Linux Defense DDoS Attack tool (DDoS deflate) configuration using the detailed

DDoS deflate is actually a shell script that uses Netstat and iptables tools to block IP that has too many links, effectively preventing common malicious scanners, but it is not really an effective DDoS defense tool.

Work Process Description:

The same IP link to the number of connections to the server after the setting of the cut value, all over the cut value of the IP will be masked, while the shielding of the IP into the ignore.ip.list file, at the same time will generate a script file in TMP, the script file is executed immediately, but a run on the encounter sleep The preset seconds, when you sleep for so much time, remove the blocked IP, and delete the blocked IP from the ignore.ip.list file before you delete the temporarily generated file.

One fact: If the shielded IP is manually unlocked, then if this IP continues to generate an attack, Then the script will not block it again (because it is added to the ignore.ip.list) until after the preset time to function, adding to the Ignore.ip.list IP is detected when the IP is ignored. IP can be written to this file to avoid these IP blocked, the already blocked IP will also be added to the ignore.ip.list, but blocked the scheduled time will be removed from it.

Installation:

wget http://www.inetbase.com/scripts/ddos/install.sh
Chmod 0700 install.sh
./install.sh

Unloading:

wget Http://www.inetbase.com/scripts/ddos/uninstall.ddos
Chmod 0700 Uninstall.ddos
./uninstall.ddos

After the installation is completed, the ddos.conf, ddos.sh, and/usr/local/ddos are produced in the catalogue. Ignore.ip.list and license These four files, ddos.conf is a configuration file, ddos.sh is a shell file, Ignore.ip.list is a file that ignores IP, license is the copyright notice file, after installation is completed Etc/cron.d/under the production of Ddos.cron files, the contents are as follows:

Shell=/bin/sh
0-59/1 * * * * root/usr/local/ddos/ddos.sh >/dev/null 2>&1

It means to perform a/usr/local/ddos/ddos.sh every minute.

This cron task is dependent on the no_of_connections variable in the ddos.conf file, and if this value is modified, it can be updated by running the following command (which is actually running the following command):

/usr/local/ddos/ddos.sh-c or/usr/local/ddos/ddos.sh–cron

The following are mainly for ddos.conf and ddos.sh analysis:

Ddos.conf content:

##### Paths of the script and other files
Progdir= "/usr/local/ddos"
Prog= "/usr/local/ddos/ddos.sh"
Ignore_ip_list= "/usr/local/ddos/ignore.ip.list"
cron= "/etc/cron.d/ddos.cron"
apf= "/etc/apf/apf"
ipt= "/sbin/iptables"

##### frequency in minutes for running the script
##### caution:every time This setting are changed, run the script with--cron
##### option so the new frequency takes effect
# Set the detection time interval, the default is minutes, because the system uses crontab function, the smallest unit is minutes
Freq=1

##### How many connections define a bad IP? indicate that below.
# no_of_connections Default is 150, this is an experience value, if the server performance is relatively high, you can set more than 200 to avoid manslaughter
no_of_connections=150

##### apf_ban=1 (Make sure your APF version is atleast 0.96)
##### apf_ban=0 (Uses iptables for banning IPs instead of APF)
# Use APF shielding IP, if set to 0 to use iptables, if you use APF, you need to install first, such as the default in CentOS is not installed
Apf_ban=0

##### kill=0 (Bad IPs are ' NT banned, good for interactive execution of script)
##### kill=1 (recommended setting)
Kill=1

##### an email was sent to the following address when a IP is banned.
##### Blank would suppress sending of mails
# If you don't want to send a message, set to NULL
Email_to= ""

##### number of seconds the banned IP should remain in blacklist.
# The time to unlock, in seconds, can be set for a longer time
ban_period=86400
Ddos.sh content:

# Load configuration file
load_conf ()
{
        conf= "/usr/local/ddos/ddos.conf"
 # $CONF is a file, load with source
        if [f "$CONF"] && [! "$CONF" "==    "]; Then
                Source $CONF
        Else
                 Head
                 echo "\ $CONF not found."
                exit 1
         fi
}

# Header Output
Head ()
{
        echo "ddos-deflate version 0.6"
 & nbsp;      echo "Copyright (C), Zaf <zaf@vsnl.com>"
    & nbsp;   Echo
}

# Show help, such as if you want to get rid of IP that is currently over n connections, use sh ddos.sh-k, sh ddos.sh-h to display Help, SH ddos.sh-c create a cron job
showhelp ()
{
& nbsp;       head
        echo ' Usage:ddos.sh [ OPTIONS] [N] '
        Echo ' N:number of tcp/udp     Connections (default) '
        echo ' OPTIONS: '
         Echo '-h | --help:show This help screen '
        echo '-c |--cron:create cron job to run th is script regularly (default                  1 mins) '
        echo '-K |--kill:block the offending IP making more than N connections                '
}

