Wednesday, February 21, 2007, 09:36 PM
- Linux
tcpdump
# tcpdump -ne dst port 80 and 'tcp[13] & 2 == 2'
This matches packets to port 80 that have the SYN flag set: tcp[13] is the TCP flags byte and bit 2 (value 2) is SYN. -n skips name resolution and -e prints the link-layer header. Note that SYN-ACKs also carry the SYN bit; to keep only bare SYNs (SYN set, ACK clear) use 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' instead.
# tcpdump -c 30000 -ne dst port 80 and 'tcp[13] & 2 == 2' | awk '{print $11}' | cut -d. -f1|sort | uniq -c | sort -n
Captures 30,000 matching packets, takes the first octet of each source address (its /8, a class A network) and sorts the /8s by the number of SYNs seen from each. awk '{print $11}' assumes the source address is the 11th whitespace-separated field; that column depends on the tcpdump version and on whether -e is used, so check a few lines of raw output before trusting the counts.
A bit more complicated:
# for i in `tcpdump -c 30000 -ne dst port 80 and 'tcp[13] & 2 == 2' | awk '{print $11}' | cut -d. -f1|sort | uniq -c | awk '{if ($1 > 4000) print $2}'`; do \
iptables -I INPUT -s $i.0.0.0/8 -j DROP; \
done
Captures 30,000 packets and, for every /8 that accounts for more than 4,000 of them, inserts an iptables rule dropping the whole network. Two caveats before running this on a live host. A /8 is a very coarse block: one rule cuts off an entire class A, including legitimate clients, and if your own upstream sits in that range you lock yourself out. SYN flood sources are also usually spoofed, so the counts say little about where the attack really comes from, and an attacker who chooses the spoofed addresses can make this script blackhole any /8 they like. Keep a record of the rules you insert so they can be removed afterwards, and consider enabling SYN cookies (net.ipv4.tcp_syncookies), which mitigate SYN floods without blocking anyone.
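The counting and threshold logic of the two pipelines above, as an added example that is not part of the original post, rewritten as shell functions so it can be tested offline before it touches iptables. It reads tcpdump -ne lines from stdin (a constructed sample is embedded), finds the source address by its position next to the ">" separator instead of a fixed field number, aggregates SYNs per /8, and prints the iptables commands for review rather than running them. The function names, the sample lines and the narrowing of the generated rule to TCP/80 are my additions.

```sh
#!/bin/sh
# Added example, not from the original post: the post's count-then-block
# pipeline as testable shell functions. Reads tcpdump -ne lines on stdin.

# Constructed sample of tcpdump -ne output: four SYNs to port 80, three from
# 198.0.0.0/8 and one from 192.0.0.0/8. The last line carries an extra "IP"
# token before the address to show that the parser does not rely on a fixed
# column number.
SAMPLE_SYNS='12:00:00.000001 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype IPv4 (0x0800), length 74: 198.51.100.7.40001 > 203.0.113.10.80: Flags [S], seq 1, win 65535, length 0
12:00:00.000002 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype IPv4 (0x0800), length 74: 198.51.100.8.40002 > 203.0.113.10.80: Flags [S], seq 2, win 65535, length 0
12:00:00.000003 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype IPv4 (0x0800), length 74: 192.0.2.5.40003 > 203.0.113.10.80: Flags [S], seq 3, win 65535, length 0
12:00:00.000004 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype IPv4 (0x0800), length 74: IP 198.51.100.9.40004 > 203.0.113.10.80: Flags [S], seq 4, win 65535, length 0
'

# Count SYNs per source /8. Output: "<count> <first octet>" per line, sorted by
# count ascending, i.e. what the post gets from `sort | uniq -c | sort -n`.
# The source address is the a.b.c.d.port token immediately before a ">"
# (the MAC pair printed by -e also has a ">", but MACs do not match the regex).
syn_count_per_8() {
    awk '
    {
        for (i = 2; i <= NF; i++) {
            if ($i == ">" && $(i - 1) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                split($(i - 1), octet, ".")
                count[octet[1]]++
                break
            }
        }
    }
    END { for (k in count) print count[k], k }' | sort -n
}

# Print the /8 networks with more than $1 SYNs, one "<octet>.0.0.0/8" per line.
nets_over_threshold() {
    syn_count_per_8 | awk -v t="$1" '$1 > t { print $2 ".0.0.0/8" }'
}

# Emit, rather than execute, the iptables rules the post would insert, so the
# list can be reviewed before it is piped into sh. The rule is narrowed to
# TCP/80 here (my choice); the post drops all traffic from the /8.
block_rules() {
    nets_over_threshold "$1" | while read -r net; do
        printf 'iptables -I INPUT -p tcp --dport 80 -s %s -j DROP\n' "$net"
    done
}

# Demo on the embedded sample with a threshold of 2 SYNs. Live use would be:
#   tcpdump -c 30000 -ne dst port 80 and 'tcp[13] & 2 == 2' | block_rules 4000
printf '%s' "$SAMPLE_SYNS" | block_rules 2
```

Running the script prints one rule for 198.0.0.0/8 and nothing for 192.0.0.0/8; only pipe its output into sh once you have read the list and decided the /8 is really one you want to lose.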