CentOS 6.X installs ddos deflate to defend against ddos Attacks

Posted by vurentjie on Fri, 22 May 2020 16:45:29 +0200

DDoS deflate is a very small tool for defense and mitigation of DDoS attacks. It can create a large number of IP address information of Internet connection by monitoring netstat, and prohibit or block these non IP addresses through IPTABLES.

It must be downloaded and installed in the terminal account under root authority. The specific commands are as follows:

wget https://github.com/jgmdev/ddos-deflate/archive/master.zip
unzip master.zip
cd ddos-deflate-master

Similarly, execute the following command under the root account to uninstall DDoS Deflate.

cd ddos-deflate-master

Use of DDoS Deflate

The installer will automatically check whether the init.d script is supported by the system. If it is supported, it will install the file and the DDoS apropiate of the startup script. In the case of initialization. DDoS Deflate starts as a daemons, and its monitoring interval is set to 5 seconds by default.

[root@youxi1 ddos-deflate-master]# vim /etc/ddos/ddos.conf / / view the configuration file
//Paths to scripts and other files
# Paths of the script and other files
PROG="$PROGDIR/ddos.sh"  //Execution script address
IGNORE_IP_LIST="ignore.ip.list"  //IP address white list
IGNORE_HOST_LIST="ignore.host.list"  //Host white list
CRON="/etc/cron.d/ddos"  //Scheduled task file address
//Firewall command address
//Line 22, check the DDos interval, default 1 minute
//Line 25, how often does it run as a daemons, in seconds
//Line 28, the maximum number of connections. If the number exceeds this value, IP will be disabled. Generally, it is OK by default
//Line 33. If it is true, only access connections will be counted, which will be slower than in/out statistics
//Line 38, when it is true, the script will use tcpdump to scan the CF connecting IP header labels sent by CloudFlare server,
//And prohibit using iptables string matching module
//Line 43, enable port when true_ Connections, and ONLY_INCOMING is the same, but slower
//Line 54, port connection detection, allocate listening rules for each port, the format is "port (or port): maximum connections: disable time (in seconds)"
PORT_CONNECTIONS="80:150:600 443:150:600 20-21:150:600"
//Line 58, firewall used, including auto, apf, csf, ipfw, and iptables
//Line 62, when ip is blocked, send mail to the specified mailbox
//Line 65, IP inhibit time, in seconds
//Line 71, connection status to block, separated by colons, for example: ES tablished:syn-sent :syn- recv:fin-wait-1 :fin-wait-2
//In this example, by default, all statuses except listening and closing are blocked. See man ss for status details
//Line 74, the connection status to be blocked when netstat is used. See man netstat for the status. In theory, the above is the connection state blocked when using ss?
//Line 78, whether to monitor the bandwidth used by each ip, and reduce the rate when exceeding (iftop and tc commands are required)
//Line 82, trigger the bandwidth rate of deceleration, currently support kbit and mbit
//Line 87, when the deceleration is triggered, the speed will be at the upper limit within the specified time period
//Line 91, the time period of deceleration, in seconds, i.e. there will be an upper speed limit in 600 seconds
//Line 95, if true, only the data received from the client is considered, not the data sent from the server to the client

Note: in the configuration file, enable_ When the ports (line 43) parameter is on, PORT_CONNECTIONS (line 54) to use; bandwidth_ When the control (line 78) parameter is on, BANDWIDTH_CONTROL_LIMIT (line 82), BANDWIDTH_DROP_RATE (line 87), BANDWIDTH_DROP_PERIOD (line 91), BANDWIDTH_ONLY_INCOMING (line 95) can be used.

View scheduled crond execution tasks / usr/local/ddos/ddos.sh

# crontab -l

Add power on task:

# chkconfig ddos on

DDOS command

# ddos

DDoS-Deflate version 1.3
Copyright (C) 2005, Zaf <zaf@vsnl.com>

Usage: ddos [OPTIONS] [N]
N : number of tcp/udp connections (default 50)

-h      | --help: Show this help screen
-c      | --cron: Create cron job to run this script regularly (default 1 mins)
-i      | --ignore-list: List whitelisted ip addresses
-b      | --bans-list: List currently banned ip addresses.
-u      | --unban: Unbans a given ip address.
-d      | --start: Initialize a daemon to monitor connections
-s      | --stop: Stop the daemon
-t      | --status: Show status of daemon and pid if currently running
-v[4|6] | --view [4|6]: Display active connections to the server
-y[4|6] | --view-port [4|6]: Display active connections to the server including the port
-f      | --traffic-list: List bandwidth control rules.
-p      | --ports: List port blocking rules.
-k      | --kill: Block all ip addresses making more than N connections

Topics: Programming iptables firewall github vim