Small blog about system administration.

The script to kill DoS/DDoS botnet on the OpenVZ hardware node

I recently faced a DDoS attack against OpenVZ containers. The DDoS net consists of these IPs, which were attacking the VZ servers:

63.128.150.155
69.167.151.27
129.33.190.96
176.56.225.227

So the first thing I did on the HW node was the following:

# for ip in 63.128.150.155 69.167.151.27 129.33.190.96 176.56.225.227; do iptables -I FORWARD -s "$ip" -j DROP; done

Then I made this script to kill that botnet:

# Capture a bounded number of packets so tcpdump actually exits (the original ran with no -c and
# never returned, so nothing after it executed); 10000 is an arbitrary sample size.
tcpdump -n -c 10000 > tcp.dmp
# grep keeps only the lines matching the author's filter string; awk takes the source field
# (timestamp, "IP", source); sed strips the trailing .port so only the address is left (the
# original's 's/.dom/ /g' did not); sort -u replaces sort|uniq -c|awk. One pass then adds the
# DROP rule to INPUT, FORWARD and OUTPUT instead of re-reading the capture three times.
grep ripe.net tcp.dmp \
  | awk '{print $3}' \
  | sed -r 's/\.[^.]+$//' \
  | sort -u \
  | while read -r ip; do
      for chain in INPUT FORWARD OUTPUT; do
          iptables -A "$chain" -s "$ip" -j DROP
      done
    done

Actually, tcpdump rulezz :-)
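One thing the script above does not do is distinguish the flood from ordinary traffic: every source address in the capture gets a DROP rule, including legitimate clients that happened to connect while tcpdump was running. The following is an added example, not the author's script, that ranks sources by packet count and only emits rules for those above a threshold, printing the iptables commands instead of running them so they can be reviewed first. The capture lines, the addresses and the threshold of 3 are constructed for the example; the shape of the tcpdump -n output is the standard one (timestamp, "IP", source.port > dest.port).

```shell
#!/bin/sh
# Added example (not from the original post): count packets per source address in a
# tcpdump -n capture and emit DROP rules only for sources at or above a threshold, so
# ordinary clients captured alongside the flood are not blocked with it. The iptables
# commands are printed, not executed, until the output is piped into sh.

# Constructed tcpdump -n output; timestamps and addresses are made up for the example.
SAMPLE_CAPTURE='12:00:00.000001 IP 198.51.100.7.40001 > 203.0.113.5.80: Flags [S], seq 1, win 512, length 0
12:00:00.000002 IP 198.51.100.7.40002 > 203.0.113.5.80: Flags [S], seq 2, win 512, length 0
12:00:00.000003 IP 198.51.100.7.40003 > 203.0.113.5.80: Flags [S], seq 3, win 512, length 0
12:00:00.000004 IP 192.0.2.10.51234 > 203.0.113.5.443: Flags [S], seq 4, win 64240, length 0
12:00:00.000005 IP 198.51.100.9.40004 > 203.0.113.5.80: Flags [S], seq 5, win 512, length 0
12:00:00.000006 IP 198.51.100.9.40005 > 203.0.113.5.80: Flags [S], seq 6, win 512, length 0
12:00:00.000007 IP 198.51.100.9.40006 > 203.0.113.5.80: Flags [S], seq 7, win 512, length 0
12:00:00.000008 IP 198.51.100.9.40007 > 203.0.113.5.80: Flags [S], seq 8, win 512, length 0'

# flood_sources THRESHOLD < capture
# Prints "count address" for every source that sent at least THRESHOLD packets, busiest first.
flood_sources() {
    awk -v min="$1" '
        $2 == "IP" {
            src = $3
            sub(/\.[^.]+$/, "", src)      # strip the trailing .port (numeric or service name)
            n[src]++
        }
        END { for (s in n) if (n[s] >= min) print n[s], s }
    ' | sort -rn
}

# drop_rules THRESHOLD < capture
# Emits one DROP rule per chain for each flood source; review the output before running it.
drop_rules() {
    flood_sources "$1" | while read -r count ip; do
        for chain in INPUT FORWARD OUTPUT; do
            printf 'iptables -A %s -s %s -j DROP\n' "$chain" "$ip"
        done
    done
}

# Usage with the constructed capture: sources that sent three or more packets.
# 198.51.100.9 (4 packets) and 198.51.100.7 (3) are listed; 192.0.2.10 (1) is left alone.
printf '%s\n' "$SAMPLE_CAPTURE" | drop_rules 3
```

In practice the threshold comes from the capture itself (a real flood source shows up with orders of magnitude more packets than a client), and running `flood_sources` on the file first shows what the cut-off should be before any rule is written.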
