Help me. My server is being attacked by DDoS
I want to write a script to use against DDoS, but I'm a newbie and I can't do it.
I have a log file www.mediafire.com/?yz2njlm0kzj . I want to read the DDoS IP address from the log file, and after that I want to add that IP to the firewall. I can do it by hand, but I want a script that can autorun every 5 min on my server. Thanks. |
Hi men,
Do you really want us to understand what you want to do? What script do you want to write? Do you want to block the IP address which is trying to attack you? |
I believe iptables + ipchains can do this on its own if properly configured. The only true way to negate DDoS attacks is to have an external firewall that filters and stops the packets before they reach the target machine.
|
You could use something like that:
http://www.pettingers.org/code/sshblack.html or you could tell iptables to let a client connect to the server only 5 times in a second. SYN-flood protection:
Code:
# iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
OK, that should help if you edit it. |
Here's a copy of the log file snippet, in order to make things simpler:
Code:
Oct 25 11:08:41 sip /usr/local/sbin/openser[7026]: radius_proxy_authorize ; M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:16436366363@222.255.236.134 ; IP=118.68.249.236 ; ID=e378ead83d794dfa821b40553f113baa |
Can you write a script for me, please?
|
Hi friends,
I want to write a script to filter attacking IPs. An attacking IP is an IP which makes more than 5 requests per second. Every failed request is stored in the message log as log_dos.txt, which is attached. In the attached log_dos file, the attacking IP is 118.68.249.236. After filtering the IPs, the script should also ask iptables to drop all packets from them, and also unblock all IPs that are not DoSing at that time. This script will be set up on a schedule which runs every 5 minutes. Can anyone help me make this script or give me another way to do it? Thanks to all |
Hi saavik, I have not tried the sshblack tool yet. I will try it soon and get back to you all. Thank you |
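The detection and block/unblock logic the post above asks for, as an added example that is not from the thread or any poster: it parses the openser log format quoted earlier, flags IPs with more than 5 requests in any one second, and diffs that set against what is already blocked. The sample log is constructed (the 10.0.0.7 address is made up), and the script only prints the iptables commands for review instead of running them.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# Matches the openser/radius_proxy_authorize line format quoted in the thread:
# "<Mon> <day> <HH:MM:SS> ... ; IP=<a.b.c.d> ; ID=<hex>"
LOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?\bIP=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample log (not the OP's attachment): six INVITEs from
# 118.68.249.236 in the same second, one from a made-up 10.0.0.7.
LINE = ("Oct 25 11:08:{sec:02d} sip /usr/local/sbin/openser[7026]: radius_proxy_authorize ; "
        "M=INVITE ; F=sip:6943646285@222.255.236.134 ; T=sip:16436366363@222.255.236.134 ; "
        "IP={ip} ; ID={cid:032x}")
SAMPLE_LOG = "\n".join([LINE.format(sec=41, ip="118.68.249.236", cid=i) for i in range(6)]
                       + [LINE.format(sec=42, ip="10.0.0.7", cid=99)])


def requests_per_second(log_text: str) -> Dict[str, Dict[str, int]]:
    """Return {ip: {timestamp: count}} for every parseable line."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:  # lines in another format are skipped rather than crashing the cron job
            counts[m["ip"]][m["ts"]] += 1
    return counts


def find_flooders(log_text: str, threshold: int = 5) -> Set[str]:
    """IPs that made MORE than `threshold` requests within any single second."""
    return {ip for ip, per_sec in requests_per_second(log_text).items()
            if max(per_sec.values()) > threshold}


def plan_rules(flooders: Set[str], currently_blocked: Iterable[str]) -> List[str]:
    """Diff the wanted block set against what is already blocked (dry run).

    Inserts DROP rules for new offenders and deletes the rules of IPs that no
    longer flood, so a run every 5 minutes converges on the current offenders.
    """
    blocked = set(currently_blocked)
    cmds = [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(flooders - blocked)]
    cmds += [f"iptables -D INPUT -s {ip} -j DROP" for ip in sorted(blocked - flooders)]
    return cmds


if __name__ == "__main__":
    for cmd in plan_rules(find_flooders(SAMPLE_LOG), currently_blocked=set()):
        print(cmd)  # review first; only then execute, e.g. with subprocess.run(cmd.split())
```

Feed it the real file with `find_flooders(open("/var/log/messages").read())` and persist the blocked set between runs (a small state file is enough) so the unblock step knows what it added earlier.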
Superficially, that doesn't look like a DDoS attack, but may be someone attempting to use VoIP (calling SIP, the Session Initiation Protocol, so presumably in an attempt to initiate a session) internally, maybe in an unauthorised manner. (So, it looks to me as if the problem is not that you have someone externally attempting to mount a DDoS attack, but you do have someone internal trying to use something like a VoIP/SIP device, without facilities for that being set up on your network. If the OP does get someone to write an anti-DDoS script, and that interpretation is correct, then the script will do no good whatsoever... but then I am guessing, because the OP has said nothing about the address ranges in use, or given useful information on any of the subjects that would help people understand what is going on. The OP should note that it is the OP's responsibility to provide helpful information so that people who want to help can succeed in their aim.)
In addition, it would be nice if the OP were to give a clear statement of the reasons that this is thought to be a DDoS attack, because there are some reasons for thinking that this is a misinterpretation. Sorry, missed the OP's latest, but, even so:
If the real issue is that someone else's VoIP-type device is using the OP's network to try to get through to worldphone, that would be a different problem and warrant a completely different solution. |
I agree with the above; it would be simple to do, but make sure that in blocking the DDoS you are not also blocking legitimate traffic on the network in question. I also agree that it doesn't look like much of a DDoS attack.
|
Well, having thought about this a little more, it doesn't seem, from the fragment above, to be distributed, it does not try to deny service, and it's probably not an attack (it might just be a brute force on your RADIUS server, but that seems unlikely, as it looks like a legitimate attempt to auth with that). So it seems the OP was wrong on either two and a half, or three, out of three.
My bet is, while there is a possibility that person or persons unknown have tried to connect something that uses SIP (either a phone or something like a whiteboarding/'net meeting' style application)... or, maybe, a person known. To the OP: there is a large stack of personal embarrassment points available if you have recently plugged a VoIP phone into the network or installed a net meeting conferencing app, and you must have known that you were doing this. There is a smaller pile of embarrassment points available if you have had a WiFi-equipped phone in and it has automagically tried to connect to the wireless network, and there is no way that you would necessarily have known, or you can blame someone else for this. If I am right, there is no point in a script to block a DDoS attack if there isn't a DDoS. Even if it is a different attack, understand what it is before blocking things at random. |