# Remove the blockade of IP

Unbanip ()
{
Unban_script= ' Mktemp/tmp/unban. XXXXXXXX ' # Generate random files, remove IP blockade
Tmp_file= ' Mktemp/tmp/unban. XXXXXXXX ' # temp file
Unban_ip_list= ' Mktemp/tmp/unban. XXXXXXXX ' # will be lifted off the blocked IP
echo ' #!/bin/sh ' > $UNBAN _script # Generates script content that unlocks IP blocking
echo "Sleep $BAN _period" >> $UNBAN _script # $BAN _period sleeping time, which indicates how long $unban_script sleep to continue, this variable is defined in the configuration file
If [$APF _ban-eq 1]; Then # using APF to plug IP
while read line; Todo
echo "$APF-u $line" >> $UNBAN _script
echo $line >> $UNBAN _ip_list
Done < $BANNED _ip_list
Else # use Iptables to block IP
while read line; Todo
echo "$IPT-D input-s $line-j DROP" >> $UNBAN _script # remove IP blockade
echo $line >> $UNBAN _ip_list # writes the IP that will be unblocked to $unban_ip_list, corresponding to the current $banned_ip_list.
Done < $BANNED _ip_list # input redirection, row for $line variable, is the current need to plug the IP, the script is running in the process of generating
Fi
echo "Grep-v--file= $UNBAN _ip_list $IGNORE _ip_list > $TMP _file" >> $UNBAN _script # remove $ignore_ip_list from $unban_i P_list, write the results to $tmp_file
echo "MV $TMP _file $IGNORE _ip_list" >> $UNBAN _script # moves $tmp_file to $ignore_ip_list, $IGNORE _ip_list is defined in the configuration file. Then this operation is overwritten
echo "Rm-f $UNBAN _script" >> $UNBAN _script # Delete $unban_script
echo "Rm-f $UNBAN _ip_list" >> $UNBAN _script # Delete $unban_ip_list
echo "Rm-f $TMP _file" >> $UNBAN _script # Delete $tmp_file, after the move operation, $TMP _file actually no longer exists
. $UNBAN _script & # Running in the background $unban_script
}

# Add to Scheduled task
Add_to_cron ()
{
Rm-f $CRON # Delete/etc/cron.d/ddos.cron
Sleep 1
Service Crond Restart # scheduled Task restart
Sleep 1
echo "Shell=/bin/sh" > $CRON # Create a scheduled task
If [$FREQ-le 2]; Then # $FREQ defined in the configuration file, indicating how many minutes to execute, if less than 2,linux min is per minute
# The following statement gets the 0-59/1 * * * * * * root/usr/local/ddos/ddos.sh >/dev/null 2>&1, which executes ddos.sh per minute with root, discarding the output
echo "0-59/$FREQ * * * * root/usr/local/ddos/ddos.sh >/dev/null 2>&1" >> $CRON
else # greater than 1-minute setting
Let "Start_minute = $RANDOM% ($FREQ-1)" # $RANDOM is the environment variable random number let is the shell built-in command, is to perform the calculation
Let "Start_minute = $START _minute + 1"
Let "End_minute = 60-$FREQ + $START _minute"
echo "$START _minute-$END _minute/$FREQ * * * * root/usr/local/ddos/ddos.sh >/dev/null 2>&1" >> $CRON
Fi
Service Crond Restart
}

# Load Configuration

Load_conf

# to Judge $, is the first parameter that provides help, and does not enter the loop if it is not provided
while [$]; Todo
Case is in
'-H ' | '--help ' | '?' )
showhelp # Show Help
Exit
;;
'--cron ' | '-C ')
Add_to_cron # Add to Scheduled Tasks
Exit
;;
'--kill ' | ' K ')
Kill=1 # Kill is specified in the configuration file to specify whether to block IP
;;
*[0-9]*)
NO_OF_CONNECTIONS=$1 # second parameter, specify threshold, no_of_connections specified in configuration file, here Overlay
;;
* )
showhelp
Exit
;;
Esac
Shift # To reduce the variable, which is now $ $2,shift can be specified to reduce a few
Done

