(1). DDoS concept
A distributed denial of service (DDoS) attack is one in which multiple attackers in different locations attack one or more targets at the same time, or one attacker controls many machines in different locations and uses them to attack the victim simultaneously. Because the attack sources are spread across different places, this kind of attack is called a distributed denial of service attack: there are multiple attackers.
Defending against DDoS is a systems-engineering problem: there are many attack patterns, defense is expensive and it has many bottlenecks, which leaves the defender passive and helpless. The defining characteristic of DDoS is that it is distributed. For bandwidth attacks and service attacks, that is, layer 4 traffic attacks and layer 7 application attacks, the corresponding defense bottleneck is bandwidth at layer 4 and the throughput of the architecture at layer 7. Against layer 7 application attacks we can still do some configuration to defend; for example, if the front end is nginx, mainly by using nginx's ngx_http_limit_conn_module and ngx_http_limit_req_module. ngx_http_limit_conn_module can limit the number of connections from a single IP, and ngx_http_limit_req_module can limit the number of requests per second from a single IP. By limiting the number of connections and requests, it defends relatively effectively against CC attacks (HTTP floods).
(2). Write a script to view DDoS attacks
[root@youxi1 ~]# yum -y install net-tools
[root@youxi1 ~]# vim ddos-ip.sh
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
[root@youxi1 ~]# chmod +x ddos-ip.sh
Note: netstat -ntu shows network connection information; -n does not resolve names (shows IP addresses and port numbers numerically), -t selects TCP and -u selects UDP;
awk '{print $5}' takes the fifth field of each line (the foreign address), using whitespace as the separator;
cut -d: -f1 uses ":" as the delimiter and takes the first field, i.e. the IP address without the port;
sort sorts the addresses;
uniq -c merges duplicates and counts them;
sort -n sorts numerically instead of by string comparison, i.e. by the size of the counts.
Extension: the ss command can also view network connection information, and it runs faster than netstat, but the ss command is slightly different: ss -antu | awk '{print $6}' | cut -d: -f4 | sort | uniq -c | sort -n (the peer address is the sixth field, and cut -d: -f4 is needed because ss shows IPv4 peers of a dual-stack socket as ::ffff:a.b.c.d:port). In addition, both commands count the network connection information within one minute.
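The following script, added here as an example and not part of the original post, generalizes ddos-ip.sh: it reads ss -ntu output, copes with the plain IPv4, IPv4-mapped IPv6 and bracketed IPv6 forms of the peer column (which is why the cut -d: -f4 trick above is fragile), and applies a threshold. The sample ss output and the threshold are constructed, and the function names count_peers and over_limit are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: a more robust version of the
# ddos-ip.sh idea. It reads "ss -ntu" style output (the sample below is constructed),
# extracts the peer IP whether ss prints plain IPv4, IPv4-mapped IPv6
# ("::ffff:a.b.c.d:port") or bracketed IPv6, counts connections per IP, and
# flags the IPs at or above a threshold. On a live host you would run:
#   ss -ntu | count_peers | over_limit 100

# Constructed sample in the column layout of "ss -ntu" (Netid State Recv-Q Send-Q Local Peer).
SAMPLE_SS=$(cat <<'EOF'
Netid State      Recv-Q Send-Q        Local Address:Port            Peer Address:Port
tcp   ESTAB      0      0            192.168.5.101:22              192.168.5.1:49806
tcp   ESTAB      0      0     ::ffff:192.168.5.101:80       ::ffff:192.168.5.200:51001
tcp   ESTAB      0      0     ::ffff:192.168.5.101:80       ::ffff:192.168.5.200:51002
tcp   TIME-WAIT  0      0     ::ffff:192.168.5.101:80       ::ffff:192.168.5.200:51003
tcp   ESTAB      0      0   [::ffff:192.168.5.101]:80     [::ffff:192.168.5.200]:51004
tcp   ESTAB      0      0           [2001:db8::10]:80             [2001:db8::7]:40000
udp   ESTAB      0      0            192.168.5.101:53              192.168.5.1:60000
EOF
)

# Count connections per peer IP. Reads ss output on stdin; prints "count ip",
# ascending by count. LISTEN/UNCONN rows and wildcard peers are skipped.
count_peers() {
    awk 'NR > 1 && $2 != "LISTEN" && $2 != "UNCONN" {
            peer = $6
            gsub(/\[|\]/, "", peer)         # drop IPv6 brackets, if any
            sub(/^::ffff:/, "", peer)       # IPv4-mapped IPv6 -> plain IPv4
            sub(/:[0-9]+$/, "", peer)       # strip the port
            if (peer != "" && peer != "*") print peer
        }' | sort | uniq -c | sort -n | awk '{print $1, $2}'
}

# Keep only "count ip" lines whose count is at or above the threshold given as $1.
over_limit() {
    awk -v lim="$1" '$1 >= lim'
}

# Demo on the constructed sample; a threshold of 3 flags 192.168.5.200 only.
printf '%s\n' "$SAMPLE_SS" | count_peers
echo '--- at or above 3 connections ---'
printf '%s\n' "$SAMPLE_SS" | count_peers | over_limit 3
```

Counting TIME-WAIT sockets as the original script does is deliberate here: a flood of short requests shows up mostly as closed-but-not-yet-reaped connections, which is the same reason the note at the end of this post prefers netstat over the ss -ntu variant.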
Simulate a DDoS attack
[root@youxi1 ~]# yum -y install httpd    // the ab stress-testing command is needed
[root@youxi1 ~]# ab -n 100 -c 10 http://192.168.5.101/index.html
// Now run the script
[root@youxi1 ~]# ./ddos-ip.sh
      Address
      servers)
      192.168.5.1
  101 192.168.5.101
// "Address" and "servers)" are the fifth field of netstat's two header lines
(3). Defending against DDoS attacks
Ways to prevent DDoS: adding firewall rules, increasing bandwidth, adding servers, using CDN technology, high-defense servers and ISPs that provide traffic-cleaning services, etc., as well as the built-in defenses mentioned in the previous section, such as nginx: nginx DDoS-prevention configuration, or nginx tuning (2).
The most common method is adding firewall rules. If the number of IP addresses is small, you can add them manually; if there are many, software is used to add them automatically. For example, fail2ban (it decides whether to block with iptables by analyzing logs; the firewalld firewall is supported; details: https://blog.csdn.net/qq_23587541/article/details/84190650) and DDoS deflate (it judges the number of connections per IP with netstat and blocks with iptables).
1) Introduction to DDoS deflate
DDoS deflate is a free script for preventing and mitigating DDoS attacks. Through netstat it monitors and tracks the IP addresses that create a large number of network connections, and when an address is detected to exceed the preset limit, the program blocks those IP addresses through APF or iptables.
2) Installation
Download address: https://github.com/jgmdev/ddos-deflate (the ss command does not seem to have been debugged properly)
inetbase download address: http://www.inetbase.com/scripts/ddos/
Download the install.sh file and upload it to the server. I used the GitHub download, which is a zip file, so unzip needs to be installed:
[root@youxi1 ~]# yum -y install unzip
[root@youxi1 ~]# unzip ddos-deflate-master.zip
[root@youxi1 ~]# cd ddos-deflate-master/
[root@youxi1 ddos-deflate-master]# ls
ChangeLog  install.sh  Makefile  README.md  uninstall.sh
config  LICENSE  man  src
[root@youxi1 ddos-deflate-master]# ll install.sh
-rwxr-xr-x 1 root root 5788 May 29 23:36 install.sh
[root@youxi1 ddos-deflate-master]# ./install.sh    // run the installer (it installs with yum)
// The installation path is shown at the end
Installation has completed!
Config files are located at /etc/ddos/
[root@youxi1 ddos-deflate-master]# ls /etc/ddos/
ddos.conf  ignore.host.list  ignore.ip.list
View the configuration file
[root@youxi1 ddos-deflate-master]# vim /etc/ddos/ddos.conf    // view the configuration file
# Paths of the script and other files
PROGDIR="/usr/local/ddos"
SBINDIR="/usr/local/sbin"
PROG="$PROGDIR/ddos.sh"    // path of the main script
IGNORE_IP_LIST="ignore.ip.list"    // IP address whitelist
IGNORE_HOST_LIST="ignore.host.list"    // hostname whitelist
CRON="/etc/cron.d/ddos"    // path of the scheduled-task (cron) file
// Paths of the firewall commands
APF="/usr/sbin/apf"
CSF="/usr/sbin/csf"
IPF="/sbin/ipfw"
IPT="/sbin/iptables"
IPT6="/sbin/ip6tables"
TC="/sbin/tc"
// Line 22: how often to check for DDoS, in minutes; the default is 1 minute
FREQ=1
// Line 25: the frequency of checks, in seconds, when running as a daemon
DAEMON_FREQ=5
// Line 28: the maximum number of connections; an IP that exceeds this value is banned. The default is generally fine
NO_OF_CONNECTIONS=150
// Line 33: if true, only incoming connections are counted, which is slower than counting in/out
ONLY_INCOMING=false
// Line 38: when true, the script uses tcpdump to scan for the CF-Connecting-IP header sent by Cloudflare servers,
// and bans are applied with the iptables string-matching module
ENABLE_CLOUDFLARE=false
// Line 43: when true, enables PORT_CONNECTIONS; like ONLY_INCOMING, but slower
ENABLE_PORTS=false
// Line 54: per-port connection detection; a rule for each port in the format "port (or port range):maximum connections:ban time (in seconds)"
PORT_CONNECTIONS="80:150:600 443:150:600 20-21:150:600"
// Line 58: the firewall to use; one of auto, apf, csf, ipfw or iptables
FIREWALL="auto"
// Line 62: when an IP is banned, mail is sent to this address
EMAIL_TO="root"
// Line 65: how long an IP stays banned, in seconds
BAN_PERIOD=600
// Line 71: the connection states to block, separated by colons, for example: established:syn-sent:syn-recv:fin-wait-1:fin-wait-2
// The default value "connected" blocks all states except listening and closing; for details see man ss
CONN_STATES="connected"
// Line 74: the connection states to block when netstat is used; see man netstat for the states (presumably CONN_STATES is the one used when ss is used)
CONN_STATES_NS="ESTABLISHED|SYN_SENT|SYN_RECV|FIN_WAIT1|FIN_WAIT2|TIME_WAIT|CLOSE_WAIT|LAST_ACK|CLOSING"
// Line 78: whether to monitor the bandwidth used by each IP and throttle it when it exceeds the limit (requires the iftop and tc commands)
BANDWIDTH_CONTROL=false
// Line 82: the bandwidth rate that triggers throttling; kbit and mbit are currently supported
BANDWIDTH_CONTROL_LIMIT="1896kbit"
// Line 87: when throttling is triggered, the rate cap applied for the specified period
BANDWIDTH_DROP_RATE="512kbit"
// Line 91: the throttling period in seconds, i.e. the rate limit lasts 600 seconds
BANDWIDTH_DROP_PERIOD=600
// Line 95: if true, only data received from the client is counted, not data sent by the server to the client
BANDWIDTH_ONLY_INCOMING=true
Note: in the configuration file, PORT_CONNECTIONS (line 54) only takes effect when ENABLE_PORTS (line 43) is on, and BANDWIDTH_CONTROL_LIMIT (line 82), BANDWIDTH_DROP_RATE (line 87), BANDWIDTH_DROP_PERIOD (line 91) and BANDWIDTH_ONLY_INCOMING (line 95) only take effect when BANDWIDTH_CONTROL (line 78) is on.
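As an added example (not ddos-deflate's own ddos.sh), the following shell script shows how the settings above fit together: it reads NO_OF_CONNECTIONS, IPT and BAN_PERIOD from a constructed ddos.conf-style excerpt, skips whitelisted addresses (the role of ignore.ip.list), and prints the iptables DROP rule plus a delayed removal for each IP over the limit. The counts, config excerpt and whitelist are constructed, the function names are this example's own, and scheduling the unban with at is this example's choice rather than a statement about how ddos-deflate does it. It prints the commands instead of running them, so it can be tried on any machine.

```shell
#!/bin/sh
# Added example, not ddos-deflate's own code: apply the ddos.conf settings
# (NO_OF_CONNECTIONS, BAN_PERIOD, IPT and the ignore.ip.list whitelist) to
# per-IP connection counts and print the iptables commands a ban would run,
# without executing them. All inputs below are constructed.

# Constructed excerpt in the KEY=VALUE syntax of /etc/ddos/ddos.conf.
CONF=$(cat <<'EOF'
# Maximum connections before an IP is banned
NO_OF_CONNECTIONS=150
IPT="/sbin/iptables"
BAN_PERIOD=600
EOF
)

# Constructed whitelist, one exact IP per line (the role of ignore.ip.list).
IGNORE_LIST=$(cat <<'EOF'
127.0.0.1
192.168.5.1
EOF
)

# Constructed per-IP counts in the "count ip" form that "netstat ... | uniq -c" produces.
COUNTS=$(cat <<'EOF'
    160 192.168.5.1
    180 192.168.5.200
    151 10.0.0.9
    150 10.0.0.8
EOF
)

# conf_get KEY: read KEY from KEY=VALUE text on stdin, stripping surrounding quotes.
conf_get() {
    awk -F= -v key="$1" '$1 == key { v = $2; gsub(/"/, "", v); print v; exit }'
}

# offenders LIMIT IGNORE_TEXT: read "count ip" lines on stdin and print the IPs whose
# count is strictly greater than LIMIT and that are not in the whitelist.
offenders() {
    ignore=$(printf '%s\n' "$2" | tr '\n' ' ')
    awk -v lim="$1" -v ignore="$ignore" '
        BEGIN { n = split(ignore, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        $1 > lim && !($2 in skip) { print $2 }'
}

# ban_commands IPT IP SECONDS: print the DROP rule and a delayed removal of it
# (the at-based unban is this example's assumption, not ddos-deflate's mechanism).
ban_commands() {
    printf '%s -I INPUT -s %s -j DROP\n' "$1" "$2"
    printf 'echo "%s -D INPUT -s %s -j DROP" | at now + %d minutes\n' "$1" "$2" "$(( $3 / 60 ))"
}

# plan_bans: combine the pieces for the constructed inputs; prints the commands (dry run).
plan_bans() {
    limit=$(printf '%s\n' "$CONF" | conf_get NO_OF_CONNECTIONS)
    ipt=$(printf '%s\n' "$CONF" | conf_get IPT)
    period=$(printf '%s\n' "$CONF" | conf_get BAN_PERIOD)
    printf '%s\n' "$COUNTS" | offenders "$limit" "$IGNORE_LIST" | while read -r ip; do
        ban_commands "$ipt" "$ip" "$period"
    done
}

plan_bans
```

With these inputs 192.168.5.1 is skipped because it is whitelisted even though it has 160 connections, 10.0.0.8 at exactly 150 is not banned because the limit is a strict "more than", and 192.168.5.200 and 10.0.0.9 each get a DROP rule and a removal scheduled 10 minutes later. Keeping the management address in the whitelist, as the 192.168.5.1 entry does here, is what prevents the admin's own SSH session from being locked out during a test like the ab run above.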
In addition, the latest DDoS deflate supports management with systemctl:
[root@youxi1 ~]# systemctl status ddos
● ddos.service - (D)Dos Deflate
   Loaded: loaded (/usr/lib/systemd/system/ddos.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2019-08-31 17:40:05 CST; 8min ago
  Process: 1126 ExecStart=/usr/local/sbin/ddos --start (code=exited, status=0/SUCCESS)
 Main PID: 1163 (ddos.sh)
   CGroup: /system.slice/ddos.service
           ├─1163 /bin/sh /usr/local/ddos/ddos.sh -l
           └─4375 sleep 5

Aug 31 17:40:04 youxi1 systemd[1]: Starting (D)Dos Deflate...
Aug 31 17:40:05 youxi1 ddos
Aug 31 17:40:05 youxi1 systemd[1]: Started (D)Dos Deflate.
Since DDoS deflate does not currently support firewalld, iptables needs to be installed:
[root@youxi1 ~]# systemctl stop firewalld
[root@youxi1 ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@youxi1 ~]# yum -y install iptables-services
[root@youxi1 ~]# systemctl start iptables
[root@youxi1 ~]# systemctl enable iptables
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@youxi1 ~]# iptables -F    // flush the rules, which makes the experiment easier
Note: the latest version of DDoS deflate, 1.3 (the GitHub download), uses the ss command. However, when ss is run with the -ntu option, completed network connections are not counted. Personally I feel it is not as good as the original (the inetbase download). For how to use the original, see: https://blog.csdn.net/huangyuxin_/article/details/100116403
3) Uninstall
Just run ./uninstall.sh.