DDoS deflate: automatically blocks DDoS attack IP addresses

Preface

As in the real world, the Internet is full of intrigue. Website DDoS attacks have become the biggest headache for webmasters. In the absence of hardware protection, finding a software alternative is the most direct method. For example, iptables is used, but iptables cannot be automatically blocked and can only be manually shielded. Today we are talking about a software that can automatically block the IP address of DDoS attackers: DDoS deflate.

Introduction to DDoS deflate

DDoS deflate is a free script for defending against and mitigating DDoS attacks. It uses netstat to monitor and track the IP addresses that create a large number of network connections. When detecting that a node exceeds the preset limitProgramThese IP addresses are prohibited or blocked through the filters or iptables.

DDoS deflate Official Website: http://deflate.medialayer.com/

How can I determine whether a DDoS attack is triggered?

Run:

Netstat-NTU awk '{print $5}' Cut-D:-F1 sort uniq-C sort-n

After the command is executed, the number of connections from each IP address on the server is displayed.

The following are the results of my own VPs test:

Li88-99 :~ # Netstat-NTU awk '{print $5}' Cut-D:-F1 sort uniq-C sort-n
1 114.226.9.132
1 174.129.237.157
1 58.60.118.142
1 Address
1 servers)
2 118.26.131.78
3 123.125.1.202
3 220.248.43.119
4 117.36.231.253
4 119.162.46.124
6 219.140.232.128
8 220.181.61.31
2311 67.215.242.196

The number of connections per IP address, IP address, or IP address is normal. If the number of connections is hundreds of thousands, it is not normal.

1. Install DDoS deflate

Wget http://www.inetbase.com/scripts/ddos/install.sh // download DDoS deflate
Chmod 0700 install. Sh // Add Permissions
./Install. Sh // Execute

2. Configure DDoS deflate

The default configuration of DDoS deflate is in/usr/local/DDOS/DDoS. conf. The content is as follows:

##### Paths of the script and other files
Progdir = "/usr/local/DDOS"
Prog = "/usr/local/DDOS/DDoS. Sh"
Ignore_ip_list = "/usr/local/DDOS/ignore. IP. List" // ip address whitelist
Cron = "/etc/cron. d/DDoS. cron" // scheduled execution Program
<G id = "1"> </etc/</G>"
EPT = "/sbin/iptables"

##### Frequency in minutes for running the script
##### Caution: Every time this setting is changed, run the script with -- Cron
##### Option so that the new frequency takes effect
Freq = 1 // check interval. The default value is 1 minute.

##### How many connections define a bad Ip? Indicate that below.
No_of_connections = 150 // The maximum number of connections. IP addresses exceeding this value will be blocked. Generally, the default value is enough.

##### Apf_ban = 1 (make sure your APL version is atleast 0.96)
##### Apf_ban = 0 (uses iptables for banning IPS instead of APT)
Apf_ban = 1 // whether to use the apt filter or iptables. iptables is recommended.

##### Kill = 0 (Bad IPs are 'nt banned, good for interactive execution of script)
##### Kill = 1 (recommended setting)
Kill = 1 // whether the IP address is blocked. The default value is enough.

##### An email is sent to the following address when an IP is banned.
##### Blank wocould suppress sending of mails
Email_to = "root" // when the IP address is blocked, send an email to the specified email address. We recommend that you use it in your own email address.

##### Number of seconds the banned IP shoshould remain in blacklist.
Ban_period = 600 // ip address disabling time. The default value is 600 seconds. It can be adjusted as needed.

You can modify the configuration file according to the remarks on the default configuration file.

If you like it, you can use web stress testing software to test the effect. I believe that DDoS deflate can still defend your VPS or server against some DDoS attacks and provide more protection for your website.