Here is a simple script that shows which IP addresses are connecting to your server, and how many connections each one has open.
<?php
## Functions ##

// Extract the first dotted-quad IPv4 address from a netstat line.
// ereg() was removed in PHP 7, so preg_match() is used instead.
function getIP($line) {
    if (preg_match('/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/', $line, $regMatch)) {
        return $regMatch[0];
    }
    return "false";
}

// Pad a string to a fixed width inside brackets so the columns line up.
function processString($string, $size = 18) {
    $string = "[ " . $string;
    $length = strlen($string);
    $toAdd = $size - $length;
    for ($x = 0; $x < $toAdd; $x++) {
        $string = $string . " ";
    }
    $string = $string . "]";
    return $string;
}

## Code ##
while (true) {
    // Column 5 of netstat -n is the foreign address (IP:port).
    $cmd = "netstat -n | awk '{ print $5 }'";
    $netstatArray = array(); // reset each round: exec() appends to an existing array
    exec($cmd, $netstatArray);
    $ipArray = array();
    foreach ($netstatArray as $line) {
        $ip = getIP($line);
        // skip lines with no IP in them and the loopback address
        if ($ip != "false" && $ip != "127.0.0.1") {
            if (array_key_exists($ip, $ipArray)) {
                $ipArray[$ip] += 1;
            } else { // first time this IP is seen, count = 1
                $ipArray[$ip] = 1;
            }
        }
    }
    asort($ipArray); // ascending, so the busiest IPs end up at the bottom
    system("clear");
    foreach ($ipArray as $ip => $count) {
        if ($count < 15) continue;
        echo processString($ip);
        echo "\t" . processString(gethostbyaddr($ip), 55);
        echo "\tTimes Accessed: " . $count . "\n";
    }
    echo str_repeat("-", 50) . "\n";
    $top_str = array();
    exec("top -bn 1", $top_str); // -b: batch mode, needed when stdout is not a terminal
    preg_match("#load average:(.+)#i", $top_str[0], $match);
    echo "Load Average: " . $match[1] . "\n";
    echo str_repeat("-", 50) . "\n";
    echo 'Showing $count >= 15: (Escape with ctrl+c)' . "\n";
    sleep(10);
}
?>
After identifying the IP addresses that are sending many requests at once to crash your server, you can ban them with firewall software. I personally recommend APF: http://rfxnetworks.com/apf.php
You can do:
apf -d THEIPADDRESS SOMECOMMENTLIKEPOSSIBLEDOS
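The same counting step, written as a shell pipeline rather than PHP, is shown below as an added example (it is not the script from this post). It reads `netstat -n` output, strips the port and the `::ffff:` prefix that IPv4-mapped IPv6 sockets carry, drops loopback, counts connections per remote IP, applies a threshold, and prints the matching `apf -d` commands instead of running them so you can review the list first. The netstat lines and the addresses in them are constructed sample data, and the threshold is lowered to 3 so the sample produces a hit; on a live box you would replace the sample with `netstat -n` and use a threshold like the 15 in the script.

```shell
#!/bin/sh
# Added example: count connections per remote IP from netstat -n output,
# list the addresses over a threshold, and print (not run) apf -d commands.

# Constructed sample of `netstat -n` output (not captured from a real host).
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.2:40000      ESTABLISHED
tcp        0      0 10.0.0.5:22             127.0.0.1:33000         ESTABLISHED
tcp6       0      0 ::ffff:10.0.0.5:80      ::ffff:203.0.113.7:5555 ESTABLISHED
tcp6       0      0 2001:db8::1:80          2001:db8::9:4000        ESTABLISHED'

# count_by_ip: read netstat -n lines on stdin, print "count ip" per remote IP,
# busiest first. Header lines are skipped by matching the protocol column.
count_by_ip() {
    awk '
        $1 ~ /^(tcp|tcp6|udp|udp6)$/ {
            addr = $5
            sub(/^::ffff:/, "", addr)   # ::ffff:203.0.113.7:5555 -> 203.0.113.7:5555
            sub(/:[0-9]+$/, "", addr)   # strip the port (last colon-separated field)
            if (addr == "127.0.0.1" || addr == "::1") next
            count[addr]++
        }
        END { for (a in count) print count[a], a }
    ' | sort -rn
}

# over_threshold N: keep only "count ip" lines with at least N connections
over_threshold() {
    awk -v min="$1" '$1 >= min { print $1, $2 }'
}

# ban_commands COMMENT: turn "count ip" lines into apf -d commands for review
ban_commands() {
    awk -v note="$1" '{ print "apf -d " $2 " " note }'
}

# Demo run on the constructed sample. Live usage would be:
#   netstat -n | count_by_ip | over_threshold 15 | ban_commands POSSIBLEDOS
printf '%s\n' "$SAMPLE_NETSTAT" | count_by_ip | over_threshold 3 | ban_commands POSSIBLEDOS
```

Piping the generated commands into `sh` is left as a deliberate manual step: a threshold-based list can include a busy NAT gateway or a monitoring host, so look at the hostnames before banning.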
This script was originally written by a former employee of Acenet Inc and was modified by me. Acenet Inc is a great web hosting company with great support and fantastic staff members who will help you 24×7.
Here is some info about Denial of Service attacks (DoS attacks).
http://en.wikipedia.org/wiki/Denial-of-service_attack
I hope this helps someone.
I'm the co-founder of
I don’t get it; if you’re under attack you do not want to use expensive scripts (system() & gethostbyaddr() are terribly slow). Why not stop them ‘at the gate’ (i.e. Apache)? You’d be better off using mod-evasive ( http://bit.ly/DwdCM )
Comment
First of all, I don’t really know what you mean by expensive, a system() or gethostbyaddr() are not resource intensive at all, not even close to 1,000s of requests being handled by Apache in the event of a DoS attack.
When my servers are going down because of a DoS attack, these tiny system() and gethostbyaddr() calls are the last thing I’m worried about.
This script will show you the IP addresses and you can deny them by adding them to your firewall, and in action we found it very useful; it helped us recover from the attacks without needing to restart anything.
It is also used by this huge hosting company to do the exact same thing.
Mod_evasive sounds great but we couldn’t install it at the time of the DoS attack.
Comment
Very nice script.
Ivo, instead of stopping them on the Apache level, why not on the server level before Apache even has to interact with the request? This script does just that if you’re using APF or another firewall.
Comment
Yes, you could find the IPs like this and ban them using APF, that is more efficient but that is assuming there is APF or you can install it…
Comment