Tuesday, August 11, 2009

Slowloris DDOS prevention

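#!/bin/sh
#
# Slowloris / connection-flood watchdog (meant to run from cron).
#
# Counts ESTABLISHED TCP connections to local ports 80 and 443 per remote
# IPv4 address, mails an alert for every address whose count exceeds LIMIT,
# and then comments this job out of the crontab so the alert is sent once
# rather than on every run. Dropping the address with iptables is left
# commented out, as in the original; uncomment it only if automatic
# blocking is acceptable (a NAT gateway or proxy in front of many users
# can legitimately hold many connections and would be blocked wholesale).
#
# Environment (all optional):
#   LIMIT     connections from one address that trigger the alert (100)
#   MAIL_TO   alert recipient
#   CRONTAB   crontab file in which this job is disabled (/etc/crontab)
#
# Edit the sed pattern below so that "this_script.sh" is the name under
# which this script appears in CRONTAB. Editing CRONTAB (and iptables, if
# enabled) requires root.
#
# Only IPv4 peers are counted: the grep pattern matches dotted-quad
# addresses, so IPv6 connections are silently ignored.

set -eu

LIMIT="${LIMIT:-100}"
MAIL_TO="${MAIL_TO:-me@someemailaddress.com}"
CRONTAB="${CRONTAB:-/etc/crontab}"

command -v netstat >/dev/null 2>&1 || {
  printf '%s\n' "netstat not found" >&2
  exit 1
}

# Print the remote IPv4 address of every ESTABLISHED connection to local
# port 80 or 443, one per line.
#
# netstat -n lines look like "tcp recvq sendq local:port remote:port STATE";
# splitting on runs of blanks and ':' makes the remote address field 6.
# The pattern is kept on a single line on purpose: a line break inside a
# grep pattern splits it into two patterns, and the resulting empty second
# pattern matches every line, which defeats the filter.
# A plain pipeline replaces the eval'd command string: nothing here is
# built at runtime, so eval added only a quoting hazard.
established_clients() {
  netstat -n \
    | grep -E 'tcp.*[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*:(80|443)[ ]*[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*:[0-9]*[ ]*ESTABLISHED' \
    | awk -F'[ \t:]+' '{ print $6 }'
}

# "uniq -c" prints "<count> <ip>"; read strips the leading blanks.
established_clients | sort | uniq -c | while read -r numconn ip
do
  # Skip anything that is not "<count> <ip>": a non-numeric count would
  # make "[ -gt ]" fail with an error instead of comparing.
  case "$numconn" in
    ''|*[!0-9]*) continue ;;
  esac
  [ -n "$ip" ] || continue

  if [ "$numconn" -gt "$LIMIT" ]; then
    printf '%s\n' "Check ASAP and renable this cron." \
      | mail -s "IP $ip - ($numconn) went over $LIMIT connections on $(hostname)" "$MAIL_TO"

    # Disable this cron entry so the mailbox is not flooded on every run;
    # the operator re-enables it by hand after investigating.
    # "sed -i" is a GNU extension (BSD sed needs -i '').
    sed -i 's/\(^\*.*this_script.sh*\)/#\1/g' "$CRONTAB"

    # Automatic blocking, disabled by default (see header).
    # /sbin/iptables -I INPUT -s "$ip" -j DROP
  fi
done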
