DDoS Deflate is a very small tool for defending against and mitigating DDoS attacks. It monitors netstat to find IP addresses that have opened a large number of connections to the server, and bans or blocks those addresses through iptables.
It must be downloaded and installed from a terminal as root. The commands are as follows:
wget https://github.com/jgmdev/ddos-deflate/archive/master.zip
unzip master.zip
cd ddos-deflate-master
./install.sh
Similarly, run the following commands as root to uninstall DDoS Deflate:
cd ddos-deflate-master
./uninstall.sh
Use of DDoS Deflate
The installer automatically checks whether the system supports init.d scripts. If it does, it installs the files and the appropriate DDoS Deflate startup script. In that case DDoS Deflate runs as a daemon, and its monitoring interval is 5 seconds by default.
[root@youxi1 ddos-deflate-master]# vim /etc/ddos/ddos.conf    # view the configuration file

# Paths of the script and other files
PROGDIR="/usr/local/ddos"
SBINDIR="/usr/local/sbin"
PROG="$PROGDIR/ddos.sh"                  # execution script
IGNORE_IP_LIST="ignore.ip.list"          # IP address whitelist
IGNORE_HOST_LIST="ignore.host.list"      # host whitelist
CRON="/etc/cron.d/ddos"                  # scheduled task (cron) file

# Firewall command paths
APF="/usr/sbin/apf"
CSF="/usr/sbin/csf"
IPF="/sbin/ipfw"
IPT="/sbin/iptables"
IPT6="/sbin/ip6tables"
TC="/sbin/tc"

# Line 22: how often the cron job checks for a DDoS, in minutes (default 1)
FREQ=1

# Line 25: how often the check runs when started as a daemon, in seconds
DAEMON_FREQ=5

# Line 28: maximum number of connections; an IP exceeding this value is banned. The default is usually fine
NO_OF_CONNECTIONS=150

# Line 33: if true, only incoming connections are counted, which is slower than counting in/out together
ONLY_INCOMING=false

# Line 38: if true, the script uses tcpdump to scan for the CF-Connecting-IP header sent by CloudFlare servers
# and bans using the iptables string matching module
ENABLE_CLOUDFLARE=false

# Line 43: if true, enable PORT_CONNECTIONS; behaves like ONLY_INCOMING but is slower
ENABLE_PORTS=false

# Line 54: per-port connection detection, one rule per port, in the format
# "port (or port range):maximum connections:ban time (in seconds)"
PORT_CONNECTIONS="80:150:600 443:150:600 20-21:150:600"

# Line 58: firewall to use: auto, apf, csf, ipfw or iptables
FIREWALL="auto"

# Line 62: when an IP is banned, send mail to this address
EMAIL_TO="root"

# Line 65: ban period, in seconds
BAN_PERIOD=600

# Line 71: connection states to block, separated by colons, for example:
# established:syn-sent:syn-recv:fin-wait-1:fin-wait-2
# With the default below, all states except listening and closing are blocked. See man ss for state details
CONN_STATES="connected"

# Line 74: connection states to block when netstat is used; see man netstat for the states.
# Presumably the value above (CONN_STATES) is the one applied when ss is used instead?
CONN_STATES_NS="ESTABLISHED|SYN_SENT|SYN_RECV|FIN_WAIT1|FIN_WAIT2|TIME_WAIT|CLOSE_WAIT|LAST_ACK|CLOSING"

# Line 78: whether to monitor the bandwidth used by each IP and throttle it when the limit is exceeded
# (requires the iftop and tc commands)
BANDWIDTH_CONTROL=false

# Line 82: bandwidth rate that triggers throttling; kbit and mbit are currently supported
BANDWIDTH_CONTROL_LIMIT="1896kbit"

# Line 87: rate cap applied for the drop period once throttling is triggered
BANDWIDTH_DROP_RATE="512kbit"

# Line 91: throttling period, in seconds, i.e. the rate cap stays in place for 600 seconds
BANDWIDTH_DROP_PERIOD=600

# Line 95: if true, only data received from the client is counted, not data sent from the server to the client
BANDWIDTH_ONLY_INCOMING=true
Note: in the configuration file, PORT_CONNECTIONS (line 54) is only used when ENABLE_PORTS (line 43) is true, and BANDWIDTH_CONTROL_LIMIT (line 82), BANDWIDTH_DROP_RATE (line 87), BANDWIDTH_DROP_PERIOD (line 91) and BANDWIDTH_ONLY_INCOMING (line 95) are only used when BANDWIDTH_CONTROL (line 78) is true.
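To make the thresholds above concrete, here is an added Python example (not part of DDoS Deflate itself) that applies NO_OF_CONNECTIONS, the ignore.ip.list whitelist, CONN_STATES_NS and the PORT_CONNECTIONS rule format to constructed netstat output and returns the IPs that would be banned together with their ban time. The strictly-greater-than comparison follows the wording of the configuration comments and is an assumption about the tool's own logic, as is the choice that the longest applicable ban wins.

```python
from collections import Counter
# Constructed sample in `netstat -nt` format (not captured from a real host).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             198.51.100.7:51001      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51002      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:51003      TIME_WAIT
tcp        0      0 10.0.0.5:22             192.0.2.10:55000        ESTABLISHED
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
"""
CONN_STATES_NS = "ESTABLISHED|SYN_SENT|SYN_RECV|FIN_WAIT1|FIN_WAIT2|TIME_WAIT|CLOSE_WAIT|LAST_ACK|CLOSING"
PORT_CONNECTIONS = "80:150:600 443:150:600 20-21:150:600"  # both values as in ddos.conf above

def parse_port_rules(spec):
    """Parse 'port[-port]:max_connections:ban_seconds ...' into (low, high, max, ban) tuples."""
    rules = []
    for item in spec.split():
        ports, max_conns, ban = item.split(":")
        low, _, high = ports.partition("-")
        rules.append((int(low), int(high or low), int(max_conns), int(ban)))
    return rules

def count_connections(netstat_text, states=CONN_STATES_NS):
    """Count connections per (local port, remote IP), keeping only the configured states."""
    wanted = set(states.split("|"))
    counts = Counter()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp") or f[5] not in wanted:
            continue  # header lines, UDP rows (no state column) and LISTEN sockets are skipped
        local_port = int(f[3].rsplit(":", 1)[1])
        remote_ip = f[4].rsplit(":", 1)[0]
        counts[(local_port, remote_ip)] += 1
    return counts

def ips_to_ban(netstat_text, no_of_connections, ban_period=600, ignore_ips=(), port_rules=None):
    """Return {remote_ip: ban_seconds} for IPs over the global limit or over a per-port rule."""
    per_port = count_connections(netstat_text)
    per_ip = Counter()
    for (_port, ip), n in per_port.items():
        per_ip[ip] += n
    # Global NO_OF_CONNECTIONS check; whitelisted IPs (ignore.ip.list) are never banned.
    bans = {ip: ban_period for ip, n in per_ip.items()
            if ip not in ignore_ips and n > no_of_connections}
    # Per-port PORT_CONNECTIONS rules (only consulted when ENABLE_PORTS=true); longest ban wins.
    for (port, ip), n in per_port.items():
        for low, high, max_conns, ban in port_rules or []:
            if ip not in ignore_ips and low <= port <= high and n > max_conns:
                bans[ip] = max(bans.get(ip, 0), ban)
    return bans
```

Run against real output by piping `netstat -ntu` into `ips_to_ban` with the values from your ddos.conf; with the defaults above the constructed sample bans nothing, and lowering the limit to 2 bans 198.51.100.7 for 600 seconds.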
View the scheduled cron task that runs /usr/local/ddos/ddos.sh:
# crontab -l
Enable the service to start at boot:
# chkconfig ddos on
# ddos
DDoS-Deflate version 1.3
Copyright (C) 2005, Zaf <email@example.com>

Usage: ddos [OPTIONS] [N]

N : number of tcp/udp connections (default 50)

OPTIONS:
-h | --help: Show this help screen
-c | --cron: Create cron job to run this script regularly (default 1 mins)
-i | --ignore-list: List whitelisted ip addresses
-b | --bans-list: List currently banned ip addresses.
-u | --unban: Unbans a given ip address.
-d | --start: Initialize a daemon to monitor connections
-s | --stop: Stop the daemon
-t | --status: Show status of daemon and pid if currently running
-v[4|6] | --view [4|6]: Display active connections to the server
-y[4|6] | --view-port [4|6]: Display active connections to the server including the port
-f | --traffic-list: List bandwidth control rules.
-p | --ports: List port blocking rules.
-k | --kill: Block all ip addresses making more than N connections