Coincidentally, last night, at about 17:00 we suffered an intensive
DDoS via CGI. The unique client count is now over 3,000. Fortunately I
was running a tail at the time and noticed it pretty quickly which
allowed me to restore order relatively quickly.
I brought up another instance of swatch on for the access_log which
has been watching for the DoS pattern. On hits, it passes the IP of
the attacker to a script that adds firewall rules.
The initialization looks like:
/usr/bin/swatch --use-cpan-file-tail --config-file=/etc/swatch2.conf \
--daemon --awk-field-syntax --tail-file=/var/log/httpd/access_log
The conf file looks like:
watchfor /RegEx Pattern of Exploit/i
exec "/usr/local/bin/ipt-ddos $1"
--
Do NOT Send Email to <spam trap> Fedora@TQMcube,com
Our DNSRBL - Eliminate Spam at The Source: http://www.TQMcube.com
Don't Subsidize Criminals: http://boulderpledge.org
