it does not try to deny service, and it's probably not an attack (it might just be a brute force on your radius server, but that seems unlikely as it looks like a legitimate attempt to auth with that). So it seems the OP was wrong on either two and a half, or three, out of three.

My bet is, while there is a possibility that person or persons unknown have tried to connect something that uses SIP (either a phone or something like a whiteboarding/'net meeting' style application)...or, maybe, a person known.

To the OP; there is a large stack of personal embarrassment points available if you have recently plugged in a VoIP phone or installed a net meeting conferencing app, to the network, and you must have known that you were doing this. There is a smaller pile of embarrassment points available if you have had a WiFi equipped phone in and it has automagically tried to connect to the wireless network and there is no way that you would have known, necessarily, or you can blame someone else for this.

If I am right, there is no point in a script to block a DDoS attack if there isn't a DDoS. Even if it is a different attack, understand what it is before blocking things at random.
 
Old 11-29-2009, 02:47 PM   #13
Smartpatrol
Member
 
Registered: Sep 2009
Posts: 196

Rep: Reputation: 38
...

Last edited by Smartpatrol; 03-11-2010 at 09:51 PM.
 