First I would like to say that I'm no expert in this in any way.
I learned most of this from colleagues or the web.
Every server config is different, and the commands in this article may need to be adjusted to your iptables config.
If you don't know what you are doing, you may lock legitimate traffic, or yourself, out of your server.
Use this as a guide, not a tutorial.
A few weeks ago, on one of the servers I manage, we received an alert for abnormal CPU usage.
After a few checks, it was not because of a website error, a coding error or a cron error.
At first, it looked like a small DDoS attack.
Using netstat we found that it was a scraper attack.
A scraper attack, or data mining attack, that was targeting all the pages of our client's web store.
I will list all the commands that we used to find the pattern and block the attack.
First, we need to check who is connected to your site/server.
This command will list all IP addresses that are trying to connect to your server or are already connected:
netstat -ant | awk '{print $5}' | cut -d":" -f1 | sort | uniq -c | sort -nr
If in the result you can see some pattern, like a sequence of IPs ...
You can use this command to check only the established connections to your server:
netstat -ant | grep ESTAB | awk '{print $5}' | cut -d":" -f1 | sort | uniq -c | sort -nr
Using a website like https://whatismyipaddress.com/ip/ you can check the provenance of the IP.
Using iptables you can DROP connections from those IPs.
To list iptables rules:
iptables -L
If you need line numbers in the list, use this command:
iptables -L --line-numbers
To block a specific IP with iptables, use this:
iptables -I INPUT -s xxx.xxx.xxx.xxx -j DROP
To block a /24, /16 or /8 block of IPs, use this.
Replace the xxx.xxx.xxx or the xxx.xxx with the correct numbers:
iptables -I INPUT -s xxx.xxx.xxx.0/24 -j DROP
iptables -I INPUT -s xxx.xxx.0.0/16 -j DROP
iptables -I INPUT -s xxx.0.0.0/8 -j DROP
To remove a rule, first list all the rules with line numbers using the command above:
iptables -L --line-numbers
Then use this command to remove the line that you want to remove, where x is the line number:
iptables -D INPUT x
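As an added example (not from the original post), here are the netstat and iptables steps above combined into a small POSIX shell script: it counts connections per remote IP from a constructed netstat sample, collapses them into /24 blocks so a sequence of neighbouring IPs stands out, and prints, without running, the iptables DROP rules for any block over a threshold. The sample addresses are documentation ranges, not real traffic.

```shell
#!/bin/sh
# Added example, not from the original post: parse netstat-style output,
# count connections per remote IP, aggregate by /24, and print the iptables
# rules that would block the offenders. Nothing is executed against iptables.

# Constructed sample of `netstat -ant` output (documentation addresses, not a real capture).
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             203.0.113.10:51200      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.11:51201      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.12:51202      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.13:51203      TIME_WAIT
tcp        0      0 10.0.0.5:80             198.51.100.7:40000      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:40001      ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.9:55555         ESTABLISHED'

# per_ip_counts: "<count> <ip>" lines, busiest first (same idea as the post's pipeline).
# Listening sockets (foreign address 0.0.0.0:*) are dropped so they do not pollute the count.
per_ip_counts() {
  printf '%s\n' "$SAMPLE" | awk '$1 ~ /^tcp/ {print $5}' | cut -d: -f1 \
    | grep -v '^0\.0\.0\.0$' | sort | uniq -c | sort -nr | awk '{print $1, $2}'
}

# per_net24_counts: collapse to /24 so a scraper rotating through neighbouring
# addresses (203.0.113.10, .11, .12 ...) shows up as one block.
per_net24_counts() {
  per_ip_counts | awk '{ split($2, o, "."); n = o[1] "." o[2] "." o[3] ".0/24"; c[n] += $1 }
                       END { for (k in c) print c[k], k }' | sort -nr
}

# suggest_block THRESHOLD: print an iptables DROP rule for every /24 whose
# connection count reaches THRESHOLD. Printed only; review before running it.
suggest_block() {
  per_net24_counts | awk -v t="$1" '$1 >= t { print "iptables -I INPUT -s " $2 " -j DROP" }'
}

# Usage: show the per-IP table, the per-/24 table, then the suggested rules.
per_ip_counts
per_net24_counts
suggest_block 3
```

Replace the SAMPLE variable with the real `netstat -ant` output on your server, and lower or raise the threshold to match its normal traffic before acting on any printed rule.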