Linux Security script to determine DDOS origin location
In computing, a denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a machine or network resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of efforts to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet.
On various Nix server setups we are always exposed to the DDOS attacks from various other similar setups or intended use. Often in some cases our server is used as a Botnet machine to exploit resources on other systems.
These attacks can be verified from the shell in a form of many open sockets from one or more IP addresses. Often these open sockets are more than 150 , which is not normal. Many IT people are using a DDOS prevention scripts to ban those IP addresses. I stumbled upon a request from a friend to write a script that will tell us the Country of attack origin. This was always missing in our troubleshooting.
So I have written a small and useful script, that is a combination of often used Netstat and Whois commands that can be found online. Also similar script code can be found on the internet, and people can adjust the code to their needs. I needed a script that will associate and display the origin of country and the IP socket combination.
Code
#!/bin/bash
{
cat=$( netstat -ntu | grep ':' | awk '{print $5}' | sed 's/::ffff://' | cut -f1 -d ':' | sort | sort -nr | less);
for i in $cat; do
Country=$( whois $i | grep -i Country | awk '{print $2}' );
echo "Land+IP= $Country $i ";
done;
}
end of code.
To elaborate more on code I will explain the details. I am using the Bash shell scripting, which is very common. This code is using a Netstat command from the classic and tuned ddos Deflate script that is common for fighting DDOS attacks.
netstat -ntu | grep ':' | awk '{print $5}' | sed 's/::ffff://' | cut -f1 -d ':' | sort | sort -nr | less
This command gives us the output of IP sockets and we print them out using the AWK for text processing. I have attached the sed switch to replace the empty addresses and space with null ffff value.
The sort and less switches are helpful for sorting and properly displaying the addresses. I have put this into on CAT function and defined this concencated output with a $ sign as a variable.
The variable is further used for a loop that is needed for the WHOIS command which will tel use the Country of origin. Classic for loop is using a i for the increment value.
Country=$( whois $i | grep -i Country | awk '{print $2}' );
If we use the whois command with the grep function for the Contry it will only display us the Country of origin. So I have used this command with the incremented concencated display in the loop.
Simple enough we get a display of current IP sockets with Country of origin:
Land+IP= BA 71.222.xxx.xxx
Land+IP= BA 71.222.xxx.xxx
Land+IP= BA 71.222.xxx.xxx
Land+IP= BA 71.222.xxx.xxx
Land+IP= IT 88.138.xxx.xxx
Land+IP= IT 88.138.xxx.xxx
Land+IP= IT 88.138.xxx.xxx
Land+IP= IT 88.138.xxx.xxx
Land+IP= BA 61.38.xxx.xxx
Land+IP= BA 61.38.xxx.xxx
Land+IP= BA 61.38.xxx.xxx
Land+IP= BA 61.38.xxx.xxx
Land+IP= BA 61.38.xxx.xxx
So this output will generate all the Sockets, and if we see many exact same sockets from one Country we can pinpoint the location and origin from the attack. Script can be more fine tuned so everyone is welcome.
Feel free to code.