Code:
#!/bin/bash
# Must run as root: "route add" changes the kernel routing table.
# Line 1: keep only half-open (SYN_RECV) connections to port 80 of this server.
netstat -tn | grep SYN_RECV | grep '62.75.148.170:80' > syn.txt
# Line 2: replace the leading columns (proto, Recv-Q, Send-Q, local address)
# with the route command; [[:space:]]+ matches however many spaces netstat prints.
sed -E 's/^tcp[[:space:]]+[0-9]+[[:space:]]+[0-9]+[[:space:]]+62\.75\.148\.170:80[[:space:]]+/route add -host /' syn.txt > output1
# Line 3: drop everything from the colon after the remote IP (source port + state)
# and append "reject".
sed 's/:.*/ reject/' output1 > output2
chmod +x output2
./output2
rm syn.txt
rm output*
In the netstat command (line 1) the output of netstat -tn is filtered so only connections in SYN_RECV state are captured; that output is filtered again so only SYN_RECV connections to port 80 of the server are written to a file (syn.txt).
In the first sed (line 2) the text at the beginning of each line of the netstat output (protocol, queue counters and local address) is replaced with "route add -host ".
In the second sed (line 3) the rest of each line, beginning at the : after the remote IP (i.e. the source port and the state), is replaced with " reject".
The rest of the script makes the output file executable, runs it (the route commands need root privileges), and cleans up the directory when done.
step by step:
- output of netstat -tn | grep SYN_RECV | grep 62.75.148.170:80 (column spacing condensed):
Code:
tcp 0 0 62.75.148.170:80 192.0.0.1:2329 SYN_RECV
tcp 0 0 62.75.148.170:80 192.0.0.2:2329 SYN_RECV
tcp 0 0 62.75.148.170:80 192.0.0.3:2329 SYN_RECV
- after the first sed:
Code:
route add -host 192.0.0.1:2329 SYN_RECV
route add -host 192.0.0.2:2329 SYN_RECV
route add -host 192.0.0.3:2329 SYN_RECV
- after the second sed (this is the file that gets executed):
Code:
route add -host 192.0.0.1 reject
route add -host 192.0.0.2 reject
route add -host 192.0.0.3 reject
this script is only for emergency use!
There is a chance of collateral damage (banning innocent users), but while a SYN flood is running the danger is not too big, because regular users don't really have a chance to connect anyway. Also, regular connections in SYN_RECV state are rare in the netstat output: every connection starts in that state, but it usually lasts only a split second, so even on busy servers catching a legitimate connection in SYN_RECV via netstat is like winning the lottery.
It is different in a SYN flood: the attacking bots send a SYN, but never complete the handshake. After the server answers with a SYN-ACK the final ACK never arrives, so the server keeps the half-open connection in SYN_RECV until it times out. These half-open entries fill the listen backlog of the service, and once it is full no regular users can connect anymore.
Don't copy & paste the script; it will not work because some whitespace is missing. Get it here.
P.S. Of course you will have to edit the IP address in the netstat command and in the first sed; if a service other than http is attacked you will also have to change the port number in both.
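The same procedure as an added example (not the original poster's script): it parses the netstat -tn output with awk instead of fixed-whitespace sed patterns, so it does not depend on the exact column spacing, and it only emits a reject route for sources that have at least a given number of half-open connections, which limits the collateral damage discussed above. The function names, the threshold parameter and the sample netstat lines are constructed for this example; it assumes net-tools netstat/route (on iproute2-only systems `ip route add unreachable <ip>` is the equivalent of `route add -host <ip> reject`).

```shell
#!/bin/bash
# Added example, not the original script. Assumes net-tools netstat/route.

# Print one source IP per line for every SYN_RECV connection to the local
# endpoint given as $1 (e.g. 62.75.148.170:80), reading "netstat -tn" on stdin.
# netstat -tn columns: Proto Recv-Q Send-Q Local Foreign State
syn_recv_sources() {
    local target="$1"
    awk -v target="$target" '
        $1 == "tcp" && $4 == target && $6 == "SYN_RECV" {
            sub(/:[0-9]+$/, "", $5)   # strip the remote (source) port
            print $5
        }'
}

# Count half-open connections per source IP and print only the IPs with at
# least $2 of them (default 1, which is what the original script does).
flood_sources() {
    local target="$1" threshold="${2:-1}"
    syn_recv_sources "$target" | sort | uniq -c | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Dry run: print the route commands instead of executing them.
reject_commands() {
    flood_sources "$1" "$2" | while read -r ip; do
        printf 'route add -host %s reject\n' "$ip"
    done
}

# Real run: install the reject routes (needs root); same effect as ./output2.
block_sources() {
    flood_sources "$1" "$2" | while read -r ip; do
        route add -host "$ip" reject
    done
}

# Constructed sample of "netstat -tn" output (not a real capture):
# 192.0.0.1 has three half-open connections, 192.0.0.2 one, 192.0.0.3 is a
# normal ESTABLISHED client, 192.0.0.4 is half-open on port 22 (not our target).
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 62.75.148.170:80        192.0.0.1:2329          SYN_RECV
tcp        0      0 62.75.148.170:80        192.0.0.1:2330          SYN_RECV
tcp        0      0 62.75.148.170:80        192.0.0.1:2331          SYN_RECV
tcp        0      0 62.75.148.170:80        192.0.0.2:40001         SYN_RECV
tcp        0      0 62.75.148.170:80        192.0.0.3:51234         ESTABLISHED
tcp        0      0 62.75.148.170:22        192.0.0.4:60000         SYN_RECV'

# ./script.sh --demo   -> prints only "route add -host 192.0.0.1 reject"
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | reject_commands 62.75.148.170:80 2
fi
```

Against live data the call is `netstat -tn | reject_commands 62.75.148.170:80 2` to review the list, then `netstat -tn | block_sources 62.75.148.170:80 2` as root to apply it; no temporary files and no chmod 777 are needed. A threshold of 2 or 3 keeps the single legitimate connection that happens to be caught in SYN_RECV from being banned, while the bots that pile up many half-open connections are still caught.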