In linux, the most common way to defend against ddos attacks is to install DDoS deflate to prevent or mitigate ddos attacks. However, there are other methods to use. I will introduce them below.
Introduction to DDoS deflate
DDoS deflate is a free script for defending against and mitigating DDoS attacks. It uses netstat to monitor and track the creation of a large number of IP addresses connected to the network. When detecting that a node exceeds the preset limit, the program will disable or block these IP addresses through the filters or IPTABLES.
DDoS deflate Official Website: http://deflate.medialayer.com/
How can I determine whether a DDOS attack is triggered? Run:
The Code is as follows: |
Copy code |
Netstat-ntu | awk '{print $5}' | cut-d:-f1 | sort | uniq-c | sort-n |
After the command is executed, the number of connections from each IP address on the server is displayed.
The following are the results of my own VPS test:
The Code is as follows: |
Copy code |
Li88-99 :~ # Netstat-ntu | awk '{print $5}' | cut-d:-f1 | sort | uniq-c | sort-n 1 114.226.9.132 1 174.129.237.157 1 58.60.118.142 1 Address 1 servers) 2 118.26.131.78 3 123.125.1.202 3 220.248.43.119 4 117.36.231.253 4 119.162.46.124 6 219.140.232.128 8 220.181.61.31 2311 67.215.242.196 |
The number of connections per IP address, IP address, or IP address is normal. If the number of connections is hundreds of thousands, it is not normal.
1. Install DDoS deflate123 wget http://www.inetbase.com/scripts/ddos/install.sh // download DDoS deflate
The Code is as follows: |
Copy code |
Chmod 0700 install. sh // Add Permissions ./Install. sh // Execute |
2. Configure DDoS deflate. The default configuration of DDoS deflate is in/usr/local/ddos. conf. The content is as follows:
The Code is as follows: |
Copy code |
##### Paths of the script and other files PROGDIR = "/usr/local/ddos" PROG = "/usr/local/ddos. sh" IGNORE_IP_LIST = "/usr/local/ddos/ignore. ip. list" // ip address whitelist CRON = "/etc/cron. d/ddos. cron" // scheduled execution Program <G id = "1"> </etc/</G>" EPT = "/sbin/iptables"
##### Frequency in minutes for running the script ##### Caution: Every time this setting is changed, run the script with -- cron ##### Option so that the new frequency takes effect FREQ = 1 // check interval. The default value is 1 minute.
##### How many connections define a bad IP? Indicate that below. NO_OF_CONNECTIONS = 150 // The maximum number of connections. IP addresses exceeding this value will be blocked. Generally, the default value is enough.
##### APF_BAN = 1 (Make sure your APL version is atleast 0.96) ##### APF_BAN = 0 (Uses iptables for banning ips instead of APT) APF_BAN = 1 // whether to use the public IP address whitelist or iptables. We recommend that you use iptables to change the value of APF_BAN to 0.
##### KILL = 0 (Bad IPs are 'nt banned, good for interactive execution of script) ##### KILL = 1 (Recommended setting) KILL = 1 // whether the IP address is blocked. The default value is enough.
##### An email is sent to the following address when an IP is banned. ##### Blank wocould suppress sending of mails EMAIL_TO = "root" // when the IP address is blocked, send an email to the specified email address. We recommend that you use it in your own email address.
##### Number of seconds the banned ip shoshould remain in blacklist. BAN_PERIOD = 600 // IP address disabling time. The default value is 600 seconds. It can be adjusted as needed.
|
You can modify the configuration file according to the remarks on the default configuration file.
View the 117th rows of the/usr/local/ddos. sh file (some need to be personalized, and modify it if the default value is invalid)
The Code is as follows: |
Copy code |
Netstat-ntu | awk '{print $5}' | cut-d:-f1 | sort | uniq-c | sort-nr> $ BAD_IP_LIST |
Modify it to the following code!
The Code is as follows: |
Copy code |
Netstat-ntu | awk '{print $5}' | cut-d: -f1 | sed-n'/[0-9]/P' | sort | uniq-c | sort-nr> $ BAD_IP_LIST |
If you like it, you can use Web stress testing software to test the effect. I believe that DDoS deflate can still defend your VPS or server against some DDOS attacks and provide more protection for your website.
In addition to this method, we recommend a method to defend against ddos attacks.
Script
The Code is as follows: |
Copy code |
Wget http://www.inetbase.com/scripts/ddos/install.sh Chmod + x install. sh ./Install. sh |
To uninstall
The Code is as follows: |
Copy code |
Wget http://www.inetbase.com/scripts/ddos/uninstall.sh Chmod + x uninstall. sh ./Uninstall. sh |
Then the installation is successful. It should be okay for general ddos attacks.