PF Over 390 000 IP addresses from a DDoS attack in a text file

I have collected over 390 000 IP addresses from a DDoS attack in a text file.
It's collected from /var/log/httpd-access.log with awk, like this:

awk '$11 == "404" && index($9, "/url-being-attacked") {print $1}' /var/log/httpd-access.log | sort -n >> /usr/local/etc/pf.ip.ddos.list

Then I'm removing all the duplicates and sorting the IP addresses:

sort pf.ip.ddos.list | uniq > pf.ddos.list

Then the list is loaded to a pf table:

Code:
### DDoS Table
table <ddos> persist file "/usr/local/etc/pf.ddos.list"
block in quick from <ddos> to any

The file is big now, and contains roughly 390 000 IP addresses.
There are roughly 10 000 hits every 5 minutes.
FreeBSD handles it fine, but php-fpm is spiking the CPU cores to 100%.

Many of the IP addresses are coming from the same "infected" net, like this:

Code:
...
103.111.225.0
103.111.225.0
103.111.225.0
103.111.225.0
103.111.225.0
103.111.225.0
103.111.225.0
103.111.225.0
103.111.225.0
…

The question: Is there any script out there that can check the net IP and make CIDRs to a file instead?

Code:
103.111.225.0/32

It would be so much easier to maintain.
Or are there any limitations to pf and the table sizes?

I have made the following changes:

Code:
sysctl net.pf.request_maxcount=1500000
set limit table-entries 1500000

Btw, is sysctl net.pf.request_maxcount=1500000 lost upon reboot?

Thanks,
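An added example of the kind of script asked for above (not code from the thread): it reads the deduplicated list, counts hits per /24, emits the whole /24 once a block has reached a threshold, keeps the remaining hosts as /32s, and collapses adjacent entries with ipaddress.collapse_addresses so the result can be loaded into the pf table directly. The threshold value and the sample addresses are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample input standing in for pf.ddos.list (not data from the thread).
SAMPLE_LIST = """\
103.111.225.7
103.111.225.19
103.111.225.200
103.111.225.201
198.51.100.4
198.51.100.5
203.0.113.77
not-an-ip
"""


def parse_ips(text):
    """Return the set of valid IPv4 addresses in text, skipping malformed lines."""
    ips = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ips.add(ipaddress.IPv4Address(line))
        except ipaddress.AddressValueError:
            continue  # one garbage line must not abort the whole run
    return ips


def aggregate(ips, prefixlen=24, threshold=3):
    """Collapse hosts into /prefixlen blocks once a block has >= threshold hits.

    Blocks below the threshold keep their hosts as /32 so that a single stray
    hit does not block a whole network. collapse_addresses then merges adjacent
    entries (two consecutive /32s become one /31, and so on).
    """
    block_of = lambda ip: ipaddress.ip_network((ip, prefixlen), strict=False)
    per_block = Counter(block_of(ip) for ip in ips)
    nets = set()
    for ip in ips:
        block = block_of(ip)
        nets.add(block if per_block[block] >= threshold else ipaddress.ip_network((ip, 32)))
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    # Real use: python3 aggregate.py < /usr/local/etc/pf.ddos.list > pf.ddos.cidr
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LIST
    print("\n".join(aggregate(parse_ips(text))))
```

Then `pfctl -t ddos -T replace -f pf.ddos.cidr` reloads the table from the much shorter file.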
 
It's a network address, not a host IP.

Code:
% Information related to '103.111.225.0/24AS137526'

route:          103.111.225.0/24
origin:         AS137526
descr:          Plusnet Inc
                Goribullah R/A, Khulshi 4225
                Chittagong
mnt-by:         MAINT-PLUSNETINC-BD
last-modified:  2019-11-20T11:04:15Z
source:         APNIC
 