Skip to content

Instantly share code, notes, and snippets.

@felixge
Created October 29, 2011 13:43
Show Gist options
  • Save felixge/1324470 to your computer and use it in GitHub Desktop.
Save felixge/1324470 to your computer and use it in GitHub Desktop.
Bash stuff for fighting a weak DOS attack
# Here a few bash one-liners that helped me analyze / fight a weak DOS attack against debuggable.com. Mostly for future reference.
# The attacker was opening lots of tcp connections without sending data, I believe it's called a SYN flood, see: http://tools.ietf.org/html/rfc4987#section-3.2
# Step 0: Check what is going on at port 80
$ netstat -tan | grep ':80 ' | awk '{print $6}' | sort | uniq -c
# Step 1: Increase the number of available fds
$ ulimit -n 32000
# Step 2: Restart your webserver, for me:
$ /etc/init.d/lighttpd restart
# Step 3: List the number of connections per attacking machine:
$ netstat -ntu | tail -n +3 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
# Step 4: Whois the IP's you got from step 3 to find out where the attacking machines are (just for fun)
$ whois <ip>
# Step 5: If you want to limit the http connections / host to 20, do this. See: http://www.cyberciti.biz/faq/iptables-connection-limits-howto/
$ iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment