One of my networks has a pretty high amount of sustained traffic because we host a lot of domains (as high as 850k connections per second, ~60 Mbit/sec average). Over the years we've seen a lot of DDoS traffic that opens a port and just holds the connection open. We've come up with quite a few custom scripts that run on the firewall (Linux/iptables) and use tcpdump to analyze the traffic and tell us which IPs are causing the most traffic to hit us based on packet size, as well as another script that can tell us which domain is getting hit the most. But is there a way, using tcpdump (or another tool), to show what the idle connections are? I realize that tcpdump is made for inspecting the packets of traffic and new connections, and in this case it's just someone opening a port and keeping it open.

Second question: once I have a list of these IPs and ports, is there a way to drop that connection without affecting all the other valid traffic? I just want to close that one connection.

-matt
http://www.sysadminvalley.com
http://www.beantownhost.com
http://www.linkedin.com/in/mattboston

Joan Crawford <http://www.brainyquote.com/quotes/authors/j/joan_crawford.html> - "I, Joan Crawford, I believe in the dollar. Everything I earn, I spend."
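Both questions above, worked as an added example that is not part of the original post or of any reply on the list. The key point is that an idle connection sends no packets, so tcpdump (a packet tool) cannot show it; the evidence is kernel state. On the host that owns the socket, `ss -ti` prints per-socket TCP_INFO with `lastrcv:`/`lastsnd:` in milliseconds since the last segment; on a forwarding firewall, `conntrack -L` prints each flow's remaining timeout, which counts down from `nf_conntrack_tcp_timeout_established` since the last packet. The script below parses both, then closes one connection either with `ss -K` (endpoint, needs `CONFIG_INET_DIAG_DESTROY`, Linux 4.9+) or by deleting the conntrack entry (firewall). The sample `ss`/`conntrack` output is constructed, not captured from the poster's network, and the addresses, ports and the 432000 s default timeout are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): find TCP connections that have gone
# quiet, then close exactly one of them. An idle connection emits no packets, so
# tcpdump has nothing to show; the evidence lives in kernel state instead:
#   - on the endpoint, `ss -ti` prints TCP_INFO per socket, where lastrcv:/lastsnd:
#     are milliseconds since the last segment in/out (ss omits them when zero);
#   - on a forwarding firewall, `conntrack -L` prints each flow's remaining timeout,
#     which counts down from nf_conntrack_tcp_timeout_established since the last
#     packet, so idle_seconds = established_timeout - remaining.
# Both parsers read the tool's output on stdin and print "PEER LOCAL IDLE", so they
# run offline against the constructed samples below and pipe into the kill step.

# idle_conns THRESHOLD_MS  < `ss -tin` output
idle_conns() {
    awk -v thr="$1" '
        $1 == "ESTAB" { laddr = $4; paddr = $5; next }
        /lastrcv:/ {
            idle = 0
            for (i = 1; i <= NF; i++)
                if ($i ~ /^lastrcv:/) { split($i, a, ":"); idle = a[2] + 0 }
            if (idle >= thr) printf "%s %s %d\n", paddr, laddr, idle
        }'
}

# idle_conns_ct THRESHOLD_S ESTABLISHED_TIMEOUT_S  < `conntrack -L` output
# (the timeout is /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established,
# 432000 by default; passed as an argument so the parser needs no /proc access)
idle_conns_ct() {
    awk -v thr="$1" -v est="$2" '
        $1 == "tcp" && $4 == "ESTABLISHED" {
            idle = est - $3
            if (idle < thr) next
            # the first src=/dst=/sport=/dport= tuple is the original direction,
            # i.e. the client that opened the connection
            split($5, s, "="); split($6, d, "="); split($7, sp, "="); split($8, dp, "=")
            printf "%s:%s %s:%s %d\n", s[2], sp[2], d[2], dp[2], idle
        }'
}

# On the host that owns the socket: have the kernel destroy just that socket.
# Needs CONFIG_INET_DIAG_DESTROY (Linux >= 4.9) and an iproute2 that supports -K;
# no other connection is touched.
kill_conn() {   # kill_conn PEER_IP:PORT LOCAL_IP:PORT
    ss -tK dst "$1" src "$2"
}

# On a forwarding firewall there is no socket to destroy; the most it can do is
# forget the flow. That only sticks if the firewall refuses to pick the flow up
# again mid-stream (nf_conntrack_tcp_loose=0 makes non-SYN packets INVALID) and
# drops INVALID packets. IPv4 only: the split below does not handle [v6]:port.
forget_conn() {   # forget_conn PEER_IP:PORT LOCAL_IP:PORT
    conntrack -D -p tcp -s "${1%:*}" --sport "${1##*:}" -d "${2%:*}" --dport "${2##*:}"
}

# Constructed sample output (not captured from a real system) so the parsers can
# be exercised without root: one 10-minute-idle socket, one busy, one just opened.
SS_SAMPLE=$(cat <<'EOF'
ESTAB 0 0 10.0.0.5:80 203.0.113.9:51234
	 cubic wscale:7,7 rto:204 rtt:12/6 lastsnd:600000 lastrcv:600000 lastack:600000
ESTAB 0 0 10.0.0.5:80 198.51.100.3:40001
	 cubic wscale:7,7 rto:204 rtt:12/6 lastsnd:20 lastrcv:15 lastack:15
ESTAB 0 0 10.0.0.5:443 198.51.100.7:40002
	 cubic wscale:7,7 rto:204 rtt:12/6
EOF
)
CT_SAMPLE=$(cat <<'EOF'
tcp      6 431700 ESTABLISHED src=203.0.113.9 dst=10.0.0.5 sport=51234 dport=80 src=10.0.0.5 dst=203.0.113.9 sport=80 dport=51234 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=198.51.100.3 dst=10.0.0.5 sport=40001 dport=80 src=10.0.0.5 dst=198.51.100.3 sport=80 dport=40001 [ASSURED] mark=0 use=1
tcp      6 119 TIME_WAIT src=198.51.100.8 dst=10.0.0.5 sport=40003 dport=80 src=10.0.0.5 dst=198.51.100.8 sport=80 dport=40003 [ASSURED] mark=0 use=1
EOF
)

echo "idle >= 5 min by ss:";        printf '%s\n' "$SS_SAMPLE" | idle_conns 300000
echo "idle >= 2 min by conntrack:"; printf '%s\n' "$CT_SAMPLE" | idle_conns_ct 120 432000
# Live use on the endpoint (root):
#   ss -tin | idle_conns 300000 | while read peer local idle; do kill_conn "$peer" "$local"; done
# Live use on the firewall (root):
#   conntrack -L 2>/dev/null | idle_conns_ct 300 "$(cat /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established)"
```

Two caveats a practitioner should keep in mind. First, `ss -ti` only sees sockets on the machine it runs on, so on a firewall that merely forwards to the hosting boxes the conntrack parser is the one that applies, and deleting a conntrack entry does not close the server's socket, it only lets the firewall stop forwarding that flow. Second, a blanket `iptables -I INPUT -s PEER -j DROP` would hit every connection from that address; both `ss -K dst PEER:PORT src LOCAL:PORT` and the conntrack delete are keyed on the full 4-tuple, which is what "close that one connection" requires.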