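#!/bin/sh
#
# SYN-flood auto-blocker for a single local web server ("target version").
#
# Each window: capture on $D, keep the SYN segments addressed to $A:$P, count
# them per source address and insert an iptables DROP rule for every source
# that sent at least $T of them inside the window.
#
# Parsing note (why the greedy ".*IP "): tcpdump prints tunnelled traffic with
# two "IP ... > ..." headers on one line, and the first one is always the
# source of the -tunnel-.  Stripping up to the *last* "IP " keeps the inner,
# real source address instead.
#
# A "router version" of this script would run 'ip route add blackhole $src'
# instead of the iptables rule.
#
# Requires: root, tcpdump, iptables.  Rules are never removed automatically;
# inspect them with 'iptables -L INPUT -n'.

set -u

A="xx.yy.zz.aa"   # target webserver address
P="80"            # target webserver port
D="eth0"          # device on which the target address is bound
T="100"           # SYN segments per window at which a source gets blocked
WINDOW="140"      # capture length in seconds

for tool in tcpdump iptables; do
  command -v "$tool" >/dev/null 2>&1 || {
    printf 'required tool not found: %s\n' "$tool" >&2
    exit 1
  }
done
[ "$(id -u)" -eq 0 ] || { printf 'must run as root\n' >&2; exit 1; }

# Unpredictable temp files instead of crap.txt/crap2.txt in the cwd,
# removed on every exit path (normal, INT, TERM).
raw=$(mktemp) || exit 1
hits=$(mktemp) || exit 1
cap=""
cleanup() {
  [ -n "$cap" ] && kill "$cap" 2>/dev/null
  rm -f -- "$raw" "$hits"
}
trap cleanup EXIT
trap 'exit 1' INT TERM

while true; do
  # Capture one window into a file.  Ending it by PID (not 'killall tcpdump')
  # leaves unrelated captures on the host alone; -l line-buffers stdout so the
  # file is complete when the process is terminated.
  : > "$raw"
  tcpdump -nli "$D" > "$raw" &
  cap=$!
  sleep "$WINDOW"
  if kill -0 "$cap" 2>/dev/null; then
    kill "$cap"
  else
    printf 'tcpdump on %s exited before the window ended; giving up\n' "$D" >&2
    exit 1
  fi
  wait "$cap" 2>/dev/null
  cap=""

  # Typical line:  ... IP 198.51.100.7.40123 > A.P: Flags [S], ...
  #   grep S           keep lines carrying the SYN flag (loose, as the author had it)
  #   grep -F " > A.P:" fixed-string match on the destination, incl. the trailing
  #                    ':' so port 80 does not also match 8080
  #   sed              strip everything up to the last "IP ", then the rest
  #                    after the source "addr.port" token
  #   grep -vF A       drop segments our own address sent (its SYN-ACKs)
  #   cut              addr.port -> addr
  #   awk              keep sources with >= T hits, print the address only
  grep S "$raw" \
    | grep -F -- " > $A.$P:" \
    | sed -e 's/^.*IP[[:space:]]//' -e 's/[[:space:]].*//' \
    | grep -vF -- "$A" \
    | cut -d. -f1-4 \
    | sort | uniq -c \
    | awk -v t="$T" '$1 >= t { print $2 }' \
    | sort -u > "$hits"

  while IFS= read -r src; do
    [ -n "$src" ] || continue
    printf '%s\n' "$src"
    # -C first: a source that stays above the threshold for several windows
    # would otherwise get a fresh duplicate rule every window.
    iptables -C INPUT -s "$src" -d "$A" -j DROP 2>/dev/null \
      || iptables -I INPUT -s "$src" -d "$A" -j DROP
  done < "$hits"
done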

