Coincidentally, last night, at about 17:00 we suffered an intensive DDoS via CGI. The unique client count is now over 3,000. Fortunately I was running a tail at the time and noticed it pretty quickly which allowed me to restore order relatively quickly. I brought up another instance of swatch on for the access_log which has been watching for the DoS pattern. On hits, it passes the IP of the attacker to a script that adds firewall rules. The initialization looks like: /usr/bin/swatch --use-cpan-file-tail --config-file=/etc/swatch2.conf \ --daemon --awk-field-syntax --tail-file=/var/log/httpd/access_log The conf file looks like: watchfor /RegEx Pattern of Exploit/i exec "/usr/local/bin/ipt-ddos $1" -- Do NOT Send Email to <spam trap> Fedora@TQMcube,com Our DNSRBL - Eliminate Spam at The Source: http://www.TQMcube.com Don't Subsidize Criminals: http://boulderpledge.org -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list