Note: depending on the number of web log hits or network connections, monitor for any IP whose concurrent connections or PV (page views) reach 100 in a short time; when that happens, call the firewall command to block the corresponding IP. Monitoring frequency: every 3 minutes.
The firewall command is: iptables -A INPUT -s 10.0.1.10 -j DROP
Ideas:
1. Analyze the logs and extract the IP addresses and their PV counts.
2. Use a while statement to read the extracted IP and PV counts, and loop every 3 minutes.
3. Call the firewall command.
Three ways to read a log with while:
1. cat a.log | while read line
   do
   done
2. exec <a.log
   while read line
   do
   done
3. while read line
   do
   done <a.log
Script:
#!/bin/bash
#author: liuwei
#site: www.51liuzw.com
while true
do
    # Variant 1: count requests per client IP from the web log (commented out here)
    #cat 12_01.log | awk '{print $1}' | sort | uniq -c > a.log
    # Variant 2: count ESTABLISHED connections per remote IP; both variants write
    # "count ip" lines to a.log, which the loop below reads
    netstat -an | grep ESTAB | awk -F "[ :]+" '{print $6}' | sort | uniq -c > a.log
    exec <a.log
    while read line
    do
        pv=$(echo "$line" | awk '{print $1}')
        ip=$(echo "$line" | awk '{print $2}')
        # block only when the count exceeds the threshold and no rule for this IP exists yet
        # (-w avoids matching 10.0.1.1 inside 10.0.1.10)
        if [ "$pv" -gt 5 ] && [ "$(iptables -L -n | grep -w "$ip" | wc -l)" -eq 0 ]; then
            iptables -A INPUT -s "$ip" -j DROP
        fi
    done
    sleep 180
done
Implementation ideas:
1. Extract IP addresses and PV counts from the log, or IP addresses and connection counts from the network connection table.
2. When an IP's PV exceeds the maximum value you are willing to accept, add that IP to the firewall.
3. The 3-minute interval can also be implemented with crontab.
Knowledge points:
awk -F "[ :]+"
-F: this option is required when specifying a custom field separator
[ :]+: a space or a colon is a delimiter; + means the space or colon appears at least once, so a run of them counts as a single separator
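As an added example (not the original post's script), the same counting logic run over constructed netstat-style lines, with the threshold filter and a duplicate-rule check that uses iptables -C instead of grepping iptables -L output; the sample lines, the function names count_established/over_threshold/block_ip/offenders and the threshold values are assumptions made for this example.

```shell
#!/bin/bash
# Constructed sample of "netstat -an" output for this example (not real traffic):
# 10.0.1.10 has 4 ESTABLISHED connections, 10.0.1.11 has 1, 10.0.1.12 only TIME_WAIT.
SAMPLE_NETSTAT='tcp        0      0 10.0.1.5:80        10.0.1.10:50001     ESTABLISHED
tcp        0      0 10.0.1.5:80        10.0.1.10:50002     ESTABLISHED
tcp        0      0 10.0.1.5:80        10.0.1.10:50003     ESTABLISHED
tcp        0      0 10.0.1.5:80        10.0.1.11:50004     ESTABLISHED
tcp        0      0 10.0.1.5:22        10.0.1.12:50005     TIME_WAIT
tcp        0      0 10.0.1.5:80        10.0.1.10:50006     ESTABLISHED'

# Read netstat lines on stdin, print "count ip" per remote IP, highest first.
# Same field logic as the post: split on runs of spaces/colons, remote IP is $6.
count_established() {
    grep ESTAB | awk -F '[ :]+' '{print $6}' | sort | uniq -c | sort -rn
}

# Read "count ip" lines on stdin, print only IPs whose count exceeds $1.
over_threshold() {
    awk -v limit="$1" '$1 > limit {print $2}'
}

# Add a DROP rule for $1 unless an identical rule is already present.
# iptables -C exits 0 when the rule exists, so no substring matching on -L output.
block_ip() {
    if ! iptables -C INPUT -s "$1" -j DROP 2>/dev/null; then
        iptables -A INPUT -s "$1" -j DROP
    fi
}

# Whole pipeline on the sample: IPs with more than $1 ESTABLISHED connections.
offenders() {
    printf '%s\n' "$SAMPLE_NETSTAT" | count_established | over_threshold "$1"
}
```

In the real loop, replace the sample with `netstat -an` and pass each line of `offenders N` to block_ip.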
This article is from the "Burning Years of Passion" blog; please keep this source when reposting: http://liuzhengwei521.blog.51cto.com/4855442/1773802
Using the shell to resolve DDoS attack instances