Denial of service mitigation techniques? What do you do?
John Hascall
john at iastate.edu
Fri Apr 8 15:28:41 UTC 2011
> I'm thinking maybe a script that watches the dhcp log and picks out MAC
> addresses that are pummeling.
This is our approach. This script drops the "dhcpigs", as we call them,
into a DB table that our config file builder uses and thus those hosts
get an "ignore booting" in the config file. Here's the guts of the deal
(takes a chunk of syslog as input, say rotate files every hour and then
process the last hour's worth):
# THRESHOLD (messages per window that make a host a pig), DHCPIGS (output
# file) and FORGETDAYS (how long bacon remembers the entry) are set earlier
# in the script. Reads one rotation's worth of syslog on stdin and emits
# "count MAC TYPE" lines for every (MAC, message type) at or above THRESHOLD.
# The sed cuts each line down to "TYPE from MAC": it drops everything up to
# the message type, every "(server-id)" / "(hostname)" parenthetical (one at
# a time, so a REQUEST carrying both never loses its "from MAC"), the
# trailing "via <iface>", and the "of <ip>" / "for <ip>" part.
grep -E "dhcpd: DHCP(DISCOVER|REQUEST|RELEASE)" | \
sed 's/^.*dhcpd: DHCP//;s/ ([^)]*)//g;s/ via .*$//;s/ [of][fo].* [0-9]*\.[0-9]*\.[0-9]*\.[0-9]*//' | \
awk '$0 ~ ":" {print $3,$1}' | \
sort | \
uniq -c | \
(
echo "# `date`"
awk "\$1 >= ${THRESHOLD} {print}"
) > ${DHCPIGS}
# now make DB entries from it
/var/netreg/bin/bacon -t ${FORGETDAYS} < ${DHCPIGS}
If you needed a faster response, you could do something similar to this
in real-time via syslog.conf:
daemon.* |exec /var/netreg/bin/watch-for-piggies
Of course, this sort of thing sounds like just the sort of stuff your
new management would hate :(
anyway, hope this helps,
John
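The same idea as John's pipeline, written out as an added Python example (not his script, and not part of the original post): parse one window of dhcpd syslog lines, count DISCOVER/REQUEST/RELEASE per MAC and message type, flag the "dhcpigs" at or above a threshold, and render the dhcpd.conf host blocks that give them "ignore booting". The log lines, the 100-per-hour threshold, the "dhcpig-<mac>" host names and the `pigs.conf` path are all constructed for the example; `ignore booting;` itself is a real dhcpd.conf directive.

```python
"""Added example: find DHCP "pigs" in one window of dhcpd syslog and emit
dhcpd.conf host blocks that make dhcpd ignore them.

The sample log lines, threshold, host names and output path below are
constructed for the example and are not from the original post.
"""
import re
from collections import Counter

# ISC dhcpd writes, among others:
#   DHCPDISCOVER from <mac> via <iface>
#   DHCPREQUEST for <ip> (<server-id>) from <mac> (<hostname>) via <iface>
#   DHCPRELEASE of <ip> from <mac> via <iface> (found)
# The non-greedy ".*?" stops at the first " from ", so the optional
# "(server-id)" parenthetical cannot swallow the MAC that follows it.
LINE_RE = re.compile(
    r"dhcpd: DHCP(?P<type>DISCOVER|REQUEST|RELEASE)\b.*? from "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)


def count_messages(lines):
    """Counter of (mac, message type) -> messages seen in this window.
    This is the equivalent of the post's sort | uniq -c stage."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            counts[(m.group("mac").lower(), m.group("type"))] += 1
    return counts


def find_pigs(lines, threshold):
    """{mac: {type: count}} for every MAC with at least `threshold`
    messages of any one type (the post's awk '$1 >= THRESHOLD')."""
    pigs = {}
    for (mac, mtype), n in count_messages(lines).items():
        if n >= threshold:
            pigs.setdefault(mac, {})[mtype] = n
    return pigs


def ignore_booting_config(pigs):
    """Render one dhcpd.conf host declaration per pig. 'ignore booting;'
    is the dhcpd.conf directive; the 'dhcpig-<mac>' names are made up."""
    blocks = []
    for mac in sorted(pigs):
        name = "dhcpig-" + mac.replace(":", "")
        summary = ", ".join(f"{t}={n}" for t, n in sorted(pigs[mac].items()))
        blocks.append(
            f"# dhcpig: {summary}\n"
            f"host {name} {{\n"
            f"    hardware ethernet {mac};\n"
            f"    ignore booting;\n"
            f"}}\n"
        )
    return "".join(blocks)


# Constructed sample window: one well-behaved client doing a normal
# DISCOVER/OFFER/REQUEST/ACK and a RELEASE at the end of the hour...
SAMPLE_LOG = [
    "Apr  8 10:00:00 dhcp1 dhcpd: DHCPDISCOVER from aa:bb:cc:dd:ee:ff via eth0",
    "Apr  8 10:00:00 dhcp1 dhcpd: DHCPOFFER on 10.1.2.9 to aa:bb:cc:dd:ee:ff via eth0",
    "Apr  8 10:00:00 dhcp1 dhcpd: DHCPREQUEST for 10.1.2.9 (10.1.2.1) from aa:bb:cc:dd:ee:ff (good-pc) via eth0",
    "Apr  8 10:00:00 dhcp1 dhcpd: DHCPACK on 10.1.2.9 to aa:bb:cc:dd:ee:ff (good-pc) via eth0",
    "Apr  8 10:59:59 dhcp1 dhcpd: DHCPRELEASE of 10.1.2.9 from aa:bb:cc:dd:ee:ff via eth0 (found)",
]
# ...plus a pig that re-DISCOVERs every ten seconds for the whole hour.
SAMPLE_LOG += [
    f"Apr  8 10:{m:02d}:{s:02d} dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth0"
    for m in range(60)
    for s in (0, 10, 20, 30, 40, 50)
]

THRESHOLD = 100  # constructed: 100 messages of one type per hourly window

if __name__ == "__main__":
    # Constructed path; include it from dhcpd.conf and rebuild/reload from cron.
    config = ignore_booting_config(find_pigs(SAMPLE_LOG, THRESHOLD))
    with open("pigs.conf", "w") as fh:
        fh.write(config)
    print(config, end="")
```

Swap `SAMPLE_LOG` for `sys.stdin` and this drops into the same hourly log-rotation slot as the pipeline in the post. Counting per MAC only catches a client that keeps its address; a flood that changes MAC on every DISCOVER looks like many quiet clients to this script and to the pipeline alike.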