add files

ddos/check_apache_status.sh

+#!/bin/sh
+
+# uncomment one of
+MAXPERC=30
+#MAXNUM=100
+
+MAXLIST=30
+
+OURIP1="212.176.200.22"
+
+
+>$0.full.list
+links http://azbyka.ru/server-status | grep -A1000 " Client " | (
+read FORMAT
+while read $FORMAT ; do
+    echo $Srv | grep -q -- "------" && break
+    echo "$M $Client $Request"
+    [ -n "$Client" ] || continue
+    echo "$Client" >>$0.full.list
+done
+)
+
+get_already_dropped()
+{
+        /sbin/iptables -L -n | grep DROP | awk '{print $4;}' > ipt.dropped.list
+}
+
+do_drop()
+{
+        IP="$1"
+        #IP="${IP%.*}.0/24"
+        grep -q "$IP" ipt.dropped.list white.list && return 1
+        echo "$IP # $3 ($2 percent), $(date) by $0" >> dropped.list
+        /sbin/iptables -A INPUT -s $IP -j DROP
+}
+
+get_already_dropped
+
+
+NUMP=$(cat $0.full.list | wc -l)
+
+echo "Sort results..."
+cat $0.full.list | uniq -c | sort -r -n | head -n $MAXLIST > $0.attack.list
+
+#while read srv PID Acc M CPU SS Req Conn Child Slot
+
+TOTALATTACKED=0
+TOTALALREADY=0
+while read c ip ; do
+        [ -n "$ip" ] || continue
+        grep -q $ip white.list && { echo Skip; continue; }
+        perc=$((100*$c/$NUMP))
+        echo "$c = $ip ($perc %)"
+        [ -n "$MAXPERC" ] && IFCASE="$perc -ge $MAXPERC" || IFCASE="$c -ge $MAXNUM"
+        if [ $IFCASE ] ; then
+                if do_drop $ip $perc $c ; then
+                    echo "Drop IP $ip with $perc percent traffic"
+                    TOTALATTACKED=$(($TOTALATTACKED+$c))
+                else
+                    echo "IP $ip already dropped"
+                    TOTALALREADY=$(($TOTALALREADY+$c))
+                fi
+        fi
+done < $0.attack.list
+
+echo "Checked packages: $NUMP. Attacker: $TOTALATTACKED ( $((TOTALATTACKED*100/$NUMP)) %) Already percent: $TOTALALREADY ( $((TOTALALREADY*100/$NUMP)) %)" | tee result.out

ddos/check_nginx-error.sh

+#!/bin/sh
+
+cd $(dirname $0)
+
+# uncomment one of
+#MAXPERC=40
+MAXNUM=40
+
+MAXLIST=30
+
+OURIP1="212.176.200.22"
+
+get_already_dropped()
+{
+        /sbin/iptables -L -n | grep DROP | awk '{print $4;}' > ipt.dropped.list
+}
+
+do_drop()
+{
+        IP="$1"
+        #IP="${IP%.*}.0/24"
+        grep -q "$IP" ipt.dropped.list white.list && return 1
+        domain=$(resolve -s $IP 2>/dev/null)
+        #if [ -n "$domain" ] ; then
+        #    echo "$IP # WARNING ONLY $3 ($2 percent) - $domain, $(date) by $0" >> dropped.list
+        #    return
+        #fi
+        echo "$IP # $3 ($2 percent) - $domain, $(date) by $0" >> dropped.list
+        /sbin/iptables -A INPUT -s $IP -j DROP
+}
+
+do_warning()
+{
+        IP="$1"
+        #IP="${IP%.*}.0/24"
+        grep -q "$IP" ipt.dropped.list white.list && return 1
+        domain=$(resolve -s $IP 2>/dev/null)
+        echo "$IP # WARNING ONLY $3 ($2 percent) - $domain, $(date) by $0" >> dropped.list
+}
+
+get_already_dropped
+
+#echo "Tail *access.log..."
+#tail -n 1000 /var/log/nginx/*access.log | awk '{print $1;}' | \
+#    grep -v "127.0.0.1" | grep -v "0.0.0.0" | grep -v "$OURIP1" | sort > full.list
+
+timeout 10 tail -f -n 300 /var/log/nginx/azbyka.ru-error.log | sed -e "s|.*client: \([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\).*|\1|g" | \
+    grep -v "127.0.0.1" | grep -v "0.0.0.0" | grep -v "$OURIP1" | head -n 1000 |  sort > full.list
+
+NUMP=$(cat full.list | wc -l)
+
+echo "Sort results..."
+cat full.list | uniq -c | sort -r -n | head -n $MAXLIST > attack.list
+
+TOTALATTACKED=0
+TOTALALREADY=0
+while read c ip ; do
+        [ -n "$ip" ] || continue
+        grep -q $ip white.list && { echo Skip; continue; }
+        perc=$((100*$c/$NUMP))
+        echo "$c = $ip ($NUMP, $perc)"
+        [ -n "$MAXPERC" ] && IFCASE="$perc -ge $MAXPERC" || IFCASE="$c -ge $MAXNUM"
+        [ -n "$MAXPERC" ] && IFWCASE="$perc -ge $(($MAXPERC/2))" || IFWCASE="$c -ge $(($MAXNUM/2))"
+        if [ $IFCASE ] ; then
+                if do_drop $ip $perc $c ; then
+                    echo "Drop IP $ip with $perc percent traffic"
+                    TOTALATTACKED=$(($TOTALATTACKED+$c))
+                else
+                    echo "IP $ip already dropped"
+                    TOTALALREADY=$(($TOTALALREADY+$c))
+                fi
+        elif [ $IFWCASE ] ; then
+                if do_warning $ip $perc $c ; then
+                    echo "Warning IP $ip with $perc percent traffic"
+                    TOTALATTACKED=$(($TOTALATTACKED+$c))
+                else
+                    echo "Warning IP $ip already dropped"
+                    TOTALALREADY=$(($TOTALALREADY+$c))
+                fi
+        fi
+done < attack.list
+
+echo "Checked packages: $NUMP. Attacker: $TOTALATTACKED ( $((TOTALATTACKED*100/$NUMP)) %) Already percent: $TOTALALREADY ( $((TOTALALREADY*100/$NUMP)) %)" | tee result.out

