Sunday, 2 June 2013

Linux - DDoS Deflate To Block DDoS Attack

(D)DoS Deflate is a shell script developed by Zaf, originally for use on MediaLayer servers to assist in combating denial of service attacks. It has since proved very effective for this purpose: it is a lightweight bash shell script designed to assist in the process of blocking a denial of service attack. It uses the command below to create a list of IP addresses connected to the server, along with their total number of connections. It is one of the simplest and easiest-to-install solutions at the software level.

# netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

IP addresses with more than a pre-configured number of connections are automatically blocked in the server's firewall, which can be iptables directly or Advanced Policy Firewall (APF). (We highly recommend that you use APF on your server in general, but Deflate will work without it.)

Notable Features:

It is possible to white-list IP addresses, via /usr/local/ddos/ignore.ip.list.

Simple configuration file: /usr/local/ddos/ddos.conf

IP addresses are automatically unblocked after a preconfigured time limit (default: 600 seconds)

The script can run at a chosen frequency via the configuration file (default: 1 minute)

You can receive email alerts when IP addresses are blocked.

Installation:

# wget http://www.inetbase.com/scripts/ddos/install.sh
# chmod 0700 install.sh
# ./install.sh


Uninstallation:

# wget http://www.inetbase.com/scripts/ddos/uninstall.ddos
# chmod 0700 uninstall.ddos
# ./uninstall.ddos


If you start receiving mails like "Banned the following ip addresses on xxx xxx time xxx with xxx connections", the fix is to replace the netstat command in the ddos.sh file (located in the /usr/local/ddos directory if you installed in the default fashion).

In the original script line 117 reads…

Code:

# netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr > $BAD_IP_LIST

this should be rewritten to read as follows…

Code:

# netstat -ntu | grep ':' | awk '{print $5}' | sed 's/::ffff://' | cut -f1 -d ':' | sort | uniq -c | sort -nr > $BAD_IP_LIST
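As an added example (not part of the original post or of the DDoS Deflate script), the original and corrected pipelines side by side on a constructed netstat sample, followed by the threshold and ignore-list checks the script applies to the resulting list; the function names, the threshold value and the sample addresses are assumptions made for the demonstration:

```shell
#!/bin/sh
# Constructed sample of `netstat -ntu` output (made-up addresses), including
# two connections from an IPv4-mapped IPv6 client (::ffff:...).
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             198.51.100.7:51234      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51235      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51236      ESTABLISHED
tcp6       0      0 ::ffff:10.0.0.5:443     ::ffff:203.0.113.9:4040 ESTABLISHED
tcp6       0      0 ::ffff:10.0.0.5:443     ::ffff:203.0.113.9:4041 ESTABLISHED
udp        0      0 10.0.0.5:53             192.0.2.44:9999         ESTABLISHED'

# Original pipeline (script line 117), reading stdin instead of running netstat.
# For ::ffff: addresses cut -d: -f1 yields an empty field, so those connections
# are counted under a blank "IP" and never reach the firewall.
count_original() {
    awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
}

# Corrected pipeline from the post: keep only lines containing ':' (drops the
# headers), strip the ::ffff: prefix, then take the address before the port.
count_fixed() {
    grep ':' | awk '{print $5}' | sed 's/::ffff://' \
        | cut -f1 -d ':' | sort | uniq -c | sort -nr
}

# Connections the original pipeline attributes to an empty address field.
original_lost_connections() {
    printf '%s\n' "$SAMPLE_NETSTAT" | count_original \
        | awk 'NF == 1 { c += $1 } END { print c + 0 }'
}

# Connection count for one IP under the fixed pipeline (0 if not present).
count_for_ip() {
    n=$(printf '%s\n' "$SAMPLE_NETSTAT" | count_fixed \
        | awk -v ip="$1" '$2 == ip { print $1 }')
    echo "${n:-0}"
}

# IPs at or above the threshold ($1), skipping those in the space-separated
# ignore list ($2): the addresses the script would hand to iptables/APF.
offenders() {
    printf '%s\n' "$SAMPLE_NETSTAT" | count_fixed \
        | awk -v t="$1" -v ign=" $2 " \
              '$1 >= t && index(ign, " " $2 " ") == 0 { print $2 }'
}

printf '%s\n' "$SAMPLE_NETSTAT" | count_fixed
offenders 2 "192.0.2.44"
```

Run it with no arguments to see the per-IP table and the two addresses that would be blocked at threshold 2 with 192.0.2.44 whitelisted.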

How To Check The Number Of Connected IPs:-

# sh /usr/local/ddos/ddos.sh

How To Edit Configuration File:-

# vi /usr/local/ddos/ddos.conf

How To Restart DDos Deflate:-

# sh /usr/local/ddos/ddos.sh -c

Cheers!!!
