AppSec Blog

DoS Attack After Action Report - Shell Scripts

I wrote up a quick after action report with details about the little DoS attack that hit us. I figure that it may be handy for others to know about it. For the full report see http://isc.sans.org/presentations/jan4ddos.pdf

I mention in the report that simple shell scripts are helpful to quickly get a look at your logs while under attack. So here, for the appsec streetfighters out there, are some of the shell scripts I keep around to summarize my logs in a case like that:

Most recent top referrers (referrals from the site itself and from dshield.org are filtered out). Defaults to the last 10000 lines, but you can override that via a command line parameter.

#!/bin/bash
# Top referrers in the last $1 lines of the log (default 10000).
# Uses bash: [[ ]] is not available in a plain POSIX /bin/sh.
r="${1:-0}"
if [[ "$r" -lt 1 ]]; then
    r=10000
fi
# Field 4 when splitting on double quotes is the referrer in the combined format.
tail -n "$r" access_log | cut -f4 -d'"' \
    | grep -Ev 'https?://isc[12]?\.sans\.org' \
    | grep -v 'http://www\.dshield\.org/' | sort | uniq -c | sort -n

Top hosts accessing the site:

#!/bin/bash
# Top client hosts in the last $1 lines of the log (default 10000).
r="${1:-0}"
if [[ "$r" -lt 1 ]]; then
    r=10000
fi
# The first space-separated field is the client address.
tail -n "$r" access_log | cut -f1 -d' ' \
    | sort | uniq -c | sort -n

The top URLs accessed on the site (this prints the whole request line, method and protocol version included):

#!/bin/bash
# Top request lines in the last $1 lines of the log (default 10000).
r="${1:-0}"
if [[ "$r" -lt 1 ]]; then
    r=10000
fi
# Field 2 when splitting on double quotes is the request line ("GET / HTTP/1.1").
tail -n "$r" access_log | cut -f2 -d'"' \
    | sort | uniq -c | sort -n

and finally, the top user agents

#!/bin/bash
# Top user agents in the last $1 lines of the log (default 10000).
r="${1:-0}"
if [[ "$r" -lt 1 ]]; then
    r=10000
fi
# Field 6 when splitting on double quotes is the user agent in the combined format.
tail -n "$r" access_log | cut -f6 -d'"' | sort | uniq -c | sort -n

Nothing magic here. Just some simple functional shell scripts that have proven themselves many times before. I am using a slightly customized "combined" log format in Apache. The column numbers may differ for your install, and you will have to replace 'access_log' with the file name for your log. One caveat with splitting on double quotes: Apache escapes a quote sent by the client as \", and cut still splits on it, so a user agent or referrer containing a quote will show up as several fragments. That is a good thing to know when you are staring at a user agent list during an attack, since odd fragments are often exactly the clients you are looking for.
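The four scripts above are really one procedure with a different column each time. As an added example (not code from the original post), here is a single function that covers host, request, referrer and user agent, keeps the "last N lines, default 10000" behavior, and rejoins fields that a plain cut -d'"' would split on an escaped quote. The log lines it runs against are constructed for this example and use documentation address ranges; the file name access_log is an assumption, as in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Summarizes one column of an
# Apache "combined" access log, most frequent value last (like the originals).

LOG="${LOG:-access_log}"   # assumed default file name; override via environment

# Write a few constructed combined-format lines so the example runs offline.
# Line 6 carries an escaped quote in the user agent, which Apache logs as \".
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.7 - - [04/Jan/2009:10:00:01 -0500] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux) Firefox/3.0.5"
203.0.113.7 - - [04/Jan/2009:10:00:02 -0500] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux) Firefox/3.0.5"
203.0.113.7 - - [04/Jan/2009:10:00:03 -0500] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux) Firefox/3.0.5"
198.51.100.20 - - [04/Jan/2009:10:00:04 -0500] "GET /diary.html HTTP/1.1" 200 8211 "http://isc.sans.org/" "Mozilla/4.0 (compatible; MSIE 7.0)"
198.51.100.20 - - [04/Jan/2009:10:00:05 -0500] "GET /diary.html HTTP/1.1" 200 8211 "http://isc.sans.org/" "Mozilla/4.0 (compatible; MSIE 7.0)"
192.0.2.33 - - [04/Jan/2009:10:00:06 -0500] "GET / HTTP/1.1" 200 5123 "http://example.com/" "Mozilla/5.0 (compatible; \"Quoted\" bot)"
EOF
}

# top_field FIELD [N] [LOGFILE]
#   FIELD is host, request, referrer or agent. Looks at the last N lines
#   (default 10000 when N is missing or < 1) and prints "count value" lines
#   sorted ascending, so the busiest entries are at the bottom.
top_field() {
    field="$1"; n="${2:-10000}"; log="${3:-$LOG}"
    [ "$n" -ge 1 ] 2>/dev/null || n=10000
    case "$field" in
        host)
            # Client address is the first space-separated field.
            tail -n "$n" "$log" | cut -d' ' -f1 | sort | uniq -c | sort -n
            return ;;
        request)  col=2 ;;   # "GET / HTTP/1.1"
        referrer) col=4 ;;
        agent)    col=6 ;;
        *) echo "top_field: unknown field '$field'" >&2; return 1 ;;
    esac
    # Split on double quotes like cut does, but glue a piece back onto the
    # previous one when that piece ended in an escaped quote (odd number of
    # trailing backslashes), so \" inside a field does not shift the columns.
    tail -n "$n" "$log" | awk -F'"' -v want="$col" '
        function ends_escaped(s,    t) {
            t = 0
            while (t < length(s) && substr(s, length(s) - t, 1) == "\\") t++
            return t % 2
        }
        {
            split("", f); k = 0
            for (i = 1; i <= NF; i++) {
                if (k > 0 && ends_escaped(f[k])) f[k] = f[k] "\"" $i
                else f[++k] = $i
            }
            if (want in f) print f[want]
        }' | sort | uniq -c | sort -n
}

# Demo: summarize a constructed sample log. Drop the exclusion grep (or
# change the pattern) to match your own site's referrals, as the original
# referrer script does for isc.sans.org.
sample="$(mktemp)"
write_sample_log "$sample"
for f in host request referrer agent; do
    echo "== top $f =="
    top_field "$f" 10000 "$sample" | grep -Ev 'https?://isc[12]?\.sans\.org' | tail -n 3
done
rm -f "$sample"
```

Under attack you would call it as `top_field agent 50000 /var/log/apache2/access_log | tail -n 20` and compare the result with a run over an older slice of the log; the interesting clients are usually the ones whose share jumped, not simply the ones at the top.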
