Summary of anti-DDOS attack methods in Linux

Source: Internet
Author: User

In linux, the most common way to defend against ddos attacks is to install DDoS deflate to prevent or mitigate ddos attacks. However, there are other methods to use. I will introduce them below.

Introduction to DDoS deflate

DDoS deflate is a free script for defending against and mitigating DDoS attacks. It uses netstat to monitor and track the creation of a large number of IP addresses connected to the network. When detecting that a node exceeds the preset limit, the program will disable or block these IP addresses through the filters or IPTABLES.

DDoS deflate Official Website: http://deflate.medialayer.com/

How can I determine whether a DDOS attack is triggered? Run:

The Code is as follows: Copy code

Netstat-ntu | awk '{print $5}' | cut-d:-f1 | sort | uniq-c | sort-n

After the command is executed, the number of connections from each IP address on the server is displayed.

The following are the results of my own VPS test:

The Code is as follows: Copy code

Li88-99 :~ # Netstat-ntu | awk '{print $5}' | cut-d:-f1 | sort | uniq-c | sort-n
1 114.226.9.132
1 174.129.237.157
1 58.60.118.142
1 Address
1 servers)
2 118.26.131.78
3 123.125.1.202
3 220.248.43.119
4 117.36.231.253
4 119.162.46.124
6 219.140.232.128
8 220.181.61.31
2311 67.215.242.196

The number of connections per IP address, IP address, or IP address is normal. If the number of connections is hundreds of thousands, it is not normal.

1. Install DDoS deflate123 wget http://www.inetbase.com/scripts/ddos/install.sh // download DDoS deflate

The Code is as follows: Copy code
Chmod 0700 install. sh // Add Permissions
./Install. sh // Execute

2. Configure DDoS deflate. The default configuration of DDoS deflate is in/usr/local/ddos. conf. The content is as follows:

The Code is as follows: Copy code
##### Paths of the script and other files
PROGDIR = "/usr/local/ddos"
PROG = "/usr/local/ddos. sh"
IGNORE_IP_LIST = "/usr/local/ddos/ignore. ip. list" // ip address whitelist
CRON = "/etc/cron. d/ddos. cron" // scheduled execution Program
<G id = "1"> </etc/</G>"
EPT = "/sbin/iptables"

##### Frequency in minutes for running the script
##### Caution: Every time this setting is changed, run the script with -- cron
##### Option so that the new frequency takes effect
FREQ = 1 // check interval. The default value is 1 minute.

##### How many connections define a bad IP? Indicate that below.
NO_OF_CONNECTIONS = 150 // The maximum number of connections. IP addresses exceeding this value will be blocked. Generally, the default value is enough.

##### APF_BAN = 1 (Make sure your APL version is atleast 0.96)
##### APF_BAN = 0 (Uses iptables for banning ips instead of APT)
APF_BAN = 1 // whether to use the public IP address whitelist or iptables. We recommend that you use iptables to change the value of APF_BAN to 0.

##### KILL = 0 (Bad IPs are 'nt banned, good for interactive execution of script)
##### KILL = 1 (Recommended setting)
KILL = 1 // whether the IP address is blocked. The default value is enough.

##### An email is sent to the following address when an IP is banned.
##### Blank wocould suppress sending of mails
EMAIL_TO = "root" // when the IP address is blocked, send an email to the specified email address. We recommend that you use it in your own email address.

##### Number of seconds the banned ip shoshould remain in blacklist.
BAN_PERIOD = 600 // IP address disabling time. The default value is 600 seconds. It can be adjusted as needed.

You can modify the configuration file according to the remarks on the default configuration file.


View the 117th rows of the/usr/local/ddos. sh file (some need to be personalized, and modify it if the default value is invalid)

The Code is as follows: Copy code

Netstat-ntu | awk '{print $5}' | cut-d:-f1 | sort | uniq-c | sort-nr> $ BAD_IP_LIST

Modify it to the following code!

The Code is as follows: Copy code

Netstat-ntu | awk '{print $5}' | cut-d: -f1 | sed-n'/[0-9]/P' | sort | uniq-c | sort-nr> $ BAD_IP_LIST

If you like it, you can use Web stress testing software to test the effect. I believe that DDoS deflate can still defend your VPS or server against some DDOS attacks and provide more protection for your website.


In addition to this method, we recommend a method to defend against ddos attacks.

Script

The Code is as follows: Copy code

Wget http://www.inetbase.com/scripts/ddos/install.sh
Chmod + x install. sh
./Install. sh

To uninstall

The Code is as follows: Copy code

Wget http://www.inetbase.com/scripts/ddos/uninstall.sh
Chmod + x uninstall. sh
./Uninstall. sh

Then the installation is successful. It should be okay for general ddos attacks.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.