This article covers Bash scripts for blocking IPs during a DDoS attack. Use the script below to block IP addresses that are making too many connections.
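#!/bin/bash
# Start from an empty list on every run.
if [ -e ip-list.txt ]
then
    rm -f ip-list.txt
fi

# Count connections per remote address on port 80 and keep addresses with more than 30.
netstat -tpn | grep :80 | awk '{print $5}' | cut -d ':' -f 1 | sort | uniq -c | sort -n -k 1 | awk '{if ($1 > 30) {print $2}}' >> ip-list.txt

# Deny each listed address in CSF, discarding both stdout and stderr.
if [ -s ip-list.txt ]
then
    for ip in $(cat ip-list.txt)
    do
        /usr/sbin/csf -d "$ip" >/dev/null 2>&1
    done
fi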
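The counting step of the script above can be written as a function that skips trusted hosts, matches local port 80 exactly (so 8080 is not counted) and validates each address before it reaches the firewall. This is an added example, not the article's own script: THRESHOLD, ALLOWLIST, offenders(), emit() and sample_netstat() are illustrative names, and every address is a constructed documentation-range value.

```shell
#!/bin/bash
# Added example, not the article's script. All names and addresses below are
# assumptions made for illustration.

THRESHOLD=30                         # same limit as the article's script
ALLOWLIST="127.0.0.1 203.0.113.10"   # loopback plus a hypothetical monitoring host

# Reads `netstat -tn` lines on stdin. Prints each remote IPv4 address holding
# more than THRESHOLD connections to local port 80, skipping allowlisted hosts
# and anything that does not look like a dotted-quad address.
offenders() {
    awk -v limit="$THRESHOLD" -v allow="$ALLOWLIST" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        $1 ~ /^tcp/ && $4 ~ /:80$/ {        # local port exactly 80, not 8080
            ip = $5
            sub(/:[0-9]+$/, "", ip)         # drop the remote port
            sub(/^::ffff:/, "", ip)         # unwrap IPv4-mapped addresses
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !(ip in skip)) count[ip]++
        }
        END { for (ip in count) if (count[ip] > limit) print ip }
    ' | LC_ALL=C sort
}

# Constructed input: emit <remote-ip> <connections> <local-port>
emit() {
    i=0
    while [ "$i" -lt "$2" ]; do
        printf 'tcp 0 0 192.0.2.1:%s %s:%s ESTABLISHED -\n' "$3" "$1" "$((40000 + i))"
        i=$((i + 1))
    done
}
sample_netstat() {
    emit 198.51.100.7 35 80            # over the limit: reported
    emit 192.0.2.44 5 80               # under the limit
    emit 127.0.0.1 40 80               # allowlisted
    emit 198.51.100.9 40 8080          # different local port
    emit ::ffff:198.51.100.23 31 80    # IPv4-mapped, over the limit: reported
}

# Dry run: print the command the article's loop would execute for each address.
sample_netstat | offenders | while read -r ip; do
    echo "would run: /usr/sbin/csf -d $ip"
done
```

On a live server the input would come from `netstat -tn | offenders`, with the echo replaced by the csf call once the list has been reviewed.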
Sometimes, massive DDoS attacks cannot be stopped with the CSF firewall because too many connections arrive in a short time period. In such cases, you need to “grep” the attacking pattern from the domlogs and then block the matching IPs via iptables using the following script.
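#!/bin/bash
# Collect the unique client IPs from the last 5000 log lines that match the attack pattern.
iplist=$(tail -5000 /usr/local/apache/domlogs/domain.com | grep "Pattern" | awk '{print $1}' | sort -u)

# Drop all TCP and UDP traffic from each of those addresses.
for address in ${iplist}; do
    iptables -I INPUT -p tcp -s "${address}" -j DROP
    iptables -I INPUT -p udp -s "${address}" -j DROP
done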
We highly recommend that you open a ticket via your Client Area whenever you see a DDoS attack.