PHP, not just for websites

Posted on February 13, 2006
Some idiot on GameSurge decided to SYN flood the site today. After parting with this lovely message “<JacKer> say bye to your site” a minor SYN flood from a total of 4 IP addresses hit the webserver. I ssh'ed in, realizing I didn’t copy over the old iptables firewall rules to the new webserver box and thus the auto SYN-flood filter wouldn’t kick off. After spending a few minutes coding this PHP script, which runs from the CLI, I was able to test it and watch it filter out the 4 IP addresses spewing SYN packets.

It works by first running netstat and collecting the IP addresses of connections in the SYN_RECV state. It then pulls the list of IP addresses already filtered by iptables. If one IP address appears more than 3 times in the SYN_RECV state and is not already being dropped by iptables, it gets added to the list and dropped. I plan on making this a little more sophisticated in the future; for example, one cool thing to do would be to look for IP addresses in the same subnet and drop the whole subnet if there are enough of them to justify it. Anyway, if you find this helpful, let me know. I've only tested it on Gentoo Linux with PHP 5.1, but I can't imagine it wouldn't work on any BSD-based system.
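The filter described above, written out as an added example (this is not the author's script): the parsing is split into pure functions so it can be checked against constructed netstat and iptables output before touching a live box. It assumes the Linux net-tools `netstat -tn` and `iptables -L INPUT -n` column layouts and an INPUT chain that DROP rules can be appended to; the sample addresses are constructed.

```php
<?php
// Added example (not the author's script): the SYN_RECV filter described above as pure
// parsing functions plus a dry-run driver. Assumes Linux net-tools `netstat -tn` and
// `iptables -L INPUT -n` output formats (assumptions about the real tools).
// Constructed sample output (not a real capture): 198.51.100.7 has 4 half-open connections,
// 203.0.113.9 has 4 but is already dropped, 203.0.113.44 is an established connection.
const SAMPLE_NETSTAT = "Proto Recv-Q Send-Q Local Address Foreign Address State\n"
    . "tcp 0 0 192.0.2.10:80 198.51.100.7:4001 SYN_RECV\ntcp 0 0 192.0.2.10:80 198.51.100.7:4002 SYN_RECV\n"
    . "tcp 0 0 192.0.2.10:80 198.51.100.7:4003 SYN_RECV\ntcp 0 0 192.0.2.10:80 198.51.100.7:4004 SYN_RECV\n"
    . "tcp 0 0 192.0.2.10:80 203.0.113.9:5001 SYN_RECV\ntcp 0 0 192.0.2.10:80 203.0.113.9:5002 SYN_RECV\n"
    . "tcp 0 0 192.0.2.10:80 203.0.113.9:5003 SYN_RECV\ntcp 0 0 192.0.2.10:80 203.0.113.9:5004 SYN_RECV\n"
    . "tcp 0 0 192.0.2.10:22 203.0.113.44:6000 ESTABLISHED\n";
const SAMPLE_IPTABLES = "Chain INPUT (policy ACCEPT)\ntarget prot opt source destination\n"
    . "DROP all -- 203.0.113.9 0.0.0.0/0\n";

// Count SYN_RECV entries per foreign address (port stripped) in `netstat -tn` output.
function synRecvCounts(string $netstat): array {
    $counts = [];
    foreach (explode("\n", $netstat) as $line) {
        $f = preg_split('/\s+/', trim($line));          // Proto Recv-Q Send-Q Local Foreign State
        if (count($f) < 6 || $f[5] !== 'SYN_RECV') continue;
        if (($sep = strrpos($f[4], ':')) === false) continue;  // split address:port at the last colon
        $ip = substr($f[4], 0, $sep);
        $counts[$ip] = ($counts[$ip] ?? 0) + 1;
    }
    return $counts;
}
// Source addresses that already have a DROP rule in the INPUT chain.
function droppedIps(string $iptables): array {
    $dropped = [];
    foreach (explode("\n", $iptables) as $line) {
        $f = preg_split('/\s+/', trim($line));          // target prot opt source destination
        if (count($f) >= 4 && $f[0] === 'DROP') $dropped[$f[3]] = true;
    }
    return $dropped;
}
// Addresses with more than $threshold half-open connections and no DROP rule yet.
function ipsToDrop(array $counts, array $dropped, int $threshold = 3): array {
    $out = array_keys(array_filter($counts, fn($n, $ip) => $n > $threshold && !isset($dropped[$ip]), ARRAY_FILTER_USE_BOTH));
    sort($out);
    return $out;
}

// Dry run by default; `php synfilter.php --live` reads the real tools and appends DROP rules.
$live = in_array('--live', $argv ?? [], true);
$netstat  = $live ? (string) shell_exec('netstat -tn') : SAMPLE_NETSTAT;
$iptables = $live ? (string) shell_exec('iptables -L INPUT -n') : SAMPLE_IPTABLES;
foreach (ipsToDrop(synRecvCounts($netstat), droppedIps($iptables)) as $ip) {
    $cmd = 'iptables -A INPUT -s ' . escapeshellarg($ip) . ' -j DROP';
    if ($live) shell_exec($cmd);
    echo ($live ? 'added: ' : 'dry run: ') . $cmd . "\n";    // dry run lists 198.51.100.7 only
}
```

The dry run needs no privileges and prints only the rule for 198.51.100.7, since 203.0.113.9 is already dropped; `--live` has to run as root.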

The fun of being an IRC network administrator

Posted on January 20, 2006

The following log illustrates the wonderful types of messages I get on GameSurge:

--- Log opened Thu Jan 19 19:23:14 2006
19:23 -!- Irssi: Starting query in gamesurge with GP|Novo[insert-club-here]
19:23 <GP|Novo[insert-club-here]> heya hows it going
19:23 <GP|Novo[insert-club-here]> ip68-108-40-138.lv.lv.cox.net
19:23 <GP|Novo[insert-club-here]> <---- my ip
19:23 <GP|Novo[insert-club-here]> so check this out
19:23 <GP|Novo[insert-club-here]> im offering you a deal
19:24 <GP|Novo[insert-club-here]> NoR|CelciuS-1HP- is a threat to my community
19:24 <GP|Novo[insert-club-here]> im holding gamesurge responsible for his acts if you dont give me his ip
19:25 <GP|Novo[insert-club-here]> you have until 8pm tomorrow to give me his ip
19:25 <GP|Novo[insert-club-here]> or I will take gamesurge and all of its resources offline forever
19:25 <GP|Novo[insert-club-here]> and dont give me that privacy policy bs
19:26 <GP|Novo[insert-club-here]> and if you dont think im serious
19:27 <GP|Novo[insert-club-here]> you know a few ppl
19:27 <GP|Novo[insert-club-here]> do the names
19:27 <GP|Novo[insert-club-here]> Sisco and bman mean anything to you
19:30 -!- GP|Novo[insert-club-here] [~none@ip68-108-40-138.lv.lv.cox.net] has quit [Quit: ( www.nnscript.de :: NoNameScript 3.81 :: www.XLhost.de )]
--- Log closed Thu Jan 19 19:36:25 2006