This post could almost do without a prologue: the reason is DDoS. Not because some mad dog was chasing after me to bite, but because after the VC disaster the traffic flooded into SIMPLECD.
Not only that: some fools are scraping the whole site, some fools are downloading with Thunder, and the 100Mbps port has already been running at full load for more than 10 hours. What does that mean? 100Mbps at full load for one day is 1000G of traffic, so before long I can expect a bill of several hundred dollars. Tears.
On top of that, 100Mbps of traffic makes the hard drive thrash and seriously drags down the site's response time; the lag is really killing me. When VC went down, those of us who got caught were left limping for a week and a half (and yes, that includes me, sweat). SIMPLECD can't hold out any longer.
In fact, this human-style DDoS is harder to tell apart from legitimate traffic, and harder to prevent, than an ordinary DDoS; all I can do is my best and leave the rest to fate. Drawing on a few articles, I wrote a Python script against the DDoS and put it in cron to run every minute.
The principle: count connections per IP with netstat, and use iptables to ban any IP with more than a set number of connections for a set period. Automatic ban, automatic unban.
The script is as follows (Python 3; the original was written for Python 2 and is cleaned up here):

    from subprocess import Popen, PIPE, call
    import re
    import time
    import sqlite3

    concurrency_allowed = 30   # connections from one IP before it is banned
    outdate_time = 86400       # how long a ban lasts, in seconds (24 hours)

    # Initializing database
    db = sqlite3.connect("/tmp/ddos.db3")
    c = db.cursor()
    try:
        c.execute("CREATE TABLE ddos (ip TEXT UNIQUE, date INTEGER);")
    except sqlite3.OperationalError:
        print("Database exists")

    # Count open connections per foreign IP. Column 5 of `netstat -ntu` is the
    # foreign address as ip:port; cut drops the port. Reading the pipe directly
    # (instead of a temp file the shell may still be writing) avoids a race.
    # Note: `cut -d: -f1` mangles IPv6 addresses, so only IPv4 is matched below.
    pipe = Popen("netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n",
                 shell=True, stdout=PIPE)
    ddos = pipe.communicate()[0].decode()
    ct = re.compile(r"(\d+)\s+(\d+\.\d+\.\d+\.\d+)").findall(ddos)

    # Blocking IPs that have more than concurrency_allowed connections.
    # IPs already in the table only get their timestamp refreshed; inserting a
    # second DROP rule would leave one behind after the single -D below.
    c.execute("SELECT ip FROM ddos")
    already_blocked = set(row[0] for row in c.fetchall())
    for count, ip in ct:
        if int(count) > concurrency_allowed and ip != "127.0.0.1" \
                and not ip.startswith("192.168."):
            if ip not in already_blocked:
                # argument list rather than a shell string, so sh never re-parses the IP
                call(["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"])
                print("Blocking %s for %s visits" % (ip, count))
            c.execute("REPLACE INTO ddos VALUES (?, ?)", (ip, int(time.time())))
            time.sleep(0.1)
    db.commit()

    # Unblocking outdated blockings
    c.execute("SELECT * FROM ddos")
    ddos = c.fetchall()
    for ip, date in ddos:
        if date + outdate_time < time.time():
            c.execute("DELETE FROM ddos WHERE ip=?", (ip,))
            print("Unblocking %s" % ip)
            call(["iptables", "-D", "INPUT", "-s", ip, "-j", "DROP"])
            time.sleep(0.1)
    db.commit()
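The following is an added example, not the script from this post, that pulls the netstat-threshold logic out into pure functions so the banning decisions can be exercised offline, without root, netstat or iptables. It goes a little beyond the script above: foreign addresses are parsed with rsplit so IPv6 entries survive (the `cut -d: -f1` pipeline mangles them), the loopback and private-range exemptions are expressed as networks rather than string prefixes, and a ban is emitted once per IP so that the later `-D` removes exactly the rule that was inserted. The netstat output, the addresses in it and the helper names are all constructed for the example.

```python
# Added example: netstat connection-count banning logic as testable functions.
# The sample netstat text and all addresses below are constructed, not captured.
import ipaddress
from collections import Counter

CONCURRENCY_ALLOWED = 30   # same threshold as the cron script
OUTDATE_TIME = 86400       # ban lifetime in seconds

# Constructed sample of `netstat -ntu` output (not from a real host).
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.9:40001      TIME_WAIT
tcp        0      0 10.0.0.5:22             192.168.1.20:55555      ESTABLISHED
tcp6       0      0 2001:db8::1:80          2001:db8:ffff::2:4242   ESTABLISHED
udp        0      0 10.0.0.5:53             127.0.0.1:39999         ESTABLISHED
"""

# Never ban loopback or RFC 1918 / ULA space (the script's 127.0.0.1 and
# 192.168 exemptions, generalised). Explicit networks are used rather than
# ipaddress' is_private, which also flags the documentation ranges.
EXEMPT_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7")]


def foreign_ip(line):
    """Foreign IP of one netstat data line, or None for header/garbage lines.
    rsplit on the last ':' strips the port while keeping IPv6 intact."""
    fields = line.split()
    if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
        return None
    host = fields[4].rsplit(":", 1)[0]
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return None


def count_connections(netstat_output):
    """Connections per foreign IP; the `awk | cut | sort | uniq -c` pipeline."""
    return Counter(ip for ip in map(foreign_ip, netstat_output.splitlines()) if ip)


def is_exempt(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EXEMPT_NETS)


def plan_bans(counts, blocked, now, threshold=CONCURRENCY_ALLOWED):
    """Decide which IPs to block. `blocked` maps ip -> ban time and is updated
    in place. Returns one iptables argument list per NEW ban; an IP that is
    already blocked only has its timestamp refreshed (the REPLACE INTO above)."""
    cmds = []
    for ip, n in counts.items():
        if n <= threshold or is_exempt(ip):
            continue
        if ip not in blocked:
            cmds.append(["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"])
        blocked[ip] = now
    return cmds


def plan_unbans(blocked, now, ttl=OUTDATE_TIME):
    """Expire bans older than ttl; returns the matching iptables -D commands."""
    cmds = []
    for ip in [ip for ip, t in blocked.items() if t + ttl < now]:
        del blocked[ip]
        cmds.append(["iptables", "-D", "INPUT", "-s", ip, "-j", "DROP"])
    return cmds


if __name__ == "__main__":
    # Threshold lowered to 1 so the tiny sample trips it; a real run keeps 30.
    state = {}
    for cmd in plan_bans(count_connections(SAMPLE_NETSTAT), state, 1000, threshold=1):
        print(" ".join(cmd))
    for cmd in plan_unbans(state, 1000 + OUTDATE_TIME + 1):
        print(" ".join(cmd))
```

Running it prints one `iptables -I` line for 203.0.113.7 (two connections, the only address over the lowered threshold) and, once the clock is advanced past the ban lifetime, the matching `iptables -D` line; the 192.168 and 127.0.0.1 entries are skipped no matter how many connections they have. In the real cron job the argument lists would be handed to `subprocess.call` and `blocked` persisted in the sqlite table, as the script above does.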
So far the script has had zero effect: it has banned 500 supposedly real people, but the port is still running at full speed. Terrifying.
Update on the 24th:
With this script, plus moving the desktop version of the site to a 10M unmetered host, things seem to have settled down for now (?)