[ATrpms-users] dl.atrpms.net connection problems
Axel Thimm
Axel.Thimm at ATrpms.net
Fri Nov 9 01:16:28 CET 2007
On Fri, Oct 26, 2007 at 11:52:21PM -0700, David Rees wrote:
> On 10/24/07, Axel Thimm <Axel.Thimm at atrpms.net> wrote:
> > netstat -pan | grep -E 'XXXX:80' | grep -v TIME_WAIT | awk '{print $5}' \
> > | sed -e's,:[^:]*$,,' -e's,.*:,,' | sort | uniq -c | sort -n \
> > | grep -v '^ *[0-9] ' \
> > | grep -v '^ *[0-3][0-9] ' \
> > | awk '{print $2 " " $1 " " '`date +%s`'}' \
> > | grep -vf /etc/blockedhosts.plain \
> > >> /etc/blockedhosts
>
> I think if you changed this to only grep for ESTABLISHED connections,

A lot of real DoS attacks are on SYN/SYNACK, but yes, it would
probably block the download accelerators which are the real problem.

> or also grep -v FIN_WAIT connections as well as TIME_WAIT, it may work
> a bit better for avoiding false positives.

OK. I'll try that.
--
Axel.Thimm at ATrpms.net
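
The two filters discussed in this thread, compared side by side as an added example that is not part of the original messages: it counts connections per remote IP in constructed `netstat -pan`-style output, once excluding only TIME_WAIT and once counting only ESTABLISHED. The function names, the sample addresses (documentation ranges) and the threshold of 3 are assumptions for illustration.

```shell
#!/bin/sh
# Added example: constructed data, hypothetical function names.

# Constructed `netstat -pan`-style sample lines.
sample_netstat() {
    cat <<'EOF'
tcp 0 0 192.0.2.10:80 198.51.100.7:40001 ESTABLISHED 2101/httpd
tcp 0 0 192.0.2.10:80 198.51.100.7:40002 ESTABLISHED 2102/httpd
tcp 0 0 192.0.2.10:80 198.51.100.7:40003 ESTABLISHED 2103/httpd
tcp 0 0 192.0.2.10:80 198.51.100.7:40004 TIME_WAIT -
tcp 0 0 192.0.2.10:80 203.0.113.9:51001 ESTABLISHED 2104/httpd
tcp 0 0 192.0.2.10:80 203.0.113.9:51002 FIN_WAIT2 -
tcp 0 0 192.0.2.10:80 203.0.113.9:51003 FIN_WAIT2 -
tcp 0 0 192.0.2.10:80 203.0.113.9:51004 TIME_WAIT -
tcp 0 0 192.0.2.10:80 192.0.2.55:60001 SYN_RECV -
tcp 0 0 192.0.2.10:80 192.0.2.55:60002 SYN_RECV -
tcp 0 0 192.0.2.10:80 192.0.2.55:60003 SYN_RECV -
tcp 0 0 192.0.2.10:22 198.51.100.7:40009 ESTABLISHED 900/sshd
EOF
}

# count_conns MODE PORT MIN: print "ip count" for remote hosts with at least
# MIN connections to local PORT. MODE "established" counts only ESTABLISHED;
# MODE "not_time_wait" counts every state except TIME_WAIT (the quoted filter).
count_conns() {
    awk -v mode="$1" -v port="$2" -v min="$3" '
        $1 !~ /^tcp/ || $4 !~ (":" port "$") { next }
        mode == "established" && $6 != "ESTABLISHED" { next }
        mode == "not_time_wait" && $6 == "TIME_WAIT" { next }
        {
            ip = $5
            sub(/:[^:]*$/, "", ip)   # strip the remote port
            sub(/.*:/, "", ip)       # strip an IPv4-mapped prefix (::ffff:)
            n[ip]++
        }
        END { for (ip in n) if (n[ip] >= min) print ip, n[ip] }
    ' | sort
}

echo "all but TIME_WAIT:"; sample_netstat | count_conns not_time_wait 80 3
echo "ESTABLISHED only:";  sample_netstat | count_conns established 80 3
```

With this sample, the host whose count is mostly FIN_WAIT2 is no longer listed under the ESTABLISHED-only filter, and neither is the host that holds only SYN_RECV connections.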