http://enterpriselinuxlog.blogs.techtarget.com/category/scripts/
We received another user-submitted Linux script for our “Share scripts… win Starbucks” series. This one comes from David Witham, who writes:
I administer a consumer VoIP switch for a VSP. The switch acts as a SIP registrar and proxy. Many thousands of devices register and re-register with the registrar every few minutes so there’s a pretty constant stream of traffic hitting it. Some SIP devices have flakey firmware and misbehave in such a way that they flood the registrar with registration requests to the point that performance is compromised, so I needed a way to protect the registrar from those devices.
I wrote a script that takes a sample of network traffic using Ethereal, checks for IP addresses transmitting excessive packets and blocks them by adding them to a list of addresses to drop in the INPUT chain of iptables.
David suggests running the script every 15 minutes to allow new IP addresses to be added to the list, then flushing the addresses and re-adding them so IP addresses that have stopped flooding can re-register.
Give it a try. This script was optimized for RHEL4 but should run on other Linux and Unix systems that have Ethereal or iptables. Feel free to modify it any way you like, or maybe you have one of your own to share? Share a script with us and, if we use it, we’ll treat you to Starbucks.
Keep the scripts coming!
#!/bin/bash
#
# Run from cron on a frequent basis, including on the hour, to block IP addresses flooding with SIP requests
# Use -f to force a flush of the INPUT chain
#
# First 3 octets of destination IP address of the flooding packets
BASE=xxx.xxx.xxx
# Whole destination IP address of the flooding packets
HOSTIP=xxx.xxx.xxx.xxx
# Interface on which the flooding is occurring
INTERFACE=eth3
# Flush iptables INPUT filter chain each hour in case some IPs have stopped flooding and are genuinely trying to use the service
if [ $(date +%M) = “00″ -o “$1″ = “-f” ]; then
/sbin/iptables -F INPUT
# Wait 5 seconds for IPs to start flooding again (most flooding IPs send REGISTER every 4 seconds if not getting a response)
sleep 5
# Add IP address to drop to iptables INPUT filter chain. Repeat a couple of times to catch all IPs
/usr/sbin/tethereal -i $INTERFACE-a duration:10 2>/dev/null | awk ‘{print $2;print $4}’ | grep -v $BASE | sort | uniq -c | sort -rn | awk ‘$1 > 30 {print $2}’ | while read ip; do /sbin/iptables -A INPUT -s $ip -d $HOSTIP -j DROP ; done
sleep 5
/usr/sbin/tethereal -i $INTERFACE-a duration:10 2>/dev/null | awk ‘{print $2;print $4}’ | grep -v $BASE | sort | uniq -c | sort -rn | awk ‘$1 > 30 {print $2}’ | while read ip; do /sbin/iptables -A INPUT -s $ip -d $HOSTIP -j DROP ; done
sleep 5
/usr/sbin/tethereal -i $INTERFACE-a duration:10 2>/dev/null | awk ‘{print $2;print $4}’ | grep -v $BASE | sort | uniq -c | sort -rn | awk ‘$1 > 30 {print $2}’ | while read ip; do /sbin/iptables -A INPUT -s $ip -d $HOSTIP -j DROP ; done
else
# Add more IP addresses to drop to iptables INPUT filter chain
/usr/sbin/tethereal -i $INTERFACE-a duration:10 2>/dev/null | awk ‘{print $2;print $4}’ | grep -v $BASE | sort | uniq -c | sort -rn | awk ‘$1 > 30 {print $2}’ | while read ip; do /sbin/iptables -A INPUT -s $ip -d $HOSTIP -j DROP ; done
fi
===========================================