OpenVZ Forum

Script to delete VM IP on DDoS attack? [message #50631] Wed, 25 September 2013 13:37
postcd

On my OpenVZ node, some VM was under a DDoS attack and this attack was overloading the node server; I am unsure what would have happened if I had not been notified about this attack.

So my question is whether we can set up some bash script which will get some value, like high load on a VM or excessive connections to some VPS, some evidence, and then automatically remove the IP from that VPS with the command: vzctl set VMID --ipdel IPADDRESS --save and send mail to the admin?

Any idea how, and what value to extract as a sign of DDoS?

In my case I temporarily set up a script which will delete one VPS IP when load on the node is above 30.00 (8 CPUs) and send me an email:

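#!/bin/bash
# Delete one VPS IP and mail the admin when the node's 1-minute load exceeds THRESHOLD
THRESHOLD=30.00   # load limit for this node (8 CPUs)
LOAD=$(uptime | sed -e "s/^.*[a-z]: //; s/,.*//")
echo "One minute load average = $LOAD"
if [ "$(echo "$LOAD > $THRESHOLD" | bc -l)" -eq 1 ]; then
        vzctl set VMID --ipdel IPADDRESS --save
        # ADMIN_EMAIL is a placeholder, like VMID and IPADDRESS
        echo "Load on $(hostname) is $LOAD" | mail -s "Server load is $LOAD, VMID IP deleted" ADMIN_EMAIL
else
        echo "Load average not too high"
fi
exit 0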

Then a cron job every half minute (crontab -e):
*/1 * * * * /foo/ >/dev/null 2>&1
* * * * * sleep 30; /foo/ >/dev/null 2>&1

[Updated on: Wed, 25 September 2013 14:15]
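
On the question of which value to extract: an added example, not part of the original post, that counts tracked connections per destination IP and maps the busiest one back to its container, so the IP to delete does not have to be hard-coded. It assumes connection tracking is enabled on the node and that the container list comes from vzlist -H -o ctid,ip; CONN_LIMIT, the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: find the container IP with the most tracked connections.
CONN_LIMIT=${CONN_LIMIT:-3}   # illustrative limit; tune to the node's normal traffic

# Read conntrack-format lines on stdin and print "COUNT IP", busiest first.
# Only the first dst= field (the original direction) of each line is counted.
count_by_dst() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^dst=/) { n[substr($i, 5)]++; break } }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# $1 = output of `vzlist -H -o ctid,ip`; conntrack lines on stdin.
# Prints "CTID IP COUNT" for the busiest container IP above CONN_LIMIT, else nothing.
find_target() {
    count_by_dst | while read -r count ip; do
        [ "$count" -gt "$CONN_LIMIT" ] || break
        ctid=$(printf '%s\n' "$1" |
            awk -v ip="$ip" '{ for (i = 2; i <= NF; i++) if ($i == ip) { print $1; exit } }')
        # Skip destinations that are not container IPs (e.g. the node itself)
        if [ -n "$ctid" ]; then echo "$ctid $ip $count"; break; fi
    done
}

# Constructed sample data (documentation address ranges)
sample_conntrack() {
    for n in 1 2 3 4 5; do
        echo "ipv4 2 tcp 6 58 SYN_RECV src=198.51.100.$n dst=192.0.2.10 sport=4000$n dport=80 src=192.0.2.10 dst=198.51.100.$n sport=80 dport=4000$n use=2"
    done
    for n in 1 2; do
        echo "ipv4 2 tcp 6 431999 ESTABLISHED src=203.0.113.$n dst=192.0.2.11 sport=5000$n dport=443 src=192.0.2.11 dst=203.0.113.$n sport=443 dport=5000$n use=2"
    done
    echo "ipv4 2 tcp 6 431999 ESTABLISHED src=203.0.113.9 dst=192.0.2.1 sport=50100 dport=22 src=192.0.2.1 dst=203.0.113.9 sport=22 dport=50100 use=2"
}
sample_vzlist() {
    printf '%s\n' "       101 192.0.2.10" "       102 192.0.2.11 192.0.2.12"
}

# Demo on the constructed data. On a node the call would be:
#   find_target "$(vzlist -H -o ctid,ip)" < /proc/net/nf_conntrack
# and the printed CTID and IP would go into: vzctl set CTID --ipdel IP --save
sample_conntrack | find_target "$(sample_vzlist)"
```

Older OpenVZ kernels expose the table as /proc/net/ip_conntrack instead; the dst= field is parsed the same way.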
