Re: [Hampshire] DDoS survival strategies

Author: Ian Grody
Date:  
To: lug, Hampshire LUG Discussion List
Subject: Re: [Hampshire] DDoS survival strategies
Turn off your router & wait it out. Most ISPs will disconnect your session in
the event of DDoS anyway.

Unless the DDoS is not saturating all your available bandwidth, you just make
sure your firewalls and hosts do not send ICMP Port/Dest/Host/Net Unreachable
or TCP resets. Blackhole everything that would normally be dropped and you
prevent returning packets.

There is little more you can do than wait them out.

Usually best just to turn the router off, especially if it counts towards an
AUP or unit system or the like. If the router is off, no traffic can be sent down
your line.


On Monday 05 September 2011 16:21:43 Damian L Brasher wrote:
> Hi List
>
> As a sys admin, depending on the scope of your responsibilities, it is
> sometimes necessary to diagnose DDoS - distributed denial of service -
> attacks and attempt to resolve them.
>
> This is a simple script I use to check apache logs for signs of website
> DDoS, [1] walk-through below:
>
> #!/bin/bash
>
> FILE=access_log
> for ip in $(cat "$FILE" | cut -d ' ' -f 1 | sort | uniq);
> # trailing space after $ip: match the whole address, not a prefix (1.2.3.4 vs 1.2.3.45)
> do { COUNT=$(grep -c "^$ip " "$FILE");
> if [[ "$COUNT" -gt 10 ]]; then echo "$COUNT: $ip";
> fi }; done
>
> Some general questions to discuss, I have reserved thoughts and
> knowledge, but would like to read other peoples comments too:
>
> What general growing problems do systems engineers face in the future?
>
> Will IPv6 reduce DDoS attack success or enhance the attacker's tool kits?
>
> Can we reassure customers that they will not lose business to DDoS
> without investing large amounts of capital in security technologies?
>
> What do you think? - is DDoS a global or local problem; or both?
>
> Is anyone able to share scripts like the one above?
>
>
>
> Damian
>
>
>
> [1] Simple script I use to check apache logs for signs of website DDoS
> walk-through (can be copied and pasted into a text file and renamed
> 'ddos_check.sh' then chmod +x ddos_check.sh):
>
>
> (invoke the bash interpreter)
>
> #!/bin/bash
>
> (access_log can be replaced with any apache log file name)
>
> FILE=access_log
>
> (cat concatenates the log file, then cut takes the first field - which
> is the hit IP address. This could be a visitor, bot or malicious IP. The
> IP addresses are sorted for clarity, and only unique IPs are moved on for
> processing)
>
> for ip in $(cat "$FILE" | cut -d ' ' -f 1 | sort | uniq);
>
> (the variable COUNT is filled with the resulting IP address from the
> processed log file output and the number of IP instances calculated)
>
> do { COUNT=$(grep -c "^$ip " "$FILE");
>
> (if the number of IP instances is over 10 - this will normally be set to
> 1000's - then the IP address and number of instances in the log file is
> printed to standard output)
>
> if [[ "$COUNT" -gt 10 ]]; then echo "$COUNT: $ip";
>
> (end of script)
>
> fi }; done
>
> You can see IPs that are hammering your web-site: use whois to glean
> more information, then check for repetition patterns. For Linux use
> firewall and/or tcpwrappers to block.
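As an added example (not from either poster), the same per-IP hit count done in a single awk pass, plus a per-minute variant that surfaces a burst inside a log that spans days. Matching on the whole first field avoids the prefix problem of `grep "^$ip"`, where 203.0.113.5 would also count lines from 203.0.113.50. The log lines and addresses below are constructed sample data; point the functions at your own access_log.

```shell
#!/bin/sh
# Constructed sample access_log (Apache combined format), written to a temp file.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [05/Sep/2011:16:21:43 +0100] "GET / HTTP/1.1" 200 512 "-" "curl/7.21"
203.0.113.5 - - [05/Sep/2011:16:21:43 +0100] "GET / HTTP/1.1" 200 512 "-" "curl/7.21"
203.0.113.5 - - [05/Sep/2011:16:21:44 +0100] "GET / HTTP/1.1" 200 512 "-" "curl/7.21"
203.0.113.50 - - [05/Sep/2011:16:21:44 +0100] "GET /about HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Sep/2011:16:22:01 +0100] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
EOF

# ddos_check LOGFILE THRESHOLD
# One pass over the log: count hits per client IP ($1 is the whole address,
# so 203.0.113.5 and 203.0.113.50 are kept apart) and print "COUNT IP" for
# every address with more than THRESHOLD hits, busiest first.
ddos_check() {
    awk -v threshold="$2" '
        { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] > threshold) print hits[ip], ip }
    ' "$1" | sort -rn
}

# ddos_check_per_minute LOGFILE THRESHOLD
# Same count, but keyed on IP plus the minute taken from the Apache timestamp
# field "[05/Sep/2011:16:21:43 +0100]" (substr skips the "[" and stops before
# the seconds).  Prints "COUNT IP DD/Mon/YYYY:HH:MM", so a short burst stands
# out even when the log covers a long period.
ddos_check_per_minute() {
    awk -v threshold="$2" '
        { key = $1 " " substr($4, 2, 17); hits[key]++ }
        END { for (k in hits) if (hits[k] > threshold) print hits[k], k }
    ' "$1" | sort -rn
}

# Stand-alone run on the sample: threshold 2 flags only 203.0.113.5.
ddos_check "$SAMPLE_LOG" 2
ddos_check_per_minute "$SAMPLE_LOG" 2
```

In practice the threshold is tuned to the site's normal traffic (the original post mentions values in the thousands), and the per-minute output is the one to compare against a known-good period before blocking anything.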