How to defend against or mitigate DDOS attacks in Linux

Source: Internet
Author: User

This morning, the server was under a DDoS attack. Fortunately, the other party only used a single computer, not thousands of Trojan-infected ones; otherwise the server would have crashed. I found a tutorial on the Internet and solved it successfully, so I recorded the anti-DDoS method.

View Attack IP

First, use the following command to find the attacker's IP address (it counts the current connections per remote IP):

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

The following results are obtained:

1 114.226.9.132
1 174.129.237.157
1 58.60.118.142
1 Address
1 servers)
2 118.26.131.78
3 123.125.1.202
3 220.248.43.119
4 117.36.231.253
4 119.162.46.124
6 219.140.232.128
8 220.181.61.31
2311 67.215.242.196

The first column is the number of connections from each IP address. The last line shows that 67.215.242.196 alone has 2311 connections to the server. A few to a few dozen connections per IP address is normal; hundreds or thousands is not.

Solution: Use DDoS deflate + iptables

DDoS deflate is a free script for defending against and mitigating DDoS attacks. It uses netstat to monitor and track the IP addresses that open large numbers of connections, and when an address exceeds the configured limit it blocks that address through APF or iptables.

Install DDoS deflate
wget http://www.inetbase.com/scripts/ddos/install.sh   # download DDoS deflate
chmod 0700 install.sh                                   # make the installer executable
./install.sh                                            # run the installer

Configure DDoS deflate

The default configuration of DDoS deflate is in /usr/local/ddos/ddos.conf and looks like this (the trailing # comments are explanations added here, not part of the file):

##### Paths of the script and other files
PROGDIR="/usr/local/ddos"
PROG="/usr/local/ddos/ddos.sh"
IGNORE_IP_LIST="/usr/local/ddos/ignore.ip.list"   # IP address whitelist
CRON="/etc/cron.d/ddos.cron"                       # cron entry that runs the script on a schedule
APF="/etc/apf/apf"
IPT="/sbin/iptables"

##### frequency in minutes for running the script
##### Caution: Every time this setting is changed, run the script with --cron
#####          option so that the new frequency takes effect
FREQ=1   # check interval; the default is 1 minute

##### How many connections define a bad IP? Indicate that below.
NO_OF_CONNECTIONS=150   # IP addresses with more connections than this are blocked; the default is usually enough

##### APF_BAN=1 (Make sure your APF version is at least 0.96)
##### APF_BAN=0 (Uses iptables for banning ips instead of APF)
APF_BAN=1   # ban with APF (1) or iptables (0); we recommend iptables, so set APF_BAN=0

##### KILL=0 (Bad IPs aren't banned, good for interactive execution of script)
##### KILL=1 (Recommended setting)
KILL=1   # whether offending IP addresses are actually blocked; the default is enough

##### An email is sent to the following address when an IP is banned.
##### Blank would suppress sending of mails
EMAIL_TO="root"   # address notified when an IP is blocked; we recommend putting your own email address here

##### Number of seconds the banned ip should remain in blacklist.
BAN_PERIOD=600   # how long an IP stays blocked; the default is 600 seconds and can be adjusted as needed

You can modify the configuration file according to the remarks in the default configuration file.

Line 117 of /usr/local/ddos/ddos.sh reads:

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr > $BAD_IP_LIST

Change it to the following, so that lines without digits (the "Address" and "servers)" header remnants seen in the output above) are dropped instead of being counted as IP addresses:

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sed -n '/[0-9]/p' | sort | uniq -c | sort -nr > $BAD_IP_LIST
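As an added example (not part of the original article), the counting pipeline from "View Attack IP" and the sed fix above, wrapped in functions and run over a constructed netstat capture so the effect of the filter and a DDoS deflate-style connection limit can be checked offline; the sample addresses and the low limit are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the article or from DDoS deflate.
# Constructed sample of `netstat -ntu` output, including the two header lines
# that the unfiltered pipeline counts as the bogus entries "servers)" and "Address".
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           203.0.113.9:51000       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.9:51001       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.9:51002       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.9:51003       SYN_RECV
tcp        0      0 192.0.2.10:22           198.51.100.7:40022      ESTABLISHED
udp        0      0 192.0.2.10:53           198.51.100.7:5353       ESTABLISHED'

# Count connections per remote IP, reading netstat output on stdin.
# `sed -n '/[0-9]/p'` is the article's fix: keep only lines containing a digit,
# which drops the header words. `cut -d:` assumes IPv4 addresses, as the
# article's pipeline does. Output: "<count> <ip>", highest count first.
count_connections() {
    awk '{print $5}' | cut -d: -f1 | sed -n '/[0-9]/p' | sort | uniq -c | sort -nr \
        | awk '{print $1, $2}'
}

# Print the IPs whose connection count exceeds the limit given as $1.
# DDoS deflate's NO_OF_CONNECTIONS defaults to 150; a small value is used
# below only so the constructed sample trips it.
bad_ips() {
    count_connections | awk -v limit="$1" '$1 > limit {print $2}'
}

# Stand-alone run: per-IP counts, then the offenders above 3 connections.
printf '%s\n' "$SAMPLE_NETSTAT" | count_connections
printf '%s\n' "$SAMPLE_NETSTAT" | bad_ips 3
```

Feed real data with `netstat -ntu | count_connections`; the threshold passed to bad_ips should match NO_OF_CONNECTIONS in ddos.conf.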

iptables firewall

iptables is the common firewall software on Linux. The following covers basic usage: installing iptables, clearing its rules, opening only the specified ports, blocking specified IP addresses and IP ranges, unblocking them, and deleting rules you have added.

Install the iptables firewall

If iptables is not installed, install it first. On CentOS run:

yum install iptables

Clear existing iptables rules

iptables -F
iptables -X
iptables -Z

Open the specified ports

# Allow the loopback interface (the machine talking to itself)
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
# Allow established or related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic from this host
iptables -A OUTPUT -j ACCEPT
# Allow access to port 22
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow access to port 80
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Allow ports 21 and 20 for the FTP service
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
# Other ports follow the same pattern; just adjust the port number.
# Reject everything not explicitly permitted above.
# (Note: if port 22 has not been allowed, your SSH session will be cut off immediately.)
iptables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT
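As an added example (not from the original article), a small generator for the ruleset above: it takes the list of ports to open and refuses to emit the closing REJECT rules unless the SSH port is in that list, so the lockout the note warns about cannot happen. It prints the iptables commands instead of running them; the port list and SSH port 22 are assumptions for this example.

```shell
#!/bin/sh
# Added example, not the article's own script. Review the printed commands,
# then pipe them to `sh` as root to apply them.
SSH_PORT=22   # assumed SSH port; change if sshd listens elsewhere

# Usage: build_rules "22 80 21 20"  -> prints the iptables commands to stdout.
# Returns 1 and prints nothing if the SSH port is missing from the list,
# because the final "iptables -A INPUT -j REJECT" would then drop SSH too.
build_rules() {
    ports="$1"
    ssh_ok=0
    for p in $ports; do
        [ "$p" = "$SSH_PORT" ] && ssh_ok=1
    done
    if [ "$ssh_ok" -ne 1 ]; then
        echo "refusing: port $SSH_PORT not in list; the REJECT rule would cut off SSH" >&2
        return 1
    fi
    # Clear existing rules, then the base rules from the article.
    echo "iptables -F"
    echo "iptables -X"
    echo "iptables -Z"
    echo "iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -j ACCEPT"
    # One ACCEPT per requested port, all placed before the closing REJECT.
    for p in $ports; do
        echo "iptables -A INPUT -p tcp --dport $p -j ACCEPT"
    done
    echo "iptables -A INPUT -j REJECT"
    echo "iptables -A FORWARD -j REJECT"
}

# Number of commands a port list produces (0 when the list was refused).
rule_count() {
    build_rules "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Stand-alone run with the article's ports: SSH, HTTP and FTP.
build_rules "22 80 21 20"
```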

Block IP addresses

# If you only want to block IP addresses, you can skip the "Open the specified ports" step above.
# Block a single IP address:
iptables -I INPUT -s 123.45.6.7 -j DROP
# Block the whole range 123.0.0.1 to 123.255.255.254 (a /8):
iptables -I INPUT -s 123.0.0.0/8 -j DROP
# Block the range 123.45.0.1 to 123.45.255.254 (a /16):
iptables -I INPUT -s 123.45.0.0/16 -j DROP
# Block the range 123.45.6.1 to 123.45.6.254 (a /24):
iptables -I INPUT -s 123.45.6.0/24 -j DROP

View the added iptables rules

iptables -L -n

Useful options:
-v: verbose; shows the number of packets and bytes matched by each rule.
-x: with -v, show exact counts instead of rounding them to K/M units.
-n: numeric output; show IP addresses and port numbers without resolving them to names.

Delete an added iptables rule

List all rules with their line numbers:

iptables -L -n --line-numbers

For example, to delete the rule with serial number 8 in INPUT, execute:

iptables -D INPUT 8

Start iptables and save rules

On CentOS, iptables does not start automatically at boot after installation. Add it to startup with:

chkconfig --level 345 iptables on

On CentOS, save the current rules with: service iptables save

On Debian/Ubuntu, iptables does not save its rules by itself.

Instead, save the rules when the network interface goes down and restore them when it comes up:

Create the/etc/network/if-post-down.d/iptables file and add the following:

#!/bin/bash
iptables-save > /etc/iptables.rules

Run chmod +x /etc/network/if-post-down.d/iptables to make it executable.

Create the/etc/network/if-pre-up.d/iptables file and add the following:

#!/bin/bash
iptables-restore < /etc/iptables.rules

Run chmod +x /etc/network/if-pre-up.d/iptables to make it executable.

For more on iptables, run iptables --help or look up the iptables options online.

