Denial of service mitigation techniques? What do you do?

John Hascall john at
Fri Apr 8 15:28:41 UTC 2011

> I'm thinking maybe a script that watches the dhcp log and picks out MAC
> addresses that are pummeling.

This is our approach.  This script drops the "dhcpigs", as we call them,
into a DB table that our config file builder uses and thus those hosts
get an "ignore booting" in the config file.   Here's the guts of the deal
(takes a chunk of syslog as input, say rotate files every hour and then
process the last hour's worth):

 sed 's/^.*dhcpd: DHCP//;s/ (.*)//;s/ via .*$//;s/ [of][fo].* [0-9]*\.[0-9]*\.[0-9]*\.[0-9]*//' | \
 awk '$0 ~ ":" {print $3,$1}' | \
 sort | \
 uniq -c | \
        echo "# `date`"
        awk "\$1 >= ${THRESHOLD} {print}"
 ) > ${DHCPIGS}
 # now make DB entries from it
 /var/netreg/bin/bacon -t ${FORGETDAYS} < ${DHCPIGS}

If you needed a faster response, you could do something similar to this
in real-time via syslog.conf:

daemon.*                        |exec /var/netreg/bin/watch-for-piggies

Of course, this sort of thing sounds like just the sort of stuff your
new management would hate :(

anyway, hope this helps,

More information about the dhcp-users mailing list