Linux - DDoS Deflate To Block DDoS Attack
(D)DoS Deflate is a lightweight bash shell script developed by Zaf,
originally for use on MediaLayer servers, to assist in blocking denial
of service attacks. We have found it very effective for our purpose, and
it is one of the simplest and easiest to install solutions at the
software level. It uses the command below to create a list of IP
addresses connected to the server, along with their total number of
connections.
# netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
IP addresses with over a pre-configured number of connections are automatically blocked in the server's firewall, which can be direct iptables or Advanced Policy Firewall (APF). (We highly recommend that you use APF on your server in general, but deflate will work without it.)
Notable Features:
It is possible to white-list IP addresses, via /usr/local/ddos/ignore.ip.list.
Simple configuration file: /usr/local/ddos/ddos.conf
IP addresses are automatically unblocked after a preconfigured time limit (default: 600 seconds)
The script can run at a chosen frequency via the configuration file (default: 1 minute)
You can receive email alerts when IP addresses are blocked.
Installation:
# wget http://www.inetbase.com/scripts/ddos/install.sh
# chmod 0700 install.sh
# ./install.sh
Uninstallation:
# wget http://www.inetbase.com/scripts/ddos/uninstall.ddos
# chmod 0700 uninstall.ddos
# ./uninstall.ddos
If you start receiving mails like "Banned the following ip addresses on xxx xxx time xxx with xxx connections", there is a fix.
It requires that you replace the netstat command in the ddos.sh file (located in the /usr/local/ddos directory if you installed in the default fashion).
In the original script, line 117 reads:
Code:
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr > $BAD_IP_LIST
This should be rewritten to read as follows:
Code:
netstat -ntu | grep ':' | awk '{print $5}' | sed 's/::ffff://' | cut -f1 -d ':' | sort | uniq -c | sort -nr > $BAD_IP_LIST
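What the replacement changes, shown as an added example (not part of the original post or of ddos.sh): on constructed netstat output, the original pipeline counts header words and turns IPv4-mapped addresses such as ::ffff:198.51.100.7 into blank entries, while the fixed pipeline counts them under the real IPv4 address. The sample addresses and the offenders helper, with its limit and ignore-file arguments, are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of ddos.sh. All input below is constructed.

# Constructed `netstat -ntu` output; addresses are documentation ranges.
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51514      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51515      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.9:40022       TIME_WAIT
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:198.51.100.7:51600 ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.50:40100 ESTABLISHED
udp        0      0 192.0.2.10:53           203.0.113.9:5353        ESTABLISHED
EOF
}

# Original line 117 pipeline (minus the redirect): header words are counted and
# "::ffff:a.b.c.d:port" is cut at its first ':' into an empty address.
count_original() {
    awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
}

# Fixed pipeline: keep only lines containing ':', strip the IPv4-mapped prefix,
# then cut the port off.
count_fixed() {
    grep ':' | awk '{print $5}' | sed 's/::ffff://' | cut -f1 -d ':' |
        sort | uniq -c | sort -nr
}

# Hypothetical helper: read "count ip" lines, print IPs above LIMIT ($1) that
# are not listed (one per line) in IGNORE_FILE ($2).
offenders() {
    awk -v limit="$1" '$1 > limit && NF == 2 {print $2}' |
        { grep -vxF -f "$2" || true; }
}

echo "original pipeline:"; sample_netstat | count_original
echo "fixed pipeline:";    sample_netstat | count_fixed
```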
How To Check The Number Of Connected IPs:-
# sh /usr/local/ddos/ddos.sh
How To Edit Configuration File:-
# vi /usr/local/ddos/ddos.conf
How To Restart DDoS Deflate:-
# sh /usr/local/ddos/ddos.sh -c
Cheers!!!