Objective
The internet is as full of rivalry as the real world, and attacks on sites have become one of the biggest headaches for webmasters. In the absence of hardware defenses, a software substitute is the most direct approach, for example iptables. But iptables cannot block attackers automatically; it has to be done by hand. What we're going to talk about today is a piece of software that automatically blocks the IPs of DDoS attackers: DDoS deflate.
Introduction to DDoS Deflate
DDoS deflate is a free script to defend against and mitigate DDoS attacks. It uses netstat to monitor and track the IP addresses that create a large number of network connections; when it detects a node that exceeds a preset limit, it bans or blocks that IP through APF or iptables.
DDoS Deflate official website: http://deflate.medialayer.com/
How can I confirm that I am under a DDoS attack?
Run:
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
Once executed, the number of connections per IP on the server will be displayed.
Here are the results of my own VPS test:
li88-99:~# netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
      1 114.226.9.132
      1 174.129.237.157
      1 58.60.118.142
      1 Address
      1 servers)
      2 118.26.131.78
      3 123.125.1.202
      3 220.248.43.119
      4 117.36.231.253
      4 119.162.46.124
      6 219.140.232.128
      8 220.181.61.31
   2311 67.215.242.196
A few, a dozen or so, or a few dozen connections per IP are still relatively normal; hundreds or thousands, as above, certainly are not.
1. Installing DDoS deflate
wget http://www.inetbase.com/scripts/ddos/install.sh   # download DDoS deflate
chmod 0700 install.sh                                  # add execute permission
./install.sh                                           # run the installer
2. Configuring DDoS Deflate
The following is the default configuration of DDoS deflate in /usr/local/ddos/ddos.conf:
##### Paths of the script and other files
PROGDIR="/usr/local/ddos"
PROG="/usr/local/ddos/ddos.sh"
IGNORE_IP_LIST="/usr/local/ddos/ignore.ip.list"   # IP address whitelist
CRON="/etc/cron.d/ddos.cron"                      # scheduled execution
APF="/etc/apf/apf"
IPT="/sbin/iptables"

##### Frequency in minutes for running the script
##### Caution: every time this setting is changed, run the script with --cron
##### option so that the new frequency takes effect
FREQ=1   # check interval, default 1 minute

##### How many connections define a bad IP? Indicate that below.
NO_OF_CONNECTIONS=150   # maximum number of connections; an IP with more than this will be blocked. The default is generally fine

##### APF_BAN=1 (make sure your APF version is at least 0.96)
##### APF_BAN=0 (uses iptables for banning IPs instead of APF)
APF_BAN=1   # use APF or iptables. iptables is recommended: change APF_BAN to 0

##### KILL=0 (bad IPs aren't banned, good for interactive execution of script)
##### KILL=1 (recommended setting)
KILL=1   # whether to block the IP; the default is fine

##### An e-mail is sent to the following address when an IP is banned.
##### Blank would suppress sending of mails
EMAIL_TO="root"   # send mail to this address when an IP is blocked; recommended, change it to your own mailbox

##### Number of seconds the banned IP should remain in blacklist.
BAN_PERIOD=600   # how long an IP stays blocked, default 600 seconds; adjust as needed
Users can modify the configuration file by following the comments added to the default configuration above.
Look at line 117 of the /usr/local/ddos/ddos.sh file:
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr > $BAD_IP_LIST
Change it to the following, which adds a sed filter that keeps only entries containing a digit, so that netstat header fragments (the "Address" and "servers)" entries in the test output above) are not counted:
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sed -n '/[0-9]/p' | sort | uniq -c | sort -nr > $BAD_IP_LIST
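The counting step above, rewritten as an added example (this is not code from ddos.sh; the function names find_offenders and sample_netstat are hypothetical and the sample connections are constructed). It goes slightly beyond the page's pipeline: it strips only the trailing port instead of using cut -d: -f1, which returns an empty field for IPv4-mapped addresses such as ::ffff:192.0.2.44:40001, and it honors a whitelist file in the style of ignore.ip.list.

```shell
#!/bin/sh
# find_offenders LIMIT [IGNORE_FILE]
# Reads `netstat -ntu` output on stdin and prints "count ip", highest first,
# for every remote IP with more than LIMIT connections (the page's wording
# for NO_OF_CONNECTIONS) that is not listed in IGNORE_FILE (one IP per line).
find_offenders() {
    awk -v limit="$1" -v ignore_file="${2:-/dev/null}" '
        BEGIN {
            # Load the whitelist; a missing or empty file leaves it empty.
            while ((getline line < ignore_file) > 0) {
                sub(/[ \t\r]+$/, "", line)
                if (line != "") ignore[line] = 1
            }
        }
        # Only tcp/udp rows have a foreign address in column 5,
        # so the two netstat header lines are skipped here.
        $1 !~ /^(tcp|udp)/ { next }
        {
            addr = $5
            sub(/:[0-9*]+$/, "", addr)   # drop the trailing :port only
            sub(/^::ffff:/, "", addr)    # unwrap IPv4-mapped IPv6
            if (addr == "" || (addr in ignore)) next
            count[addr]++
        }
        END { for (ip in count) if (count[ip] > limit) print count[ip], ip }
    ' | sort -nr
}

# Constructed sample input in the column layout of `netstat -ntu`.
sample_netstat() {
    echo "Active Internet connections (w/o servers)"
    echo "Proto Recv-Q Send-Q Local Address Foreign Address State"
    for p in 1 2 3 4 5; do
        echo "tcp 0 0 203.0.113.10:80 198.51.100.7:5100$p ESTABLISHED"
    done
    for p in 1 2 3 4; do
        echo "tcp6 0 0 203.0.113.10:80 ::ffff:192.0.2.44:4000$p ESTABLISHED"
    done
    echo "tcp 0 0 203.0.113.10:22 192.0.2.9:50022 ESTABLISHED"
}

# Demo with a low limit so the constructed sample trips it.
sample_netstat | find_offenders 3
```

On a live host the input would be `netstat -ntu | find_offenders 150 /usr/local/ddos/ignore.ip.list`, using the limit and whitelist path from the configuration shown earlier.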
If you like to tinker, you can test the result with web stress-testing software. I believe DDoS deflate can help your VPS or server withstand some DDoS attacks and give your site more protection.