ddos/check_nginx.sh

@@ -3,12 +3,12 @@
 cd $(dirname $0)
 
 # uncomment one of
-#MAXPERC=20
-MAXNUM=150
+MAXPERC=40
+#MAXNUM=100
 
 MAXLIST=30
 
-OURIP1="87.249.47.44"
+OURIP1="212.176.200.22"
 
 get_already_dropped()
 {
@@ -26,14 +26,16 @@ do_drop()
 
 get_already_dropped
 
-echo "Tail access.log..."
-# FIXME: compare with azbyka.ru root/bin script
-tail -n 1000 /var/log/nginx/access.log | awk '{print $1;}' | \
-    grep -v "127.0.0.1" | grep -v "0.0.0.0" | grep -v "$OURIP1" | sort > full.list
+echo "Tail *access.log..."
+#tail -n 1000 /var/log/nginx/*access.log | awk '{print $1;}' | \
+#    grep -v "127.0.0.1" | grep -v "0.0.0.0" | grep -v "$OURIP1" | sort > full.list
 
-NUMP=$(cat full.list | wc -l)
+timeout 3 tail -f -n 200 /var/log/nginx/*access.log | awk '{print $1;}' | \
+    grep -v "127.0.0.1" | grep -v "0.0.0.0" | grep -v "$OURIP1" | head -n 1000 |  sort > full.list
 
+NUMP=$(cat full.list | wc -l)
 NUMPUNIQ=$(cat full.list | sort -u | wc -l)
+
 echo "Sort results..."
 cat full.list | uniq -c | sort -r -n | head -n $MAXLIST > attack.list
 

ddos/white.list

+# yandex
+93.158.149.31
+# opera
+80.239.242.142
+# mts
+213.87.133.223
+# msn
+157.56.93.209

web/media_stats.py

+#!/usr/bin/env python
+ 
+import sys
+ 
+urls = {}
+ 
+try:
+    while 1:
+        line = raw_input()
+        line_arr = line.split(" ")
+        try:
+            host = line_arr[-1]
+# remove quotes
+            host = host[1:]
+            host = host[:-1]
+            # CHANGE HERE
+            url = line_arr[6]
+            #url = ""
+            #t = float(line_arr[-2])
+            t = float(line_arr[9])/1024.0
+#            print host, url, t
+ 
+            try:
+                urls[host + url] = (urls[host + url][0] + t, urls[host + url][1] + 1)
+            except KeyError, e:
+                urls[host + url] = (t, 1)
+        except ValueError, e:
+            pass
+ 
+ 
+except EOFError, e:
+   pass
+ 
+def sort_by_value(d):
+    """ Returns the keys of dictionary d sorted by their values """
+    items=d.items()
+    backitems=[ [v[1],v[0]] for v in items]
+    backitems.sort(reverse=True)
+    return [backitems[i][1] for i in range(0,len(backitems))]
+ 
+if (len(sys.argv) > 1):
+    f = open(sys.argv[1], 'r')
+    for k in f.readlines():
+        k = k.strip()
+        try:
+             print urls[k][0], urls[k][1], urls[k][0] / urls[k][1], k
+        except:
+             print 0, 0, k
+else:
+    i = 0
+    alltime = 0
+    # FIXME
+    # reduce(lambda v1, v2 : v1[0] + v2[0], a)
+    for k in sort_by_value(urls):
+        alltime = alltime + urls[k][0]
+        i += 1
+        if i > 100: break
+
+    i = 0
+    for k in sort_by_value(urls):
+        print round(urls[k][0]*100/alltime,1), urls[k][0], urls[k][1], round (urls[k][0] * 1000 / urls[k][1], 0),  k
+        i += 1
+        if i > 100: break

web/media_stats.sh

+#!/bin/sh
+
+FILE=/var/log/nginx/azbyka-media.log
+test -z "$1" || FILE="$1"
+
+echo "=== Requests which took most of the time (from $FILE) ===" > media_report.txt
+echo "percent - overall time - number of requests - average time - url" >> media_report.txt
+
+cat $FILE | ./media_stats.py >> media_report.txt
+#grep "\[25/Dec/2010:" "$FILE" | ./url_stats.py >> url_report.txt
+#cat /tmp/report.txt | mail -s "url performance report" root