An anti-DDoS script implemented in Python

Source: Internet
Author: User
This post could almost do without an opening line. The cause is DDoS: not because a mad dog chased and bit me, but because after the VC tragedy all of its traffic came to SIMPLECD.
Not only that, some idiots are scraping the site and some idiots are downloading with Thunder. The 100Mbps port has actually been running at full load for more than 10 hours. What does that mean? 100Mbps at full load for 1 day is 1000G of traffic, so before long I can expect a bill for hundreds of dollars. Tears.
In addition, at 100Mbps the hard drive cannot keep up, which seriously drags down the site's response speed; it lags so badly I want to die, really. When VC went down for a day, the people scraping it had left it in a half-crippled state (those people included me, embarrassingly). SIMPLECD is even less able to hold up.
In fact, this kind of human-driven DDoS is harder to distinguish and prevent than a normal DDoS, so all I can do is my best and leave the rest to fate. Referring to some articles, I wrote a Python anti-DDoS script and added it to cron to run every minute.
The principle is to query the number of connections per IP with netstat; any IP with more than a certain number of connections is blocked with iptables for a certain time. Blocking and unblocking are both automatic.

The code is as follows:


    from subprocess import run, PIPE
    import re
    import time
    import sqlite3

    CONCURRENCY_ALLOWED = 30   # connections per IP above which the IP is blocked
    OUTDATE_TIME = 86400       # seconds before a block is lifted

    # Initializing database
    db = sqlite3.connect("/tmp/ddos.db3")
    c = db.cursor()
    c.execute("CREATE TABLE IF NOT EXISTS ddos (ip TEXT UNIQUE, date INTEGER)")

    # Blocking IPs that have more than CONCURRENCY_ALLOWED connections.
    # The output is read from the pipe once the pipeline has finished, instead
    # of from /tmp/ddos.txt, which could be read before it was written.
    ddos = run("netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n",
               shell=True, stdout=PIPE, universal_newlines=True).stdout
    # One "count address" pair per line; [ \t] keeps a match from spilling onto the next line
    ct = re.compile(r"^[ \t]*(\d+)[ \t]+(\S+)[ \t]*$", re.M).findall(ddos)
    for count, ip in ct:
        if int(count) > CONCURRENCY_ALLOWED and (ip != "127.0.0.1") and (not ip.startswith("192.168")):
            # Argument list, no shell: the address reaches iptables as a single argument
            run(["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"])
            print("Blocking %s for %s visits" % (ip, count))
            c.execute("REPLACE INTO ddos VALUES (?,?)", (ip, int(time.time())))
    db.commit()

    # Unblocking outdated blockings
    c.execute("SELECT * FROM ddos")
    ddos = c.fetchall()
    for ip, date in ddos:
        if date + OUTDATE_TIME < time.time():
            c.execute("DELETE FROM ddos WHERE ip=?", (ip,))
            print("Unblocking %s" % ip)
            run(["iptables", "-D", "INPUT", "-s", ip, "-j", "DROP"])
    db.commit()


At present, the effect of this script is 0: supposedly 500 people have been blocked, but the port is still running at full speed, really scary.
Update on the 24th:
With this script running, plus moving the desktop version of the site to a host with 10M unmetered bandwidth, things seem to be all right (?).
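
The block/unblock decision described above can be separated from the netstat and iptables calls so it can be checked offline. The following is an added example, not the author's code: the function names and the sample connection table are constructed for illustration, and it goes slightly beyond the script by counting IPv4-mapped IPv6 peers (which `cut -d: -f1` truncates) and by not planning a second rule for an IP that is already blocked.

```python
import ipaddress
from collections import Counter

CONCURRENCY_ALLOWED = 30          # threshold used by the script above
OUTDATE_TIME = 86400              # block lifetime in seconds, as above
# Assumption: same exemptions as the script (loopback and 192.168.x.x)
EXEMPT = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.0.0/16")]

def count_peers(netstat_text):
    """Count connections per remote address in `netstat -ntu` output."""
    counts = Counter()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 5 or not f[0].startswith(("tcp", "udp")):
            continue                              # header or unrelated row
        host = f[4].rsplit(":", 1)[0]             # drop the port, keep IPv6 colons
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue                              # not an address: never pass it on
        if addr.version == 6 and addr.ipv4_mapped:
            addr = addr.ipv4_mapped               # ::ffff:a.b.c.d counts as a.b.c.d
        counts[str(addr)] += 1
    return counts

def plan(counts, blocked, now):
    """Return (to_block, to_unblock); `blocked` maps ip -> time it was blocked."""
    to_block = sorted(
        ip for ip, n in counts.items()
        if n > CONCURRENCY_ALLOWED
        and ip not in blocked                     # avoid stacking duplicate rules
        and not any(ipaddress.ip_address(ip) in net for net in EXEMPT))
    to_unblock = sorted(ip for ip, t in blocked.items() if t + OUTDATE_TIME < now)
    return to_block, to_unblock

def make_sample():
    """Constructed netstat output; addresses are documentation-range examples."""
    rows = ["Active Internet connections (w/o servers)",
            "Proto Recv-Q Send-Q Local Address Foreign Address State"]
    peers = [("tcp", "198.51.100.7", 45), ("tcp6", "::ffff:198.51.100.9", 31),
             ("tcp", "192.168.1.20", 60), ("tcp", "203.0.113.8", 3)]
    for proto, peer, n in peers:
        rows += ["%s 0 0 203.0.113.5:80 %s:%d ESTABLISHED" % (proto, peer, 40000 + i)
                 for i in range(n)]
    return "\n".join(rows) + "\n"

if __name__ == "__main__":
    blocked = {"198.51.100.7": 1000, "203.0.113.99": 0}   # constructed state
    print(plan(count_peers(make_sample()), blocked, now=90000))
```

The returned lists are what a caller would hand to `iptables -I INPUT -s <ip> -j DROP` and `iptables -D INPUT -s <ip> -j DROP` respectively, one address per invocation.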