tmp_prefix= '/tmp/ddos '
tmp_file= "Mktemp $TMP _prefix. XXXXXXXX "
Banned_ip_mail= ' $TMP _file ' # Generate temporary files, send mail, email content
banned_ip_list= ' $TMP _file ' # generates temporary files, storing already blocked IPs
echo "banned the following IP addresses on ' date '" > $BANNED _ip_mail Build message content
echo >> $BANNED _ip_mail
bad_ip_list= ' $TMP _file ' # generates temporary files, storing IP that may be blocked at the moment
Netstat-ntu | awk ' {print $} ' | Cut-d:-f1 | Sort | uniq-c | Sort-nr > $BAD _ip_list
Cat $BAD _ip_list # output This list
If [$KILL-eq 1]; Then # if configured to require blockage
Ip_ban_now=0
while read line; Todo
curr_line_conn=$ (echo $line | cut-d "-F1) # How many connections are currently in this IP
curr_line_ip=$ (echo $line | cut-d "-f2) # current IP
If [$CURR _line_conn-lt $NO _of_connections]; Then # if this IP link number is less than preset, terminate (because the data is sorted)
Break
Fi
Ignore_ban= ' grep-c $CURR _line_ip $IGNORE _ip_list ' # calculates how many times the current IP appears in $ignore_ip_list
If [$IGNORE _ban-ge 1]; Then # if the current IP is already in $ignore_ip_list, skip, you can set this way to never block certain IP
Continue
Fi
Ip_ban_now=1 # Enter here to indicate that there must be a current IP to be blocked
echo "$CURR _line_ip with $CURR _line_conn connections" >> $BANNE _ip_mail # Plugging information is written to the content of the message
echo $CURR _line_ip >> $BANNED _ip_list # Add blocked IP to the current block list, $BANNED _ip_list will apply to the following Unbanip function
echo $CURR _line_ip >> $IGNORE _ip_list # Add blocked IP to $ignore_ip_list
If [$APF _ban-eq 1]; Then
$APF-D $CURR _line_ip
Else
$IPT-I input-s $CURR _line_ip-j DROP # start iptables blockade
Fi
Done < $BAD _ip_list
If [$IP _ban_now-eq 1]; Then # $IP _ban_now equals 1 means the IP is blocked.
dt= ' Date '
If [$EMAIL _to!= "]; Then # $EMAIL _to setting is not empty then send the message, leave the message blank
Cat $BANNED _ip_mail | Mail-s "IP addresses banned on $dt" $EMAIL _to # $EMAIL _to specified in the configuration file
Fi
Unbanip # at the same time start to run the unblock program
Fi
Fi
Rm-f $TMP _prefix.* # Purge temporarily generated files

You can see if there is a blocked IP, will call mail to send mail, but as a front-end agent, depending on the need to deliberately install sendmail, so we can use curl to push data to remote, by another dedicated server to send this information, modified as follows:

If [$EMAIL _to!= "]; Then
Cat $BANNED _ip_mail | Mail-s "IP addresses banned on $dt" $EMAIL _to
Else
Curl--data "D=ip addresses banned on $DT-$ (cat $BANNED _ip_mail)" http://domain.com/blockip.php ">>/dev/null
Fi
In addition to this, although the default to 150 is blocked, but you may want to have more than 100 linked IP records, you can add the following code after cat $BAD _ip_list:
NUM_CONNECTIONS=100 # More than 100 on record
# Store by date
Cnts_log= "/usr/local/ddos/$ (date +%y)/$ (date +%m)/"
Mkdir-p $CNTS _log
Cnts_log= "$CNTS _log$ (Date +%y%m%d). LOG"
while read line; Todo
curr_conn=$ (echo $line | cut-d ""-F1)
curr_ip=$ (echo $line | cut-d ""-F2)
If [$CURR _conn-lt $NUM _connections]; Then
Break
Fi
echo "$CURR _ip with $CURR _conn connections in ' Date '" >> $CNTS _log
Done < $BAD _ip_list

How do I verify that DDoS attacks are being exploited?

Perform:

Netstat-ntu | awk ' {print $} ' | Cut-d:-f1 | Sort | uniq-c | Sort-n

After execution, the number of connections to each IP on the server is displayed.

Here are the results of my own VPS test:

li88-99:~# Netstat-ntu | awk ' {print $} ' | Cut-d:-f1 | Sort | uniq-c | Sort-n
1 114.226.9.132
1 174.129.237.157
1 58.60.118.142
1 Address
1 servers)
2 118.26.131.78
3 123.125.1.202
3 220.248.43.119
4 117.36.231.253
4 119.162.46.124
6 219.140.232.128
8 220.181.61.31
2311 67.215.242.196

A few, more than 10, or dozens of connections per IP are fairly normal, and if it's like hundreds of thousands of them, it's not going to work.