How did you get the DDOS summary report you posted?
I have my Voxel firmware based 7800 auto email me its logs every day. I noticed I was getting numerous DOS attacks in succession recently. However, the DOS attacks are listed separately as opposed to the summary you posted.
I've written a shell script that parses /var/log/messages, greps the DDoS attack lines, and groups and counts the individual IPs involved into the file /opt/var/log/totalled.
It goes something like this:
get-logs.sh
<<
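#!/bin/sh
LOGFILE="/var/log/messages"
COMBINED="/opt/var/log/combined"
TOTALLED="/opt/var/log/totalled"

get_logs()
{
    # Pull every IPv4-looking string out of the log (one per line) and
    # append it to the running list. Note: this matches any address in
    # the log, not only those on DoS lines.
    grep -E -o "([0-9]{1,3}\.){3}[0-9]{1,3}" "$LOGFILE" >> "$COMBINED"

    # Group identical addresses and count the occurrences of each.
    sort "$COMBINED" | uniq -c > "$TOTALLED"

    echo "individual ddos attacks"
    wc -l "$COMBINED"
    echo "individual ddos drones"
    wc -l "$TOTALLED"
}

get_logs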
>>
I've also written a shell script to gather information about the IPs involved, like server name, and written a script that invokes the web services of RIPE, ARIN etc. to get the abuse email address of all servers involved.
I'm pondering if it would be a good idea to send a mail to the abuse mail addresses.
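A stricter take on the summary step described in the post above, as an added example that is not the poster's script. It assumes log lines of the form `[DoS Attack: <type>] from source: <ip>, ...` (a format the thread does not show), counts only those lines, and drops malformed or private source addresses before any abuse lookup; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumed (constructed) log line shape:
#   <syslog prefix> [DoS Attack: SYN/ACK Scan] from source: 203.0.113.7, port 443

# Read log text on stdin; print "<count> TAB <ip> TAB <attack type>", busiest first.
summarise_dos() {
    awk '
    # IPv4 check: four octets 0-255, outside RFC 1918, loopback,
    # link-local, 0/8 and 224+ (multicast and reserved) ranges
    function valid_public(ip,   o, n, i) {
        n = split(ip, o, ".")
        if (n != 4) return 0
        for (i = 1; i <= 4; i++) {
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
            o[i] += 0
        }
        if (o[1] == 0 || o[1] == 10 || o[1] == 127 || o[1] >= 224) return 0
        if (o[1] == 192 && o[2] == 168) return 0
        if (o[1] == 172 && o[2] >= 16 && o[2] <= 31) return 0
        if (o[1] == 169 && o[2] == 254) return 0
        return 1
    }
    # Only lines that carry both markers are counted
    /DoS Attack:/ && /from source:/ {
        kind = $0; sub(/.*DoS Attack: */, "", kind); sub(/\].*/, "", kind)
        ip = $0;   sub(/.*from source: */, "", ip);  sub(/[^0-9.].*/, "", ip)
        if (valid_public(ip)) count[ip "\t" kind]++
    }
    END { for (k in count) printf "%d\t%s\n", count[k], k }
    ' | sort -t "$(printf '\t')" -k1,1nr -k2,2
}

# Constructed sample input; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
sample_log() {
    cat <<'EOF'
Jan  1 03:00:01 router [DoS Attack: SYN/ACK Scan] from source: 203.0.113.7, port 443
Jan  1 03:00:02 router [DoS Attack: SYN/ACK Scan] from source: 203.0.113.7, port 443
Jan  1 03:00:03 router [DoS Attack: ACK Scan] from source: 198.51.100.23, port 80
Jan  1 03:00:04 router [DoS Attack: SYN/ACK Scan] from source: 203.0.113.7, port 443
Jan  1 03:00:05 router [DoS Attack: RST Scan] from source: 192.168.1.20, port 5000
Jan  1 03:00:06 router [DoS Attack: ACK Scan] from source: 198.51.100.23, port 80
Jan  1 03:00:07 router dnsmasq: query from 203.0.113.7
Jan  1 03:00:08 router [DoS Attack: ACK Scan] from source: 999.1.1.1, port 80
EOF
}

sample_log | summarise_dos
```

Because it reads the log directly instead of appending to a combined file, running it twice over the same log does not inflate the counts.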