
Bash script to block IPs during a DDoS attack

This article presents a Bash script to block IPs during a DDoS attack. Use the script below to block IP addresses that are making too many connections (here, more than 30 connections involving port 80).

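#!/bin/bash
# Block every remote IP holding more than 30 connections that involve port 80.

# Start from an empty list on each run.
if [ -e ip-list.txt ]
then
    rm -f ip-list.txt
fi

# Count connections per remote address (column 5) and keep the IPs above the limit.
netstat -tpn | grep :80 | awk '{print $5}' | cut -d ':' -f 1 | sort | uniq -c | sort -n -k 1 | awk '{if ($1 > 30) {print $2}}' >> ip-list.txt

# Deny each listed IP in CSF, discarding the command's output.
if [ -s ip-list.txt ]
then
    for ip in $(cat ip-list.txt)
    do
        /usr/sbin/csf -d "$ip" >/dev/null 2>&1
    done
fi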
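
The counting step above uses `grep :80`, which also matches port 8080 and outbound connections to a remote port 80. The following dry-run variant is an added example, not part of the original article: it counts only connections whose local port is 80, accepts only well-formed IPv4 addresses, skips an allowlist, and prints the csf commands instead of running them. THRESHOLD, PORT, ALLOWLIST, the function names and the sample connections are assumptions constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the original article). THRESHOLD, PORT and ALLOWLIST
# are assumed values; the function names are hypothetical.
THRESHOLD=30
PORT=80
ALLOWLIST="127.0.0.1 203.0.113.10"   # constructed: addresses that must never be blocked

# Read `netstat -tn` style lines on stdin; print remote IPv4 addresses holding
# more than THRESHOLD connections to local port PORT, one per line.
find_offenders() {
    awk -v port="$PORT" -v limit="$THRESHOLD" -v allow="$ALLOWLIST" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        $1 ~ /^tcp/ && $4 ~ (":" port "$") {    # local address must end in :PORT
            ip = $5; sub(/:[0-9]+$/, "", ip)    # strip the remote port
            # count only well-formed dotted-quad IPv4 addresses off the allowlist
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !(ip in skip)) count[ip]++
        }
        END { for (ip in count) if (count[ip] > limit) print ip }
    ' | sort
}

# Constructed sample input using documentation-range addresses, not real traffic.
sample_netstat() {
    local i
    for i in $(seq 1 35); do
        echo "tcp 0 0 192.0.2.5:80 198.51.100.7:$((40000 + i)) ESTABLISHED -"    # heavy client
        echo "tcp 0 0 192.0.2.5:80 203.0.113.10:$((50000 + i)) ESTABLISHED -"    # allowlisted
        echo "tcp 0 0 192.0.2.5:8080 198.51.100.9:$((41000 + i)) ESTABLISHED -"  # port 8080, not 80
        echo "tcp 0 0 192.0.2.5:$((52000 + i)) 198.51.100.20:80 ESTABLISHED -"   # outbound to remote :80
    done
    echo "tcp 0 0 192.0.2.5:80 198.51.100.30:40001 TIME_WAIT -"                  # light client
}

# Dry run: print the csf command for each offender instead of executing it.
block_commands() {
    local ip
    while read -r ip; do
        echo "/usr/sbin/csf -d $ip"
    done
}

sample_netstat | find_offenders | block_commands
```

On a live server, replace `sample_netstat` with `netstat -tn` and review the printed commands before executing them.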

Sometimes a massive DDoS attack cannot be stopped with the CSF firewall because of the heavy volume of connections arriving in a short time period. In such cases, you need to “grep” the attack pattern from the domlogs and then block the matching IPs via iptables using the following script.

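#!/bin/bash
# Collect the unique client IPs (first field) from the last 5000 log lines matching the attack pattern.
iplist=$(tail -5000 /usr/local/apache/domlogs/domain.com | grep "Pattern" | awk '{print $1}' | sort -u)
# Drop all TCP and UDP traffic from each of those addresses.
for address in ${iplist}; do
    iptables -I INPUT -p tcp -s "${address}" -j DROP
    iptables -I INPUT -p udp -s "${address}" -j DROP
done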

We highly recommend that you open a ticket via your Client Area whenever you see a DDoS attack.
