Defend against/mitigate DDOS attacks in Linux

 

As in the real world, the Internet is full of intrigue. Website DDOS attacks have become the biggest headache for webmasters. In the absence of hardware protection, finding a software alternative is the most direct method. For example, iptables is used, but iptables cannot be automatically blocked and can only be manually shielded. Today we are talking about a software that can automatically block the IP address of DDOS attackers: DDoS deflate.

 

Introduction to DDoS deflate

DDoS deflate is a free script for defending against and mitigating DDoS attacks. It uses netstat to monitor and track the creation of a large number of IP addresses connected to the network. When detecting that a node exceeds the preset limit, the program will disable or block these IP addresses through the filters or IPTABLES.

DDoS deflate Official Website: http://deflate.medialayer.com/

 

How can I determine whether a DDOS attack is triggered?

Run:

Netstat-ntu | awk '{print $5}' | cut-d:-f1 | sort | uniq-c | sort-n

After the command is executed, the number of connections from each IP address on the server is displayed.

 

 

1 113.132.228.195

1 70.33.184.37

1 87.250.253.243

1 Address

1 servers)

4 125.72.229.142

The number of connections per IP address, IP address, or IP address is normal. If the number of connections is hundreds of thousands, it is not normal.

 

1. Install DDoS deflate

Wget http://www.inetbase.com/scripts/ddos/install.sh // download DDoS deflate

Chmod 0700 install. sh // Add Permissions

./Install. sh // Execute

 

2. Configure DDoS deflate

The following figure shows the default DDoS deflate configuration in/usr/local/ddos. conf.

 

The content is as follows:

##### Paths of the script and other files

PROGDIR = "/usr/local/ddos"

PROG = "/usr/local/ddos. sh"

IGNORE_IP_LIST = "/usr/local/ddos/ignore. ip. list" // ip address whitelist

CRON = "/etc/cron. d/ddos. cron" // scheduled execution Program

<G id = "1"> </etc/</G>"

EPT = "/sbin/iptables"

 

##### Frequency in minutes for running the script

##### Caution: Every time this setting is changed, run the script with-cron

##### Option so that the new frequency takes effect

FREQ = 1 // check interval. The default value is 1 minute.

 

##### How many connections define a bad IP? Indicate that below.

NO_OF_CONNECTIONS = 150 // The maximum number of connections. IP addresses exceeding this value will be blocked. Generally, the default value is enough.

 

##### APF_BAN = 1 (Make sure your APL version is atleast 0.96)

##### APF_BAN = 0 (Uses iptables for banning ips instead of APT)

APF_BAN = 1 // whether to use the public IP address whitelist or iptables. We recommend that you use iptables to change the value of APF_BAN to 0.

 

##### KILL = 0 (Bad IPs are 'nt banned, good for interactive execution of script)

##### KILL = 1 (Recommended setting)

KILL = 1 // whether the IP address is blocked. The default value is enough.

 

##### An email is sent to the following address when an IP is banned.

##### Blank wocould suppress sending of mails

EMAIL_TO = "root" // when the IP address is blocked, send an email to the specified email address. We recommend that you use it in your own email address.

 

##### Number of seconds the banned ip shoshould remain in blacklist.

BAN_PERIOD = 600 // time when IP addresses are disabled. The default value is 600 seconds. You can modify the configuration file according to the remarks in the default configuration file.

 

If you like it, you can use Web stress testing software to test the effect. I believe that DDoS deflate can still defend your VPS or server against some DDOS attacks and provide more protection for your website.

 

From yufei blog™