-1

I'm checking for DDoS using this script:

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

It will show something like this:

24 220.160.239.126
25 42.80.231.240
26 182.109.15.223
29 218.64.39.93

I'm blocking the IP using:

route add 218.64.39.93 reject

How do I combine the netstat check with the route add reject if the count is more than 20?

Thanks

Teddybugs

1 Answer

0

Append:

|awk '$1 > 20 {print $2}'

to print the entry in the second column of your input when the integer in the first column exceeds the value of 20.

|awk '$1 > 20 {print "route add " $2 " reject"}' | /bin/sh

and omitting the redundant | sort -n would be a refinement to execute the desired command.

By the way, DIY DoS protection like that is probably not the optimal solution...

HBruijn
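A more defensive form of the pipeline from the question and answer, as an added example that is not part of the original posts: it skips netstat's header lines, accepts only dotted-quad IPv4 addresses, honours an allowlist, and prints the route commands for review instead of piping them to /bin/sh. The function names, the allowlist arguments and the sample input are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `netstat -ntu` output on stdin and prints remote IPv4
# addresses with more than LIMIT connections. Extra arguments are allowlisted
# addresses (hypothetical: your own monitoring or proxy hosts).
over_threshold() {
    limit=$1; shift
    awk -v limit="$limit" -v allow=" $* " '
        $1 !~ /^(tcp|udp)/ { next }        # skip the two netstat header lines
        {
            addr = $5
            sub(/:[0-9*]+$/, "", addr)     # strip the trailing :port
            sub(/^::ffff:/, "", addr)      # IPv4-mapped IPv6 -> plain IPv4
            # Strict dotted quad only, so nothing else can reach a shell.
            if (addr !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
            if (addr == "0.0.0.0" || addr ~ /^127\./) next
            if (index(allow, " " addr " ")) next
            count[addr]++
        }
        END { for (a in count) if (count[a] > limit) print a }
    ' | sort
}

# Turns each address on stdin into the route command from the answer.
# Commands are printed for review, not executed.
emit_block_commands() {
    while read -r ip; do
        printf 'route add %s reject\n' "$ip"
    done
}

# Constructed sample input (documentation address ranges), not real traffic.
sample_netstat() {
    echo 'Active Internet connections (w/o servers)'
    echo 'Proto Recv-Q Send-Q Local Address Foreign Address State'
    n=0
    while [ "$n" -lt 25 ]; do
        n=$((n + 1))
        echo "tcp 0 0 192.0.2.1:80 198.51.100.7:$((40000 + n)) ESTABLISHED"
        echo "tcp 0 0 192.0.2.1:80 203.0.113.5:$((50000 + n)) ESTABLISHED"
    done
    echo 'tcp 0 0 192.0.2.1:80 192.0.2.44:41000 TIME_WAIT'
    echo 'tcp6 0 0 ::ffff:192.0.2.1:80 ::ffff:198.51.100.9:41001 ESTABLISHED'
    echo 'tcp6 0 0 2001:db8::1:80 2001:db8::99:41002 ESTABLISHED'
    echo 'udp 0 0 192.0.2.1:53 0.0.0.0:*'
}

# Live use: netstat -ntu | over_threshold 20 203.0.113.5 | emit_block_commands
sample_netstat | over_threshold 20 203.0.113.5 | emit_block_commands
```

Both sample addresses have 25 connections, but only 198.51.100.7 is reported because 203.0.113.5 is passed as allowlisted.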