DoS-Deflate blocks numbers not IP addresses
Mat
Posted: Sat Aug 09, 2008 12:48 pm    Post subject: DoS-Deflate blocks numbers not IP addresses

We've noticed recently that many of us are suffering with a repeat problem with the implementation of DoS-Deflate (the anti-(D)DoS script from medialayer.com - http://deflate.medialayer.com/). The problem is that on many occasions it blocks numbers instead of the IP addresses with too many connections.

This is down to the netstat command that they are using; it does not account for the ways that more up-to-date systems report output from the netstat command (particularly when the string ‘::ffff:’ is added to HTTP port 80 connections). This results in numbers being written to the IPTables instead of the IP addresses which have over the max connections set.

You will notice it when you start receiving emails saying things like...

Quote:
Banned the following ip addresses on Tue Aug 5 01:32:01 BST 2008

1120 with 1120 connections



We've put together a fix for this which requires that you replace the netstat command in the ddos.sh file (located in /usr/local/ddos directory if you installed in the default fashion).

In the original script line 117 reads…

Code:
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr > $BAD_IP_LIST


This should be rewritten to read as follows…

Code:
netstat -ntu | grep ':' | awk '{print $5}' | sed 's/::ffff://' | cut -f1 -d ':' | sort | uniq -c | sort -nr > $BAD_IP_LIST


IMPORTANT: this command should be written on a single line. You should also check each character, as selecting and copying can sometimes lead to different characters being pasted (i.e. single quotes might not paste as single quotes)!

We hope this helps those of you who would love to continue using this excellent script without the errors presently being experienced.
_________________
Mat.
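
The two pipelines from the post, run side by side over a constructed `netstat -ntu` sample, as an added example that is not part of the original post or of DoS-Deflate. The sample uses documentation addresses; `top_entry`, `second_field` and `is_ipv4` are hypothetical helpers, and the way `second_field` splits the line is an assumption about how a consumer might read the list.

```shell
#!/bin/sh
# Constructed sample of `netstat -ntu` output (documentation addresses only).
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:22           198.51.100.7:50514      ESTABLISHED
tcp        0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.5:41000 ESTABLISHED
tcp        0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.5:41001 ESTABLISHED
tcp        0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.5:41002 ESTABLISHED
EOF
}

# Original line 117: cut keeps the text before the first ':', which is
# empty for '::ffff:a.b.c.d:port', so the address column is lost.
old_count() { awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr; }

# Replacement from the post: drop header lines, strip '::ffff:', then cut.
new_count() {
  grep ':' | awk '{print $5}' | sed 's/::ffff://' | cut -f1 -d ':' |
    sort | uniq -c | sort -nr
}

# Hypothetical helper: first list entry rendered as "count|address".
top_entry() { head -n 1 | awk '{print $1 "|" $2}'; }

# Assumption: a consumer splits each entry on a space and takes field 2.
# cut prints the whole line when the delimiter is absent, so a count-only
# entry hands back the count where an address was expected.
second_field() { echo $1 | cut -d" " -f2; }

# Hypothetical guard: accept only dotted-quad IPv4 before any ban is issued.
is_ipv4() {
  printf '%s\n' "$1" | awk -F. '
    NF == 4 { for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i > 255) exit 1
              exit 0 }
    { exit 1 }'
}

echo "old: $(sample_netstat | old_count | top_entry)"
echo "new: $(sample_netstat | new_count | top_entry)"
```

A check such as `is_ipv4` placed in front of the ban step rejects the count-only entries even on a system where the pipeline has not yet been corrected.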
