DDoS deflate, ddosdeflate
Preface
As in the real world, the Internet is full of intrigue. Website DDOS attacks have become the biggest headache for webmasters. In the absence of hardware protection, finding a software alternative is the most direct method. For example, iptables is used, but iptables cannot be automatically blocked and can only be manually shielded. Today we are talking about a software that can automatically block the IP address of DDOS attackers: DDoS deflate.
Introduction to DDoS deflate
DDoS deflate is a free script for defending against and mitigating DDoS attacks. It uses netstat to monitor and track the creation of a large number of IP addresses connected to the network. When detecting that a node exceeds the preset limit, the program will disable or block these IP addresses through the filters or IPTABLES.
DDoS deflate Official Website: http://deflate.medialayer.com/
How can I determine whether a DDOS attack is triggered?
Run:
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
After the command is executed, the number of connections from each IP address on the server is displayed.
The following are the results of my own VPS test:
Li88-99 :~ # Netstat-ntu | awk '{print $5}' | cut-d:-f1 | sort | uniq-c | sort-n1 114.226.9.1321 174.129.237.1571 58.60.118.1421 Address1 servers) 2 118.26.131.783 123.125.1.2023 220.248.43.1194 117.36.231.2534 119.162.46.1246 219.140.232.1288 220.181.61.31 VPS detective http://www.vpser.net/2311 67.215.242.196
The number of connections per IP address, IP address, or IP address is normal. If the number of connections is hundreds of thousands, it is not normal.
1. Install DDoS deflate
Wget http://www.inetbase.com/scripts/ddos/install.sh // download DDoS deflatechmod 0700 install. sh // Add permission./install. sh // Execute
2. Configure DDoS deflate
The default configuration of DDoS deflate is in/usr/local/ddos. conf. The content is as follows:
##### Paths of the script and other filesPROGDIR = "/usr/local/ddos" PROG = "/usr/local/ddos. sh "IGNORE_IP_LIST ="/usr/local/ddos/ignore. ip. list "// ip address whitelist CRON ="/etc/cron. d/ddos. cron "// timing execution Program <G id =" 1 "> <G id =" 2 "> <G id =" 2 "> </G> #### frequency in minutes for running the script ### # Caution: every time this setting is changed, run the script with -- cron #### option so that the new frequency takes ef FectFREQ = 1 // check interval. The default value is 1 minute ##### How many connections define a bad IP? Indicate that below. NO_OF_CONNECTIONS = 150 // The maximum number of connections. If this number is exceeded, the IP address will be blocked. Generally, the default value is #### APF_BAN = 1 (Make sure your ope version is atleast 0.96) ##### APF_BAN = 0 (Uses iptables for banning ips instead of APT) APF_BAN = 1 // whether to use apt or iptables. We recommend that you use iptables to change the value of APF_BAN to 0. ##### KILL = 0 (Bad IPs are 'nt banned, good for interactive execution of script) #### KILL = 1 (Recommended setting) KILL = 1 // whether the IP address is blocked. the default value is #### An email is sent to the following address when an IP is banned. ##### Blank wocould suppress sending of mailsEMAIL_TO = "root" // when the IP address is blocked, it is recommended to send emails to the specified email address, replace it with your own mailbox #### Number of seconds the banned ip shoshould remain in blacklist. BAN_PERIOD = 600 // IP address disabling time. The default value is 600 seconds. It can be adjusted as needed.
You can modify the configuration file according to the remarks on the default configuration file.
View the 117th rows of the/usr/local/ddos. sh File
Netstat-ntu | awk '{print $5}' | cut-d:-f1 | sort | uniq-c | sort-nr> $ BAD_IP_LIST
Modify it to the following code!
Netstat-ntu | awk '{print $5}' | cut-d: -f1 | sed-n'/[0-9]/P' | sort | uniq-c | sort-nr> $ BAD_IP_LIST
If you like it, you can use Web stress testing software to test the effect. I believe that DDoS deflate can still defend your VPS or server against some DDOS attacks and provide more protection for your website.
How does DDoS deflate shield the IP address of a DDOS attacker?
DDoS deflate is a script used to defend against and mitigate DDoS attacks. It uses netstat to monitor and track the creation of a large number of IP addresses connected to the network. When detecting that a node exceeds the preset limit, the program will disable or block these IP addresses through the filters or IPTABLES.
In the IP address whitelist of DDoS deflate, why is the attacker's IP added?
That is to say, if your PC needs to access the Internet through a router or go to different network segments, you must configure the IP address of the PC and the IP address configured for the port connected to the router in the same network segment, otherwise, you cannot access the Internet or cross-network communication.