This post needs no preamble. The reason for fighting DDoS is not that I was chased and bitten by a mad dog, but that after the VC disaster the traffic has all flooded over to simplecd.
Worse, some idiots are crawling the whole site and others are pulling it down with Thunder (Xunlei); the port has been pegged at full capacity for days on end. Think about what that means: 1000 Mbps at full load for a single day adds up to a frightening number of GB, so before long I will be looking at a bill of several hundred dollars. Tears.
On top of that, at that speed the hard drive soon cannot keep up, which badly drags down the site's response time, so I am just sitting here waiting to die. I figured that when VC went down for a day, the people who piled onto this site would be crippled for a week and a half (those guys, me included, were sweating). simplecd is even harder to keep up.
This human-wave "DDoS" is actually harder to tell apart from legitimate traffic, and harder to fend off, than a real DDoS, but you do what you can. Cribbing from a few articles, I wrote a Python script against it and added it to cron to run every minute.
The principle: count connections per remote address with netstat; if the same IP holds more than a set number of connections, insert an iptables DROP rule for it and record the time in a small SQLite database; on later runs, blocks older than the timeout are removed again. Blocking and unblocking are both automatic. One thing to watch: netstat lists every socket, TIME_WAIT included, and a client that has just been DROPped still shows its old connections until they time out, so the script must not insert a second rule for an address it has already blocked.
The code is as follows:
#!/usr/bin/env python3
# Per-IP connection limiter: count connections per remote address with
# netstat, DROP addresses over the limit with iptables, remember them in
# SQLite and remove the rule again after OUTDATE_TIME seconds. Run from
# cron once a minute, as root.
import re
import sqlite3
import subprocess
import time

CONCURRENCY_ALLOWED = 30   # connections from one address before it is blocked
OUTDATE_TIME = 86400       # how long a block lasts, in seconds (one day)
# /tmp is world-writable and is cleared on reboot on many systems, while the
# iptables rules are lost on reboot regardless, so the two can drift apart;
# on a real host keep this somewhere only root can write.
DB_PATH = "/tmp/ddos.db3"
NEVER_BLOCK = ("127.0.0.1",)
NEVER_BLOCK_PREFIXES = ("192.168.",)

# Initializing database
db = sqlite3.connect(DB_PATH)
c = db.cursor()
c.execute("create table if not exists ddos (ip text unique, date integer)")

# Count connections per remote address. The pipeline output is read through
# a pipe instead of a file in /tmp, which removes a symlink race. Note that
# `cut -d: -f1` only works for IPv4 addresses and that every socket state,
# TIME_WAIT included, is counted.
pipeline = "netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n"
ddos = subprocess.run(pipeline, shell=True, capture_output=True, text=True).stdout
ct = re.compile(r"(\S+)\s+(\S+).*\n").findall(ddos)

# Blocking ips that have more than CONCURRENCY_ALLOWED connections
already_blocked = {row[0] for row in c.execute("select ip from ddos")}
for count, ip in ct:
    if not count.isdigit():          # netstat header lines end up here too
        continue
    if int(count) <= CONCURRENCY_ALLOWED:
        continue
    if ip in NEVER_BLOCK or ip.startswith(NEVER_BLOCK_PREFIXES):
        continue
    # A blocked client's connections stay in netstat until they time out, so
    # without this check the same address gets a new DROP rule every minute
    # and a single -D later removes only one of them.
    if ip in already_blocked:
        continue
    # Argument list, not a shell string: the address is never shell-parsed.
    subprocess.run(["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"])
    print("blocking %s for %s visits" % (ip, count))
    c.execute("replace into ddos values (?, ?)", (ip, int(time.time())))
    time.sleep(0.1)
db.commit()

# Unblocking outdated blockings
now = int(time.time())
for ip, date in c.execute("select ip, date from ddos").fetchall():
    if date + OUTDATE_TIME < now:
        c.execute("delete from ddos where ip = ?", (ip,))
        print("unblocking %s" % ip)
        subprocess.run(["iptables", "-D", "INPUT", "-s", ip, "-j", "DROP"])
        time.sleep(0.1)
db.commit()
So far the effect of this script is nil: more than 500 addresses have been blocked, but the link is still saturated. Terrible.
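The counting step is where the shell pipeline above is weakest: `cut -d: -f1` mangles IPv6 and IPv4-mapped addresses, the netstat header lines are counted like any other row, and sockets in TIME_WAIT are counted even though a client that has already closed them holds nothing open. The following is an added example, not the author's script, that does the same per-IP count in Python over a constructed sample of `netstat -ntu` output and returns the addresses that would be blocked, skipping whitelisted ranges and addresses that already have a rule. The sample output, the whitelist ranges, the set of ignored states and the function names are all my own assumptions; the iptables argv matches the rule the script above inserts.

```python
import ipaddress
from collections import Counter

CONCURRENCY_ALLOWED = 30
# Ranges never blocked; assumed here, the pipeline version hard-codes 127.0.0.1 and 192.168.*
WHITELIST = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128", "192.168.0.0/16")]
# Sockets in these states are being torn down and hold no resources worth
# counting; a client that just closed 500 connections would otherwise still
# look like it had 500 open. (Assumed set; tune to taste.)
IGNORED_STATES = {"TIME_WAIT", "CLOSE_WAIT", "FIN_WAIT1", "FIN_WAIT2", "CLOSING", "LAST_ACK"}

# Constructed sample of `netstat -ntu` output; not captured from a real host.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51000       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51001       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51002       SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.9:40000      TIME_WAIT
tcp        0      0 10.0.0.5:80             198.51.100.9:40001      TIME_WAIT
tcp        0      0 10.0.0.5:80             192.168.1.20:33000      ESTABLISHED
tcp6       0      0 ::ffff:10.0.0.5:80      ::ffff:203.0.113.7:51003 ESTABLISHED
tcp6       0      0 2001:db8::1:80          2001:db8::dead:beef:4000 ESTABLISHED
udp        0      0 10.0.0.5:53             203.0.113.7:5353
"""


def parse_remote(addr):
    """Split 'host:port' as netstat prints it and return the host as an
    ipaddress object. IPv4-mapped IPv6 (::ffff:a.b.c.d) is unwrapped so the
    DROP rule matches the address the client actually sends from."""
    host, _, _port = addr.rpartition(":")
    ip = ipaddress.ip_address(host)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip


def count_connections(netstat_output):
    """Counter {remote ip -> live connections} from `netstat -ntu` text."""
    counts = Counter()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue                                   # header lines
        state = fields[5] if len(fields) > 5 else ""   # UDP rows carry no state
        if state in IGNORED_STATES:
            continue
        try:
            ip = parse_remote(fields[4])
        except ValueError:
            continue                                   # e.g. a '*' wildcard
        counts[str(ip)] += 1
    return counts


def is_whitelisted(ip_str):
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in WHITELIST)


def ips_to_block(counts, limit=CONCURRENCY_ALLOWED, already_blocked=()):
    """Addresses over the limit, highest count first, minus the whitelist and
    minus addresses that already have a DROP rule: re-inserting stacks rules
    that a single later -D does not remove."""
    return [ip for ip, n in counts.most_common()
            if n > limit and not is_whitelisted(ip) and ip not in already_blocked]


def iptables_argv(ip, action="-I"):
    """argv for the block (-I) / unblock (-D) rule. Hand this to
    subprocess.run without shell=True so the address is never shell-parsed."""
    return ["iptables", action, "INPUT", "-s", ip, "-j", "DROP"]


if __name__ == "__main__":
    counts = count_connections(SAMPLE_NETSTAT)
    for ip in ips_to_block(counts, limit=3):
        print("would run:", " ".join(iptables_argv(ip)), "(%d connections)" % counts[ip])
```

On the sample, 203.0.113.7 is counted five times (three TCP sockets, one IPv4-mapped IPv6 socket and one UDP socket), 198.51.100.9 is not counted at all because both of its sockets are in TIME_WAIT, and 192.168.1.20 is over the limit of zero but whitelisted. The script prints the rule it would run instead of executing it, so it can be tried without root.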
Update on the 24th:
With this script running and the desktop version of the site moved to a 10 Mbps unmetered host, the world seems to have gone quiet (too quiet?).