KB N°2627: IDENTIFY THE IPs THAT GENERATE THE MOST CONNECTIONS

Published November 20, 2023

One of the causes of proxy slowdown is "spam" generated by one or more IP addresses. Here's a command-line script that sorts IP addresses by number of connections.

Context

One of the causes of proxy slowdowns is "spam" generated by one or more IP addresses.

For example, if software X on a client workstation is unable to authenticate itself on a proxy, it will try endlessly to connect to the Internet, generating a considerable number of requests, sometimes at a frenetic pace. This pollution will have an impact on overall network performance.

Here's a command-line script to sort IP addresses by number of connections.

Steps

Step 1

  1. Enter the chroot (does not apply to boxes): chroot /opt/olfeo5/chroot
  2. Go to the /root directory: cd /root
  3. Create the script count.py:
#!/usr/bin/python

import sys

# Number of requests seen per client IP address
result = {}

for access_line in sys.stdin:
    fields = access_line.split()
    if len(fields) < 3:
        continue  # skip blank or truncated lines
    ip = fields[2]  # third field of a Squid access.log line is the client IP
    try:
        result[ip] += 1
    except KeyError:
        result[ip] = 1

# Sort the (ip, count) pairs by count, busiest first (works on Python 2 and 3)
result = sorted(result.items(), key=lambda a: a[1], reverse=True)

somme = 0
for ip, count in result:
    print("%s\t%s" % (count, ip))
    somme += count
print("Total : %s" % somme)
  4. Save the file and make the script executable: chmod +x count.py

Step 2

  1. Run the script: cat /opt/olfeo5/data/proxy/log/access.log | ./count.py | less
     For the previous day: cat /opt/olfeo5/data/proxy/log/access.log.1 | ./count.py | less

     You can use zcat for older (compressed) log files.

  2. Use the "q" key to exit less and return to the shell.

Step 3

Identify the "spamming" IPs. The script prints one line per address, connection count first:

144041  86.5.43.50
1271    109.1.13.76
1245    214.94.9.221
939     212.18.8.52
804     192.25.216.1
343     8.17.160.2
199     10.27.5.5
156     94.13.49.35
132     8.12.5.7

We can clearly see that IP 86.5.43.50 is far outside the range of the other addresses.

To determine the nature of the traffic from that address, run:

grep 86.5.43.50 /opt/olfeo5/data/proxy/log/access.log | less

Use the "q" key to exit the command.
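The three steps above (counting connections per client IP, spotting the address that is out of line with the others, then looking at what that address actually requests) can be done in one script. The following is an added example, not the page's count.py nor Olfeo code; it works on the same Squid native access.log layout (client IP in the third field) and uses a constructed sample log in which one client keeps failing proxy authentication (TCP_DENIED/407, as in the "software X cannot authenticate" scenario). The "10 times the median" threshold and the function names are assumptions chosen for the example, not values from the page.

```python
import sys
from collections import Counter

# Constructed sample in Squid native access.log format (made up for this example).
# Field layout: timestamp elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = []
for i in range(30):
    # one client retrying endlessly because it cannot authenticate on the proxy
    SAMPLE_LOG.append(
        "1700000%03d.000 12 86.5.43.50 TCP_DENIED/407 3900 GET "
        "http://update.example.com/check - HIER_NONE/- text/html" % i
    )
SAMPLE_LOG += [
    "1700001000.000 120 109.1.13.76 TCP_MISS/200 5120 GET http://www.example.org/ user1 HIER_DIRECT/203.0.113.10 text/html",
    "1700001001.000 80 109.1.13.76 TCP_MISS/200 2048 GET http://www.example.org/a.css user1 HIER_DIRECT/203.0.113.10 text/css",
    "1700001002.000 90 109.1.13.76 TCP_HIT/200 1024 GET http://www.example.org/b.js user1 HIER_NONE/- text/javascript",
    "1700001003.000 70 214.94.9.221 TCP_MISS/200 4096 GET http://example.net/ user2 HIER_DIRECT/203.0.113.10 text/html",
    "1700001004.000 60 214.94.9.221 TCP_MISS/304 0 GET http://example.net/logo.png user2 HIER_DIRECT/203.0.113.10 image/png",
    "1700001005.000 50 212.18.8.52 TCP_MISS/200 4096 GET http://example.com/ user3 HIER_DIRECT/203.0.113.10 text/html",
    "1700001006.000 40 212.18.8.52 TCP_MISS/200 512 GET http://example.com/x user3 HIER_DIRECT/203.0.113.10 text/html",
    "1700001007.000 30 192.25.216.1 TCP_MISS/200 256 GET http://example.com/y user4 HIER_DIRECT/203.0.113.10 text/html",
    "",  # blank trailing line, as found at the end of a file
]


def count_connections(lines):
    """Count access.log lines per client IP (third field), like count.py does."""
    counts = Counter()
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # blank or truncated line
        counts[fields[2]] += 1
    return counts


def ranked(counts):
    """(ip, count) pairs, busiest first; ties broken by IP so output is stable."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def median(values):
    s = sorted(values)
    if not s:
        return 0
    mid = len(s) // 2
    return s[mid] if len(s) % 2 else (s[mid - 1] + s[mid]) / 2.0


def flag_outliers(counts, factor=10):
    """IPs whose count exceeds `factor` times the median count of all clients.
    The factor is an assumed heuristic for this example, not a value from the page."""
    if len(counts) < 3:
        return []  # too few clients for a median to mean anything
    threshold = factor * median(counts.values())
    return [ip for ip, n in ranked(counts) if n > threshold]


def nature_of_traffic(lines, ip, top=3):
    """Most frequent (result code, URL) pairs for one client: the programmatic
    counterpart of the page's `grep <ip> access.log | less` step."""
    pairs = Counter()
    for line in lines:
        fields = line.split()
        if len(fields) >= 7 and fields[2] == ip:
            pairs[(fields[3], fields[6])] += 1
    return pairs.most_common(top)


def report(lines):
    counts = count_connections(lines)
    for ip, n in ranked(counts):
        print("%s\t%s" % (n, ip))
    print("Total : %s" % sum(counts.values()))
    for ip in flag_outliers(counts):
        print("suspect: %s" % ip)
        for (code, url), n in nature_of_traffic(lines, ip):
            print("  %5d  %s  %s" % (n, code, url))
    return counts


if __name__ == "__main__":
    # usage: python report.py /opt/olfeo5/data/proxy/log/access.log  (or no argument for the sample)
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG
    report(lines)
```

On the sample, 86.5.43.50 accounts for 30 of 38 lines while the median client has 2, so it is the only address flagged; the per-IP breakdown then shows that all of its requests end in TCP_DENIED/407, which points at failing proxy authentication rather than a genuine browsing load. A repeated identical URL with a denied status is exactly the pattern worth checking before applying the measures listed under Validation.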

Validation

If the traffic considered "spam" is indeed illegitimate, and the appropriate measures are taken (authentication bypass via a Squid ACL, software configuration or uninstallation, etc.), the number of connections per day should return to normal in the following days.