Re: Urgent: Under attack - need tcpdrop help
On 5/24/11 10:29 PM, Andy Wodfer wrote:
> Hi,
>
> One of my FreeBSD servers is currently being attacked (DDOS) and I'm blocking IP addresses in my firewall. However, there are a large number of hung tcp connections and I want them gone.
>
> Can anyone help me with a script (command line) that can read a netstat -n and tcpdrop all IP addresses that have more than 10 connections, or a more manual command where I can input an IP and it will drop all connections from that IP regardless of port?
>
> Thanks in advance! Shell scripting isn't what I'm best at, unfortunately ...
>
> Andy

Basically, if the attacker is sending spoofed TCP packets, it leaves your box expecting the rest of the TCP handshake, which will never arrive. Firewalling these will not work because you'd be blocking possibly thousands of spoofed addresses, and you'll fill your firewall's tables.

Your upstream network provider should be equipped with anti-DDOS hardware, and your best move is to actually contact their NOC to have some mitigation measures put in place.

What firewall are you running on the 6.3 box?

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Urgent: Under attack - need tcpdrop help
On 5/24/11 10:53 PM, Alejandro Imass wrote:
> On Tue, May 24, 2011 at 4:29 PM, Andy Wodfer <wod...@gmail.com> wrote:
>> Hi,
>>
>> One of my FreeBSD servers is currently being attacked (DDOS) and I'm blocking IP addresses in my firewall. However, there are a large number of hung tcp connections and I want them gone.
>
> I know it's not what you're asking, but for the future try fail2ban. I can gladly post a simple how-to here for FreeBSD. It's a very simple solution, but I have been keeping off pests quite well with fail2ban. I think it's an awesome and simple framework to automatically ban IPs, and they just move on to the next server. In fact you can see the bannings diminish in time, as they are the ones that get tired ;-)
>
> Good luck,
>
> --
> Alejandro Imass

There is no need for fail2ban on FreeBSD; one may install sshguard from the ports, which interacts with the firewalls (IPFW, PF...) or the allow/deny files.
Re: Urgent: Under attack - need tcpdrop help
Thanks! That would work on all my servers except this one ... which runs 6.3 STABLE (due to some old services requiring old software).

Any other suggestions?

Thanks!
Andy

On Tue, May 24, 2011 at 10:42 PM, Greg Larkin <glar...@freebsd.org> wrote:
> On 5/24/11 4:29 PM, Andy Wodfer wrote:
>> One of my FreeBSD servers is currently being attacked (DDOS) and I'm blocking IP addresses in my firewall. However, there are a large number of hung tcp connections and I want them gone.
>>
>> Can anyone help me with a script (command line) that can read a netstat -n and tcpdrop all IP addresses that have more than 10 connections, or a more manual command where I can input an IP and it will drop all connections from that IP regardless of port?
>
> Hi Andy,
>
> This will drop all connections to/from IP address 192.168.22.22:
>
> tcpdrop -l -a | grep 192.168.22.22 | sh
>
> Just substitute your desired IP address, and that will do the trick.
>
> Good luck,
> Greg
>
> --
> Greg Larkin
> http://www.FreeBSD.org/ - The Power To Serve
> http://www.sourcehosting.net/ - Ready. Set. Code.
> http://twitter.com/cpucycle/ - Follow you, follow me
Re: Urgent: Under attack - need tcpdrop help
On Tue, May 24, 2011 at 4:29 PM, Andy Wodfer <wod...@gmail.com> wrote:
> Hi,
>
> One of my FreeBSD servers is currently being attacked (DDOS) and I'm blocking IP addresses in my firewall. However, there are a large number of hung tcp connections and I want them gone.

I know it's not what you're asking, but for the future try fail2ban. I can gladly post a simple how-to here for FreeBSD. It's a very simple solution, but I have been keeping off pests quite well with fail2ban. I think it's an awesome and simple framework to automatically ban IPs, and they just move on to the next server. In fact you can see the bannings diminish in time, as they are the ones that get tired ;-)

Good luck,

--
Alejandro Imass
Re: Urgent: Under attack - need tcpdrop help
On 5/24/11 4:48 PM, Andy Wodfer wrote:
> Thanks! That would work on all my servers except this one ... which runs 6.3 STABLE (due to some old services requiring old software).
>
> Any other suggestions?

Ok, here goes:

netstat -an | grep ^tcp | grep -v LISTEN |
awk '{ print $5 }' |
egrep -v '^(172\.16|192\.168|127\.0)' |
cut -f1-4 -d\. |
awk '{ a[$1]++ } END { for (i in a) { if (a[i] > 10) { print i; } } }' |
xargs -n1 -I % sh -c 'sockstat -c | grep %' |
awk '{ print $6, $7 }' |
sed -e 's/:/ /g' -e 's/^/tcpdrop /'

Paste that all on one line, and it should print (but not execute!) tcpdrop commands for IPs that have more than 10 connections to your server. The commands will work on 6.x and later versions of the OS, since it doesn't use tcpdrop -l -a.

If you like the output and want to actually run the tcpdrop commands, add | sh to the end of the pipeline.

YMMV, because I didn't actually execute the commands. I just printed the tcpdrop commands, and they looked good.

Good luck,
Greg

> On Tue, May 24, 2011 at 10:42 PM, Greg Larkin <glar...@freebsd.org> wrote:
>> Hi Andy,
>>
>> This will drop all connections to/from IP address 192.168.22.22:
>>
>> tcpdrop -l -a | grep 192.168.22.22 | sh
>>
>> Just substitute your desired IP address, and that will do the trick.

--
Greg Larkin
http://www.FreeBSD.org/ - The Power To Serve
http://www.sourcehosting.net/ - Ready. Set. Code.
http://twitter.com/cpucycle/ - Follow you, follow me
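The pipeline in Greg's reply has to round-trip through sockstat because it throws away the local endpoint after reading netstat. The script below is an added example, not code from the thread or from Greg: it reads `netstat -an` output once, keeps both endpoints of every non-listening IPv4 socket, counts connections per foreign IP, and emits `tcpdrop laddr lport faddr fport` for every connection from any IP over the threshold (the first thing Andy asked for), or for a single named IP regardless of port (the second). It assumes FreeBSD's `netstat -an` column layout (`tcp4`, Recv-Q, Send-Q, local, foreign, state, with the port as the last dot-separated field of each address); the sample output, the function names `gen_tcpdrop` and `gen_tcpdrop_ip`, and the `SKIP_RE` list are all mine and constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): build tcpdrop(8) commands from
# `netstat -an` output. Assumes FreeBSD's IPv4 column layout:
#   tcp4  Recv-Q  Send-Q  a.b.c.d.lport  w.x.y.z.fport  STATE
# Commands are printed, not executed; pipe the result into sh to act.

# Constructed sample of `netstat -an` output (not captured from a real host).
NETSTAT_SAMPLE='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.0.0.5.80            203.0.113.9.40001      SYN_RCVD
tcp4       0      0  10.0.0.5.80            203.0.113.9.40002      SYN_RCVD
tcp4       0      0  10.0.0.5.443           203.0.113.9.40003      ESTABLISHED
tcp4       0      0  10.0.0.5.80            198.51.100.7.51234     ESTABLISHED
tcp4       0      0  10.0.0.5.22            192.168.1.2.60001      ESTABLISHED
tcp4       0      0  10.0.0.5.22            192.168.1.2.60002      ESTABLISHED
tcp4       0      0  10.0.0.5.22            192.168.1.2.60003      ESTABLISHED
tcp4       0      0  *.22                   *.*                    LISTEN
tcp6       0      0  *.22                   *.*                    LISTEN'

# Foreign addresses never dropped in threshold mode: loopback and RFC 1918.
# Written with [.] rather than \. because awk -v rewrites escape sequences.
SKIP_RE='^(127[.]|10[.]|192[.]168[.]|172[.](1[6-9]|2[0-9]|3[01])[.])'

# Shared awk program. Variables: thr (connections per foreign IP above which
# we act), only (a single foreign IP to target; empty for threshold mode),
# skip (ERE of foreign IPs to leave alone in threshold mode).
_TCPDROP_AWK='
/^tcp4/ && $6 != "LISTEN" {
    nl = split($4, l, "[.]"); nf = split($5, f, "[.]")
    if (nl != 5 || nf != 5) next          # wildcard or malformed endpoint
    lip = l[1] "." l[2] "." l[3] "." l[4]
    fip = f[1] "." f[2] "." f[3] "." f[4]
    if (only != "" && fip != only) next   # single-IP mode: exact match only
    if (only == "" && fip ~ skip) next    # threshold mode honours the skip list
    count[fip]++
    cmd[NR] = "tcpdrop " lip " " l[5] " " fip " " f[5]
    who[NR] = fip
}
END {
    # Walk by input line number so the output order is deterministic.
    for (i = 1; i <= NR; i++)
        if (i in cmd && count[who[i]] > thr) print cmd[i]
}'

# gen_tcpdrop [THRESHOLD]: one tcpdrop command per connection from every
# foreign IP holding more than THRESHOLD (default 10) connections.
gen_tcpdrop() {
    awk -v thr="${1:-10}" -v only="" -v skip="$SKIP_RE" "$_TCPDROP_AWK"
}

# gen_tcpdrop_ip IP: one tcpdrop command per connection from IP, any port.
gen_tcpdrop_ip() {
    awk -v thr=0 -v only="$1" -v skip="" "$_TCPDROP_AWK"
}

# Demo on the constructed sample with threshold 2. On a live box:
#   netstat -an | gen_tcpdrop 10          (review, then append "| sh")
printf '%s\n' "$NETSTAT_SAMPLE" | gen_tcpdrop 2
```

Two points worth noting for a box under a spoofed SYN flood. First, the half-open entries sit in SYN_RCVD and come from addresses that may never repeat, so a per-IP threshold only catches the attackers (or proxies) that reuse a source; the script deliberately keeps SYN_RCVD rows so those do get dropped. Second, the awk compares whole addresses, whereas `grep 192.168.22.22` on netstat or tcpdrop output also matches 192.168.22.220 and similar superstrings, which matters when the pipeline ends in `| sh`.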
Re: Urgent: Under attack - need tcpdrop help
Thanks a lot! That was very helpful! Things have calmed down now. However, I was surprised to see how quickly the tcp connections came back in netstat. Have to take a closer look at my firewall, I guess.

Cheers!
Andy

On Tue, May 24, 2011 at 11:00 PM, Greg Larkin <glar...@freebsd.org> wrote:
> On 5/24/11 4:48 PM, Andy Wodfer wrote:
>> Thanks! That would work on all my servers except this one ... which runs 6.3 STABLE (due to some old services requiring old software).
>>
>> Any other suggestions?
>
> Ok, here goes:
>
> [pipeline snipped]
>
> Paste that all on one line, and it should print (but not execute!) tcpdrop commands for IPs that have more than 10 connections to your server. The commands will work on 6.x and later versions of the OS, since it doesn't use tcpdrop -l -a.
>
> If you like the output and want to actually run the tcpdrop commands, add | sh to the end of the pipeline.
>
> YMMV, because I didn't actually execute the commands. I just printed the tcpdrop commands, and they looked good.
>
> Good luck,
> Greg
RE: Urgent: Under attack - need tcpdrop help
FWIW, you may also try null routing the suspicious / bad IP ranges vs. adding to firewall confs. Typically far less overhead, and perhaps easier. YMMV.

G

-----Original Message-----
From: owner-freebsd-questi...@freebsd.org [mailto:owner-freebsd-questi...@freebsd.org] On Behalf Of Andy Wodfer
Sent: Tuesday, May 24, 2011 5:10 PM
To: glar...@freebsd.org
Cc: freebsd-questions
Subject: Re: Urgent: Under attack - need tcpdrop help

Thanks a lot! That was very helpful! Things have calmed down now. However, I was surprised to see how quickly the tcp connections came back in netstat. Have to take a closer look at my firewall, I guess.

Cheers!
Andy

On Tue, May 24, 2011 at 11:00 PM, Greg Larkin <glar...@freebsd.org> wrote:
> On 5/24/11 4:48 PM, Andy Wodfer wrote:
>> Thanks! That would work on all my servers except this one ... which runs 6.3 STABLE (due to some old services requiring old software).
>>
>> Any other suggestions?
>
> Ok, here goes:
>
> [pipeline snipped]
>
> Paste that all on one line, and it should print (but not execute!) tcpdrop commands for IPs that have more than 10 connections to your server. The commands will work on 6.x and later versions of the OS, since it doesn't use tcpdrop -l -a.
>
> If you like the output and want to actually run the tcpdrop commands, add | sh to the end of the pipeline.
>
> Good luck,
> Greg