Improved Linux DDOS detection program
With a lot of help from friends in the Linux community, I have improved the DDoS detection program for Linux systems. This BASH script lets IT staff list what is currently going on at their servers and, more importantly, where the connections come from.
The script presented in this post must not be run in a loop of any sort, because the repeated whois lookups would starve the admin of the resources needed to log on.
```bash
#!/bin/bash
# Zeljko Milinovic - http://itstuffallaround.blogspot.com/
# Cached lookup of ddos whois IP sockets
# v1.1
cachefile="$HOME/ddostestercache"

# return 0 if address is to be filtered from the processed (local and private ranges)
filter()
{
    case "$1" in
        0.* | 127.* | 10.* | 172.1[6-9].* | 172.2[0-9].* | 172.3[0-1].* | 192.168.* | 169.254.*)
            return 0
            ;;
    esac
    return 1
}

remote_ips()
{
    # print only IPv4 addresses: strip the port from the foreign address (field 5)
    # and count how many connections each remote address currently holds
    netstat -tun4 | awk '/:/ {gsub(/:.*/,"",$5);print $5}' | sort -n | uniq -c
}

get_country()
{
    # escape the dots so the address is matched literally in the cache file
    local key=${1//./\\.}
    local country=$(sed -nr "s/^$key (.*)/\1/p" "$cachefile" 2>/dev/null)
    if [ -z "$country" ];then
        # some queries produce multiple lines so for now use only the first line..
        country=$(whois "$1" | sed -nr 's/^country:[[:space:]]+(.*)/\1/ip' | head -1)
        country=${country:-unknown}
        # cache search result for future use
        echo "$1 $country" >> "$cachefile"
    fi
    # let's not print the text "unknown" to screen
    [ "$country" = "unknown" ] && unset country
    echo "$country"
}

remote_ips | while read count ip;do
    if ! filter "$ip";then
        echo "$count $ip $(get_country "$ip")"
    fi
done
```
And finally the output of the script:
```
1 50.31.xxx.xxx US
9 98.28.xxx.xxx DK
1 109.12.xxx.xxx BA
```
As we can see, the output lists 3 IP addresses, each with its number of concurrent connections and its country of origin. This is very useful for detecting where an attack is coming from, so it can be mitigated quickly.
Feel free to extend the code and comment.