Enterprise Linux Log

Oct 4 2007   11:28AM GMT

Handy script protects Linux against traffic spikes


We received another user-submitted Linux script for our “Share scripts… win Starbucks” series. This one comes from David Witham, who writes:

I administer a consumer VoIP switch for a VSP. The switch acts as a SIP registrar and proxy. Many thousands of devices register and re-register with the registrar every few minutes, so there’s a pretty constant stream of traffic hitting it. Some SIP devices have flaky firmware and misbehave in such a way that they flood the registrar with registration requests to the point that performance is compromised, so I needed a way to protect the registrar from those devices.

I wrote a script that takes a sample of network traffic using Ethereal, checks for IP addresses transmitting excessive packets and blocks them by adding them to a list of addresses to drop in the INPUT chain of iptables.

David suggests running the script every 15 minutes to allow new IP addresses to be added to the list, then flushing the addresses and re-adding them so IP addresses that have stopped flooding can re-register.

Give it a try. This script was optimized for RHEL4 but should run on other Linux and Unix systems that have Ethereal or iptables. Feel free to modify it any way you like, or maybe you have one of your own to share? Share a script with us and, if we use it, we’ll treat you to Starbucks.

Keep the scripts coming!

#!/bin/bash
#
# Run from cron on a frequent basis, including on the hour, to block IP addresses flooding with SIP requests
# Use -f to force a flush of the INPUT chain
#
# First 3 octets of destination IP address of the flooding packets
BASE=xxx.xxx.xxx

# Whole destination IP address of the flooding packets
HOSTIP=xxx.xxx.xxx.xxx

# Interface on which the flooding is occurring
INTERFACE=eth3

# Capture 10 seconds of traffic, count how often each address appears as source or
# destination, remove the registrar's own network from the list, and add a DROP rule
# for every remaining address seen more than 30 times in the sample. tethereal prints
# one line per packet as "time src -> dst proto info", so the source address is
# field 2 and the destination address is field 4.
block_flooders() {
        /usr/sbin/tethereal -i "$INTERFACE" -a duration:10 2>/dev/null \
                | awk '{print $2; print $4}' \
                | grep -v "$BASE" \
                | sort | uniq -c | sort -rn \
                | awk '$1 > 30 {print $2}' \
                | while read -r ip; do
                        /sbin/iptables -A INPUT -s "$ip" -d "$HOSTIP" -j DROP
                done
}

# Flush iptables INPUT filter chain each hour in case some IPs have stopped flooding and are genuinely trying to use the service
# Note: -F INPUT removes every rule in the chain, not only the ones this script added
if [ "$(date +%M)" = "00" -o "$1" = "-f" ]; then
        /sbin/iptables -F INPUT
        # Wait 5 seconds for IPs to start flooding again (most flooding IPs send REGISTER every 4 seconds if not getting a response)
        sleep 5
        # Add IP address to drop to iptables INPUT filter chain. Repeat a couple of times to catch all IPs
        block_flooders
        sleep 5
        block_flooders
        sleep 5
        block_flooders
else
        # Add more IP addresses to drop to iptables INPUT filter chain
        block_flooders
fi
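As an added example, not part of David's script, here is the counting stage of the pipeline run over constructed tethereal-style capture lines instead of a live capture, with the resulting iptables commands printed for review rather than executed. The addresses, the 10-second threshold of 30 packets and the "time src -> dst proto info" line format are assumptions.

```bash
#!/bin/bash
# Assumed registrar network and address (constructed, not from the post)
BASE="192.0.2"
HOSTIP="192.0.2.10"
THRESHOLD=30

# Constructed sample capture: one device sends 40 REGISTERs in the window,
# a well-behaved one sends 3, and the registrar answers the latter once.
make_sample() {
        local i
        for i in $(seq 1 40); do
                echo "0.$i 198.51.100.7 -> $HOSTIP SIP Request: REGISTER"
        done
        for i in 1 2 3; do
                echo "1.$i 203.0.113.9 -> $HOSTIP SIP Request: REGISTER"
        done
        echo "2.0 $HOSTIP -> 203.0.113.9 SIP Status: 200 OK"
}

# flood_sources: read capture lines on stdin, count every appearance of an
# address as source (field 2) or destination (field 4), skip addresses on
# the registrar's own network, and print those seen more than THRESHOLD times.
# This is the same logic as "awk | grep -v | sort | uniq -c | awk" in one awk.
flood_sources() {
        awk -v base="$BASE." -v t="$THRESHOLD" '
                { n[$2]++; n[$4]++ }
                END { for (ip in n) if (index(ip, base) != 1 && n[ip] > t) print ip }' \
                | sort
}

# drop_rules: dry run that prints the DROP rule the script would add per flooder.
drop_rules() {
        make_sample | flood_sources | while read -r ip; do
                echo "/sbin/iptables -A INPUT -s $ip -d $HOSTIP -j DROP"
        done
}
```

Piping a real capture into flood_sources instead of make_sample gives the list the script would block; reviewing that list before applying it is a cheap check against blocking a busy but legitimate gateway.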
