DDoS Deflate is a very small tool for defending against and mitigating DDoS attacks. It monitors netstat to find IP addresses that have opened a large number of connections and blocks those addresses via APF or iptables.
We can use the netstat command to view the system's current connections and check whether it is under a DDoS attack:
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
1. Installing DDoS deflate
wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh
./install.sh
2. Configuring DDoS Deflate
The default configuration of DDoS Deflate is in /usr/local/ddos/ddos.conf and reads as follows:
##### Paths of the script and other files
PROGDIR="/usr/local/ddos"
PROG="/usr/local/ddos/ddos.sh"
IGNORE_IP_LIST="/usr/local/ddos/ignore.ip.list" # IP address whitelist
CRON="/etc/cron.d/ddos.cron" # scheduled (cron) job
APF="/etc/apf/apf"
IPT="/sbin/iptables"
##### frequency in minutes for running the script
##### Caution: Every time this setting is changed, run the script with --cron
##### option so that the new frequency takes effect
FREQ=1 # check interval; default 1 minute
##### How many connections define a bad IP? Indicate that below.
NO_OF_CONNECTIONS=150 # maximum number of connections; IPs with more than this are blocked, the default is generally fine
##### APF_BAN=1 (Make sure your APF version is at least 0.96)
##### APF_BAN=0 (Uses iptables for banning IPs instead of APF)
APF_BAN=0 # use APF or iptables; iptables is recommended, so set APF_BAN to 0
##### KILL=0 (Bad IPs aren't banned, good for interactive execution of script)
##### KILL=1 (Recommended setting)
KILL=1 # whether to block the IP (default)
##### An e-mail is sent to the following address when an IP is banned.
##### Blank would suppress sending of mails
EMAIL_TO="root" # send mail to this address when an IP is blocked; recommended, change it to your own mailbox
##### Number of seconds the banned IP should remain in blacklist.
BAN_PERIOD=600 # how long an IP stays banned; default 600 seconds, adjust as needed
Users can modify the configuration file by following the comments added to the default configuration above.
View line 117 of the /usr/local/ddos/ddos.sh file:
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr > $BAD_IP_LIST
Change it to the following:
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sed -n '/[0-9]/p' | sort | uniq -c | sort -nr > $BAD_IP_LIST
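The effect of the added sed filter, shown on constructed netstat output. This is an added example, not code from DDoS Deflate. The sample addresses, the threshold of 2 and the helper over_limit are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed `netstat -ntu` output (documentation addresses, not real traffic).
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           203.0.113.7:51514       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.7:51515       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.7:51516       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.7:51517       ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.4:40022      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.9:33100      TIME_WAIT
tcp        0      0 192.0.2.10:80           198.51.100.9:33101      TIME_WAIT
tcp        0      0 192.0.2.10:80           198.51.100.9:33102      TIME_WAIT
EOF
}

# Original pipeline: the two header lines yield "servers)" and "Address",
# which end up in the list as if they were remote addresses.
count_original() {
    awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
}

# Modified pipeline: sed keeps only entries that contain a digit.
count_filtered() {
    awk '{print $5}' | cut -d: -f1 | sed -n '/[0-9]/p' | sort | uniq -c | sort -nr
}

# Hypothetical helper: print IPs with more than $1 connections, skipping any
# listed one per line in file $2 (in the spirit of NO_OF_CONNECTIONS and
# IGNORE_IP_LIST; it only prints, it does not ban anything).
over_limit() {
    limit=$1 ignore=$2
    count_filtered | while read -r conns ip; do
        [ "$conns" -gt "$limit" ] || continue
        grep -qxF "$ip" "$ignore" 2>/dev/null && continue
        echo "$ip"
    done
}

# Threshold 2 fits the tiny sample only; the configuration above uses 150.
sample_netstat | over_limit 2 /dev/null
```

Because `cut -d: -f1` splits on the first colon, an IPv6 peer is reduced to its first group (or to an empty string for `::ffff:` mapped addresses), so this counting is only meaningful for IPv4 connections.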
Users can also use the web stress-testing tool ab to test the effect. DDoS Deflate can help your VPS or server defend against some DDoS attacks and give your site more protection.
Installing the ab command:
yum install httpd-tools -y
3. Uninstalling DDoS Deflate
wget http://www.inetbase.com/scripts/ddos/uninstall.ddos
chmod 0700 uninstall.ddos
./uninstall.ddos
Use DDoS deflate to protect against a small number of DDoS attacks