Tuesday, November 10, 2015

Script to Detect Dos attacks on a Webserver

While DoS attacks on a web server are very common, blocking the IPs behind them is easy; the trickier part is detecting the attack as it happens. A significant attack would load your web servers, and if you have moved to a cloud implementation where your environment is under autoscaling, chances are new servers would be attached and absorb the attack, but that significantly increases your cost.

Whether you run your environment in the cloud, on VMs or on physical machines, it is always good to automate detection of DoS attacks as soon as they occur. We are going to create a Bash script to detect DoS attacks as they happen.

The script runs every 10 minutes and checks the access logs of the last 10 minutes for multiple requests coming from the same IPs. You can then analyse the number of requests coming from an IP and compare it with a threshold chosen for your environment. Once this threshold is breached, the script mails you the details of the IP along with the number of requests made from it. You can then check the IP's reputation and, if you find something amiss, block it, protecting your web servers as soon as the attack occurs. You can block it using security groups in the Amazon AWS firewall, a simple deny rule in your web server, or iptables.

Use the following script to detect DoS attacks. Comments are included for easy understanding of the script; comment below in case you are stuck.

#!/bin/bash
### Script to check the Dos attacks from an ip in the access logs
### Created By Ankit
#### Build a grep pattern that covers every minute of the last 10 minutes,
#### in the timestamp format used in the access logs (e.g. 10/Nov/2015:14:05).
#### A single "-10 min" timestamp would only match one minute, not the whole window.
pattern=""
for m in $(seq 1 10); do
    dt=$(date +'%d/%b/%Y:%H:%M' --date "-$m min")
    pattern="${pattern:+$pattern|}$dt"
done
#### grep the access log for the last 10 minutes and print only the ips with their request counts,
#### then isolate those ips in the iplist.txt file in the /tmp directory
grep -E "$pattern" /var/log/httpd/site-access-log | awk '{print $1}' | sort | uniq -c | sort -n > /tmp/iplist.txt
### Read the iplist.txt file a line at a time
while IFS= read -r line
do
    ### Compare the count with the threshold, in our case 2000 requests every 10 minutes
    ### Adjust this counter based on your environment
    count=$(echo "$line" | awk '{print $1}')
    if [ "$count" -gt 2000 ]
    then
        ### If the threshold gets breached, list the count along with the ip in suspiciousiplist.txt
        echo "$line" >> /tmp/suspiciousiplist.txt
    fi
done < /tmp/iplist.txt
### Count the number of lines in suspiciousiplist.txt,
### which should be greater than 0 to generate and send the list in the mail
number=$(cat /tmp/suspiciousiplist.txt 2>/dev/null | wc -l)
if [ "$number" -gt 0 ]
then
    echo "Suspicious Ip details on the xyz.com webserver attached with the mail" | /bin/mail -v -s "Suspicious IP Details on xyz.com" -a /tmp/suspiciousiplist.txt [email protected]
fi
### Once the mail has been sent, delete the files you created temporarily to store the values
rm -f /tmp/suspiciousiplist.txt
rm -f /tmp/iplist.txt
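The same per-IP count over a 10-minute window, done by parsing the timestamp field of each log line instead of matching a fixed string, so that timezone offsets and the full window are handled. This is an added Python example, not part of the original post; the log lines, addresses and the lowered threshold are constructed to fit the sample.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache/nginx common log format: client IP is the first field, the
# timestamp sits in square brackets, e.g. [10/Nov/2015:14:05:33 +0000].
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\]')
TS_FMT = '%d/%b/%Y:%H:%M:%S %z'

def parse_line(line):
    """Return (ip, aware datetime) for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group('ts'), TS_FMT)
    except ValueError:
        return None
    return m.group('ip'), ts

def count_recent(lines, now, window=timedelta(minutes=10)):
    """Count requests per IP whose timestamp lies in (now - window, now]."""
    start = now - window
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip rather than crash the check
        ip, ts = parsed
        if start < ts <= now:
            counts[ip] += 1
    return counts

def suspicious_ips(lines, now, threshold=2000, window=timedelta(minutes=10)):
    """Return [(ip, count)] for IPs above the threshold in the window, highest first."""
    counts = count_recent(lines, now, window)
    hits = [(ip, n) for ip, n in counts.items() if n > threshold]
    return sorted(hits, key=lambda t: t[1], reverse=True)

# Constructed sample log (documentation addresses, not real traffic): 203.0.113.5
# sends 5 requests inside the window, 198.51.100.7 sends 2, one old line is ignored.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Nov/2015:14:05:%02d +0000] "GET / HTTP/1.1" 200 512' % s
    for s in range(5)
] + [
    '198.51.100.7 - - [10/Nov/2015:14:06:01 +0000] "GET /about HTTP/1.1" 200 128',
    '198.51.100.7 - - [10/Nov/2015:14:06:02 +0000] "GET /about HTTP/1.1" 200 128',
    '203.0.113.5 - - [10/Nov/2015:13:50:00 +0000] "GET / HTTP/1.1" 200 512',  # outside window
]
NOW = datetime(2015, 11, 10, 14, 10, tzinfo=timezone.utc)  # constructed "current time"
```

Call `suspicious_ips(SAMPLE_LOG, NOW, threshold=3)` on the sample; in production read the real log and keep the 2000-per-10-minutes threshold, or whatever fits your site.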

