This software defends against DDoS attacks such as CC (HTTP request flood) and SYN half-open connection floods. It has no interception capability of its own: it is built on the iptables firewall and uses netstat plus filtering rules to drive iptables. When malicious connections (for example a SYN flood) hit a port the server is configured to monitor, the software analyzes the connection sources in real time. When a connecting IP address holds many concurrent malicious connections, the software automatically adds it to the iptables rules to block it. At the same time, the attacking IP address is written to the scheduled-unblock file, and when the configured time is reached the software automatically removes that IP address from iptables again.
The software took a week to write. Basic testing showed acceptable performance, but bugs cannot be ruled out. It is clearly effective against concurrent-connection attacks and SYN floods coming from a single IP address; it is therefore not suited to attacks from random source IP addresses.
System Structure
Installation and use:
Installation is simple: download the package, extract it (tar zxvf DDos_firewall-v1.0.0.tar.gz), enter the main directory, find autosetup.sh and run it to install automatically.
Running environment:
CentOS 32-bit or 64-bit, Red Hat 32-bit or 64-bit, Fedora 32-bit or 64-bit; other Linux distributions have not been tested.
Startup method:
dd_start {start|stop|restart|status}
Running status / IP blocking
Configuration example:
#############################################
### FileName: ddos_drop.conf
### Auth: Sunshine Gu
### http://blog.hit008.com
### ddos_acl and flush_drop config file.
#############################################
[main setting]
### Main directory
filepath=/usr/local/ddos_drop
### Pid file
ddos_acl_pidfile=/usr/local/ddos_drop/logs/ddos_acl.pid
flush_drop_pidfile=/usr/local/ddos_drop/logs/flush_drop.pid
### Temporary blacklist
grep_list=/usr/local/ddos_drop/logs/drop_ip.dat
### Planned removal (blacklist) queue
crond_list=/usr/local/ddos_drop/logs/crond_list.dat
### Temporary file, used to clean the blacklist queue in crond_list.
temp_list=/usr/local/ddos_drop/logs/temp_list~
### White list
else_list=192.168.14.15|127.0.0.1|0.0.0.0
### Monitored ports
grep_port=80|8080|443
### Execution frequency (s)
exec_time=10
### Lock time (s): blacklist entries from grep_list stay blocked for this long,
### after which iptables automatically deletes them.
acl_cls=3600
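Both daemons below read this file with one grep/sed/awk pipeline per key. As an added example (not part of DDos_Drop), the following function reads any key from a config file in this format: comment lines and trailing `#` comments are stripped, spaces around `=` are ignored, and the key is compared exactly against the whole left-hand side, so a lookup for `list` does not accidentally return the `grep_list` value. The sample config it builds is constructed for the example and mirrors the keys above.

```shell
#!/bin/sh
# Added example: read one key from an ini-style file like ddos_drop.conf.
# Not DDos_Drop's own code; the config it parses here is a constructed sample.

# conf_get FILE KEY  -> prints the value of KEY, or nothing if absent
conf_get() {
    # 1. drop everything from '#' to end of line (comments; values may not contain '#')
    # 2. remove all whitespace so "exec_time = 10" becomes "exec_time=10"
    # 3. split on '=' and print the right-hand side of the first exact key match
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" \
        | awk -F= -v key="$2" '$1 == key { print $2; exit }'
}

# Write a constructed sample config to a temp file and print its path.
make_sample_conf() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
### FileName: ddos_drop.conf (constructed sample for the example)
[main setting]
### Main directory
filepath=/usr/local/ddos_drop
grep_list=/usr/local/ddos_drop/logs/drop_ip.dat
else_list=192.168.14.15|127.0.0.1|0.0.0.0
grep_port=80|8080|443   # trailing comment must be stripped
exec_time = 10
acl_cls=3600
EOF
    echo "$f"
}

# Usage:
#   f=$(make_sample_conf)
#   grep_port=$(conf_get "$f" grep_port)   # 80|8080|443
#   rm -f "$f"
```

Because `conf_get` runs sed once per lookup, it is cheap to call for each key at startup; the section header `[main setting]` has no `=` and is skipped.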
Shell source code (open source)
1. Main daemon, ddos_acl.sh
#!/bin/sh
########################################
### FileName: ddos_acl.sh
### Auth: Sunshine GU
### Version: v1.0.0
### http://blog.hit008.com
########################################
############################ Load a configuration file ############################
### File main directory [filepath]
### PID file [pidfile]
### Temporary blacklist [grep_list]
### Planned to clear the queue [crond_list]
### White list [else_list]
### Monitoring port [grep_port]
### Execution frequency (s) [exec_time]
### The path is relative to the bin directory the daemon is started from
conffile=../conf/ddos_drop.conf
if [ -e $conffile ]; then
    # cat $conffile | awk -v key="main" -v RS='\[[^\n]*]' 'v=="["key"]";{v=RT}' | sed 's/ //g' | sed -r '/^ *#.*/d;s/ *#.*//'
    # Each key: strip spaces, drop comment lines and trailing comments, take the value after '='
    filepath=`grep 'filepath=' $conffile | sed 's/ //g' | sed -r '/^ *#.*/d;s/ *#.*//' | awk -F= '{print $2}'`
    ddos_acl_pidfile=`grep 'ddos_acl_pidfile=' $conffile | sed 's/ //g' | sed -r '/^ *#.*/d;s/ *#.*//' | awk -F= '{print $2}'`
    flush_drop_pidfile=`grep 'flush_drop_pidfile=' $conffile | sed 's/ //g' | sed -r '/^ *#.*/d;s/ *#.*//' | awk -F= '{print $2}'`
    grep_list=`grep 'grep_list=' $conffile | sed 's/ //g' | sed -r '/^ *#.*/d;s/ *#.*//' | awk -F= '{print $2}'`
    crond_list=`grep 'crond_list=' $conffile | sed 's/ //g' | sed -r '/^ *#.*/d;s/ *#.*//' | awk -F= '{print $2}'`
    temp_list=`grep 'temp_list=' $conffile | sed 's/ //g' | sed -r '/^ *#.*/d;s/ *#.*//' | awk -F= '{print $2}'`
    else_list=`grep 'else_list=' $conffile | sed 's/ //g' | sed -r '/^ *#.*/d;s/ *#.*//' | awk -F= '{print $2}'`
    grep_port=`grep 'grep_port=' $conffile | sed 's/ //g' | sed -r '/^ *#.*/d;s/ *#.*//' | awk -F= '{print $2}'`
    exec_time=`grep 'exec_time=' $conffile | sed 's/ //g' | sed -r '/^ *#.*/d;s/ *#.*//' | awk -F= '{print $2}'`
    acl_cls=`grep 'acl_cls=' $conffile | sed 's/ //g' | sed -r '/^ *#.*/d;s/ *#.*//' | awk -F= '{print $2}'`
else
    echo "Can't find the configuration file!"
    exit 1
fi
###################################################################################
### Clear the old illegal IP address list
if [ -d $filepath/logs ]; then
    if [ -f $grep_list ]; then
        rm -f $grep_list
    fi
else
    mkdir $filepath/logs
fi
### Block IP addresses based on connection state
echo "$$" > $ddos_acl_pidfile
while true
do
    # Count connections per remote address on the monitored ports and record every
    # source with more than 100 concurrent connections (the threshold is fixed here)
    /bin/netstat -ant | grep -E $grep_port | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -rn | grep -v -E $else_list | awk '{if ($2 != "" && $1 > 100) {print $2}}' > $grep_list
    if [ -f $grep_list ]; then
        # Traverse non-repeated entries
        for i in `cat $grep_list | uniq -c | awk '{print $2}'`
        do
            # iptables must not get duplicate entries (-n keeps addresses numeric so the grep can match)
            if [ `iptables -n --list | grep -w $i | wc -l` -eq 0 ]; then
                # Record the blocked IP address with its lock time (appended, one line per IP) and block it
                echo "$i `date +%Y/%m/%d` `date +%H:%M:%S` `date +%s` LOCK" >> $crond_list
                /sbin/iptables -I INPUT -s $i -j DROP
            else
                continue
            fi
        done
    fi
    sleep $exec_time
done
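The detection step above is the netstat pipeline: filter lines for the monitored ports, take the foreign address, count per source, drop the whitelist, and keep sources over the threshold. Its `grep -E $grep_port` matches the port string anywhere on the line, so a connection to local port 8000, or a remote address containing "80", is also counted. The following is an added example (not DDos_Drop's own code) that performs the same per-source count as a function over `netstat -ant` text, selecting on the local port column only and matching whitelist addresses exactly; ports, threshold and whitelist are parameters, and the netstat output it runs on is a constructed sample so it can be exercised without root. A second function turns the result into the iptables commands the daemon would run, without executing them.

```shell
#!/bin/sh
# Added example (not DDos_Drop's own code): per-source connection counting
# over netstat -ant output, as a testable function instead of an inline pipeline.

# suspicious_sources PORTS THRESHOLD WHITELIST < netstat-output
#   PORTS     alternation of local ports to monitor, e.g. '80|8080|443'
#   THRESHOLD a source is reported when it has MORE than this many connections
#   WHITELIST alternation of exact source IPs that are never reported
# Prints "count ip" per offending source, highest count first.
suspicious_sources() {
    awk -v ports="$1" -v thr="$2" -v wl="$3" '
        BEGIN {
            n = split(wl, w, "|"); for (i = 1; i <= n; i++) skip[w[i]] = 1
            pre = "^(" ports ")$"          # anchored: 8000 must not match 80
        }
        $1 ~ /^tcp/ {
            # netstat -ant columns: Proto Recv-Q Send-Q Local Foreign State
            lport = $4; sub(/.*:/, "", lport)      # local port only
            src   = $5; sub(/:[^:]*$/, "", src)    # strip the remote port
            if (lport ~ pre && !(src in skip)) cnt[src]++
        }
        END { for (s in cnt) if (cnt[s] > thr) print cnt[s], s }
    ' | sort -rn
}

# block_rules < "count ip" lines -> one iptables insert command per line.
# Printed rather than executed; review, then pipe to sh as root to apply.
block_rules() {
    awk '{ printf "/sbin/iptables -I INPUT -s %s -j DROP\n", $2 }'
}

# Constructed sample netstat -ant output: 3 connections from 10.0.0.5 to :80,
# one from 10.0.0.5 to :8000 (must not count), one from 10.0.0.9 to :443 and
# two from whitelisted 192.168.14.15.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.2:80          10.0.0.5:51001          SYN_RECV
tcp        0      0 192.168.1.2:80          10.0.0.5:51002          SYN_RECV
tcp        0      0 192.168.1.2:80          10.0.0.5:51003          ESTABLISHED
tcp        0      0 192.168.1.2:8000        10.0.0.5:51004          ESTABLISHED
tcp        0      0 192.168.1.2:443         10.0.0.9:40000          ESTABLISHED
tcp        0      0 192.168.1.2:80          192.168.14.15:6000      ESTABLISHED
tcp        0      0 192.168.1.2:80          192.168.14.15:6001      ESTABLISHED
EOF
}

# Usage (threshold 2 for the small sample; the daemon uses 100):
#   sample_netstat | suspicious_sources '80|8080|443' 2 '192.168.14.15|127.0.0.1|0.0.0.0'
#   netstat -ant | suspicious_sources '80|8080|443' 100 "$else_list" | block_rules
```

Keeping the threshold a parameter also lets an operator lower it during a test and compare the output with `netstat` by hand before the commands are applied.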
2. Plan to unseal the program, flush_drop.sh
#!/bin/sh
########################################
### FileName: flush_drop.sh
### Auth: Sunshine GU
### Version: v1.0.0
### http://blog.hit008.com
########################################
############################ Load a configuration file ############################
### File main directory [filepath]
### PID file [pidfile]
### Temporary blacklist [grep_list]
### Planned to clear the queue [crond_list]
### White list [else_list]
### Monitoring port [grep_port]
### Execution frequency (s) [exec_time]
### The path is relative to the bin directory the daemon is started from
conffile=../conf/ddos_drop.conf
if [ -e $conffile ]; then
    # cat $conffile | awk -v key="main" -v RS='\[[^\n]*]' 'v=="["key"]";{v=RT}' | sed 's/ //g' | sed -r '/^ *#.*/d;s/ *#.*//'
    # Each key: strip spaces, drop comment lines and trailing comments, take the value after '='
    filepath=`grep 'filepath=' $conffile | sed 's/ //g' | sed -r '/^ *#.*/d;s/ *#.*//' | awk -F= '{print $2}'`
    ddos_acl_pidfile=`grep 'ddos_acl_pidfile=' $conffile | sed 's/ //g' | sed -r '/^ *#.*/d;s/ *#.*//' | awk -F= '{print $2}'`
    flush_drop_pidfile=`grep 'flush_drop_pidfile=' $conffile | sed 's/ //g' | sed -r '/^ *#.*/d;s/ *#.*//' | awk -F= '{print $2}'`
    grep_list=`grep 'grep_list=' $conffile | sed 's/ //g' | sed -r '/^ *#.*/d;s/ *#.*//' | awk -F= '{print $2}'`
    crond_list=`grep 'crond_list=' $conffile | sed 's/ //g' | sed -r '/^ *#.*/d;s/ *#.*//' | awk -F= '{print $2}'`
    temp_list=`grep 'temp_list=' $conffile | sed 's/ //g' | sed -r '/^ *#.*/d;s/ *#.*//' | awk -F= '{print $2}'`
    else_list=`grep 'else_list=' $conffile | sed 's/ //g' | sed -r '/^ *#.*/d;s/ *#.*//' | awk -F= '{print $2}'`
    grep_port=`grep 'grep_port=' $conffile | sed 's/ //g' | sed -r '/^ *#.*/d;s/ *#.*//' | awk -F= '{print $2}'`
    exec_time=`grep 'exec_time=' $conffile | sed 's/ //g' | sed -r '/^ *#.*/d;s/ *#.*//' | awk -F= '{print $2}'`
    acl_cls=`grep 'acl_cls=' $conffile | sed 's/ //g' | sed -r '/^ *#.*/d;s/ *#.*//' | awk -F= '{print $2}'`
else
    echo "Can't find the configuration file!"
    exit 1
fi
###################################################################################
echo "$$" > $flush_drop_pidfile
while true
do
    sleep $exec_time
    # Obtain the current time
    nowtime=`date +%s`
    # Does the schedule file exist?
    if [ -e $crond_list ]; then
        # Traverse all entries
        for i in `awk '{print $1}' $crond_list`
        do
            # The file is not empty
            if [ `cat $crond_list | wc -l` -ne 0 ]; then
                # Take at most one entry per IP so duplicate lines are ignored
                ti=`grep -w $i $crond_list | awk '{print $4}' | head -1`
                b=`expr $nowtime - $ti`
                # Has the lock time been exceeded?
                if [ $b -gt $acl_cls ]; then
                    # Remove the entry from iptables if it is still there (-n keeps addresses numeric)
                    if [ `iptables -n --list | grep -w $i | wc -l` -ne 0 ]; then
                        /sbin/iptables -D INPUT -s $i -j DROP
                    fi
                    # Clear the current entry from crond_list
                    cp $crond_list $temp_list
                    sed -e "/$i/d" $temp_list > $crond_list
                    rm -f $temp_list
                fi
            fi
        done
    fi
done
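The unblock decision in flush_drop.sh is: for each record `ip y/m/d H:M:S unixtime LOCK` in crond_list, compute `now - unixtime`, and if it exceeds acl_cls delete the iptables rule and drop the record. As an added example (not flush_drop.sh itself), the functions below make that decision over the record format ddos_acl.sh writes, with the clock passed in as a parameter so the logic can be checked against fixed timestamps. The records are a constructed sample; the pruning keeps entries by age rather than by matching the IP text, so one expired record cannot take an unrelated one (10.0.0.50 next to 10.0.0.5) with it, which the original `sed "/$i/d"` would do because the dots act as wildcards.

```shell
#!/bin/sh
# Added example (not part of DDos_Drop): expiry logic for crond_list records
#   "<ip> <y/m/d> <H:M:S> <unix time> LOCK"
# NOW and ACL_CLS are arguments so the functions are testable with a fixed clock.

# expired_ips NOW ACL_CLS < crond_list -> one IP per line whose lock has expired
expired_ips() {
    awk -v now="$1" -v ttl="$2" '$4 != "" && now - $4 > ttl { print $1 }'
}

# unblock_rules NOW ACL_CLS < crond_list -> the iptables delete for each expired IP,
# printed rather than executed so it can be reviewed before running as root
unblock_rules() {
    expired_ips "$1" "$2" | awk '{ printf "/sbin/iptables -D INPUT -s %s -j DROP\n", $1 }'
}

# prune_list NOW ACL_CLS < crond_list -> the list with expired records removed.
# Selection is by the record's own timestamp, not by IP text, so 10.0.0.50 is
# untouched when 10.0.0.5 expires.
prune_list() {
    awk -v now="$1" -v ttl="$2" '!($4 != "" && now - $4 > ttl)'
}

# Constructed sample records; the example clock is now=1700000000 (2023/11/14 22:13:20 UTC).
# With acl_cls=3600: 10.0.0.5 (10000 s old) and 10.0.0.9 (4000 s old) have expired,
# 10.0.0.50 (1000 s old) is still locked.
sample_crond_list() {
    cat <<'EOF'
10.0.0.5 2023/11/14 19:26:40 1699990000 LOCK
10.0.0.50 2023/11/14 21:56:40 1699999000 LOCK
10.0.0.9 2023/11/14 21:06:40 1699996000 LOCK
EOF
}

# Usage, as the daemon loop would do it every exec_time seconds:
#   now=`date +%s`
#   unblock_rules "$now" "$acl_cls" < "$crond_list" | sh
#   prune_list "$now" "$acl_cls" < "$crond_list" > "$temp_list" && mv "$temp_list" "$crond_list"
```

Writing the pruned list to a temporary file and renaming it keeps the schedule file consistent if the daemon is killed mid-update, which matters because dd_start stops it with `kill -9`.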
3. Main Startup Program, dd_start.sh
#!/bin/sh
#############################################
### FileName: autosetup.sh
### Auth: Sunshine Gu
### Version: v1.0.0
### http://blog.hit008.com
### Bash shell for start DDos_Drop.
#############################################
### Main directory
filepath=/usr/local/ddos_drop
### Program name
DAEMON=$filepath/bin/ddos_acl
FLUSHIP=$filepath/bin/flush_drop
### Planned removal (blacklist) queue
crond_list=$filepath/logs/crond_list.dat
### White list
else_list='127.0.0.1|0.0.0.0'
### Monitored ports
grep_port='80|8080|443'
### Pid file
pidfile1=$filepath/logs/ddos_acl.pid
pidfile2=$filepath/logs/flush_drop.pid
### Script name for the usage message
prog=`basename $0`
set -e
[ -x "$DAEMON" ] || exit 0
do_start(){
    if [ `pgrep -f 'ddos_acl' | wc -l` -eq 0 ]; then
        $DAEMON &
        $FLUSHIP &
    else
        echo -e "ddos_acl already running!"
        exit 1
    fi
}
do_stop(){
    if [ `pgrep -f 'ddos_acl' | wc -l` -eq 0 ]; then
        echo -e "ddos_acl not running!"
    else
        kill -9 `cat $pidfile1`
    fi
    if [ `pgrep -f 'flush_drop' | wc -l` -eq 0 ]; then
        echo -e "flush_drop not running!"
    else
        kill -9 `cat $pidfile2`
    fi
    # If both daemons are still present, kill them again and remove the pid files
    if [ `pgrep -f 'flush_drop' | wc -l` -ne 0 ] && [ `pgrep -f 'ddos_acl' | wc -l` -ne 0 ]; then
        kill -9 `cat $pidfile1`
        kill -9 `cat $pidfile2`
        rm -rf $pidfile1 $pidfile2
    fi
}
do_restart(){
    do_stop
    do_start
}
do_status(){
    echo "###---------------------------drop list-----------------------------###"
    echo "ip              y/m/d        H:M:S       Unix/time    Active"
    if [ -e $crond_list ]; then
        cat $crond_list
    else
        echo "no information..."
    fi
    echo "###---------------------------iptables list--------------------------###"
    echo "target     prot  opt  source               destination"
    iptables -n --list | grep 'DROP' | awk '{printf "%-10s %-5s %-4s %-20s %-11s\n", $1, $2, $3, $4, $5}'
    echo "###---------------------------netstat status-------------------------###"
    echo "Num    Proto   Recv-Q  Send-Q  Local Address        Foreign Address      State"
    # Split "ip:port" into two fields so local and foreign addresses can be printed without ports
    netstat -ant | grep -E $grep_port | grep -v -E $else_list | sed 's/:/ /g' | awk '{print $1, $2, $3, $4, $6, $8}' | sort | uniq -c | awk '{printf "%-6s %-06s %-07s %-07s %-20s %-20s %-10s\n", $1, $2, $3, $4, $5, $6, $7}'
    echo "###------------------------------------------------------------------###"
    if [ `pgrep -f 'ddos_acl' | wc -l` -ne 0 ]; then
        echo -n ">>> ddos_acl already running! "
    else
        echo -n ">>> ddos_acl not running! "
    fi
    if [ `pgrep -f 'flush_drop' | wc -l` -ne 0 ]; then
        echo "flush_drop already running! <<<"
    else
        echo "flush_drop not running! <<<"
    fi
}
case "$1" in
    start)
        echo -e "Starting ddos_acl..."
        do_start
        echo "Done."
        ;;
    stop)
        echo -e "Stopping ddos_acl..."
        do_stop
        echo "Done."
        ;;
    restart)
        echo -e "Restarting ddos_acl..."
        do_restart
        echo "Done."
        ;;
    status)
        while true
        do
            clear
            do_status
            sleep 3
        done
        ;;
    *)
        echo $"Usage: $prog {start|stop|restart|status}"
        exit 1
esac
The software must be installed in the specified path (/usr/local/). The installed directories are:
/usr/local/ddos_drop/bin, the executable directory
/usr/local/ddos_drop/conf, the configuration file directory
/usr/local/ddos_drop/logs, the record file directory
The downloaded C files must be compiled with gcc; running autosetup.sh completes the gcc compilation and installation.
Software: DDos Firewall-v1.0.0