Chinaunix首页 | 论坛 | 博客
  • 博客访问: 230807
  • 博文数量: 57
  • 博客积分: 955
  • 博客等级: 准尉
  • 技术积分: 587
  • 用 户 组: 普通用户
  • 注册时间: 2010-11-14 13:30
文章分类

全部博文(57)

文章存档

2012年(2)

2011年(55)

分类:

2011-05-18 20:59:36

原文地址:应对synflood 攻击的方法 作者:xyaxlz

判断synflood 攻击的方法
#netstat –an |grep SYN_RECV |wc –l
上面的结果如如大于400 有可能为synflood攻击。
1、首先开启syncookie 此为6 次握手才建立起来的TCP 连接。此种方法在10M以下的流量还可以。
在redhat5.5以后是默认开启的
#echo 1 > /proc/sys/net/ipv4/tcp_syncookies

2、把syn+ack回应包有5改为3。
#echo 2 > /proc/sys/net/ipv4/synack_retries
#echo 2 > /proc/sys/net/ipv4/tcp_syn_retries
 
3、增大半地址池:
#echo 4096 >/proc/sys/net/ipv4/tcp_max_syn_backlog = 4096
4、把配置加入配置文件,重启机器配置不会消失
#vim /etc/sysctl.conf 加入下面的配置
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_rmem = 32768
net.ipv4.tcp_wmem = 32768
#sysctl -p

5、加入防火墙规则 对Iptables 配置(限制接受包和回应包的速度)
iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit
1/s -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j
ACCEPT
iptables -t filter -A INPUT -p tcp --syn -j DROP
 
 
6、

#!/bin/sh
bip=`tail -n 100000  access.log | awk ' $9 ~ "/" ' | awk '$11 == "499" || $11 == "301" ' |awk '$12 == "0"|| $12 == "306" '|awk '$13 == "\"-\""'|awk '{print $2}'|sort -n|uniq -c |sort -n|tail -n 100|awk '{print $2}'|grep -vE "220.231.22.195|124.207.40.131"`

echo "$bip" >> /root/iptables2.txt
for ip in $bip; do
    /sbin/iptables -A INPUT -s  $ip -j DROP; echo $ip
done

7、

#!/bin/sh
bip=`tail -n 1000  /usr/local/nginx-rewrite/logs/rewrite.xxx.com  | awk ' $9 ~ "/" ' | awk '$11 == "499"  ' |awk '$12 == "0" '|awk '$13 == "\"-\""' | awk '{print $3}' | sort -nr | uniq -c | sort -nr |awk '$1 > 4'  | awk '{print $2}'|grep -vE "220.231.22.195|124.207.40.131"`
bip2=`tail -n 1000  /usr/local/nginx-rewrite/logs/rewrite.xxx.com  | awk ' $9 ~ "/" ' | awk '$11 == "301"  ' |awk '$12 == "306" || $12 == "185" '|awk '$13 == "\"-\""' | awk '{print $3}' | sort -nr | uniq -c | sort -nr |awk '$1 > 4'  | awk '{print $2}'|grep -vE "220.231.22.195|124.207.40.131"`
echo "$bip2" >> /root/iptables2.txt
echo "$bip" >> /root/iptables2.txt
for ip in $bip; do
    /sbin/iptables -A INPUT -s  $ip -j DROP; echo $ip
done
for ip2 in $bip2; do
    /sbin/iptables -A INPUT -s  $ip2 -j DROP; echo $ip2
done

sleep 15
bip=`tail -n 1000  /usr/local/nginx-rewrite/logs/rewrite.xxxx.com  | awk ' $9 ~ "/" ' | awk '$11 == "499"  ' |awk '$12 == "0" '|awk '$13 == "\"-\""' | awk '{print $3}' | sort -nr | uniq -c | sort -nr |awk '$1 > 4'  | awk '{print $2}'|grep -vE "220.231.22.195|124.207.40.131"`
bip2=`tail -n 1000  /usr/local/nginx-rewrite/logs/rewrite.xxxx.com  | awk ' $9 ~ "/" ' | awk '$11 == "301"  ' |awk '$12 == "306" || $12 == "185" '|awk '$13 == "\"-\""' | awk '{print $3}' | sort -nr | uniq -c | sort -nr |awk '$1 > 4'  | awk '{print $2}'|grep -vE "xxx.231.xxx.195|xxx.2xx.40.131"`
echo "$bip2" >> /root/iptables2.txt
echo "$bip" >> /root/iptables2.txt
for ip in $bip; do
    /sbin/iptables -A INPUT -s  $ip -j DROP; echo $ip
done
for ip2 in $bip2; do
    /sbin/iptables -A INPUT -s  $ip2 -j DROP; echo $ip2
done

sleep 15
bip=`tail -n 1000  /usr/local/nginx-rewrite/logs/rewrite.xxxx.com  | awk ' $9 ~ "/" ' | awk '$11 == "499"  ' |awk '$12 == "0" '|awk '$13 == "\"-\""' | awk '{print $3}' | sort -nr | uniq -c | sort -nr |awk '$1 > 4'  | awk '{print $2}'|grep -vE "220.231.22.195|124.207.40.131"`
bip2=`tail -n 1000  /usr/local/nginx-rewrite/logs/rewrite.xxxx.com  | awk ' $9 ~ "/" ' | awk '$11 == "301"  ' |awk '$12 == "306" || $12 == "185" '|awk '$13 == "\"-\""' | awk '{print $3}' | sort -nr | uniq -c | sort -nr |awk '$1 > 4'  | awk '{print $2}'|grep -vE "xx0.2xx.22.1xx|xx.2xx.xxx.131"`
echo "$bip2" >> /root/iptables2.txt
echo "$bip" >> /root/iptables2.txt
for ip in $bip; do
    /sbin/iptables -A INPUT -s  $ip -j DROP; echo $ip
done
for ip2 in $bip2; do
    /sbin/iptables -A INPUT -s  $ip2 -j DROP; echo $ip2
done

阅读(823) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~