Installing DDoS Deflate on CentOS 6.x to defend against DDoS attacks

Posted by vurentjie on Fri, 22 May 2020 16:45:29 +0200

DDoS Deflate is a very small tool for defending against and mitigating DDoS attacks. It monitors netstat for IP addresses that hold a large number of connections to the server and bans or blocks those addresses through iptables.

Download and install it from a terminal as root. The commands are as follows:

wget https://github.com/jgmdev/ddos-deflate/archive/master.zip
unzip master.zip
cd ddos-deflate-master
./install.sh

Similarly, run the following commands as root to uninstall DDoS Deflate.

cd ddos-deflate-master
./uninstall.sh

Use of DDoS Deflate

The installer automatically checks whether the system supports init.d scripts. If it does, it installs the files and the appropriate startup script. When started through init, DDoS Deflate runs as a daemon, and its monitoring interval is 5 seconds by default.

[root@youxi1 ddos-deflate-master]# vim /etc/ddos/ddos.conf   # view the configuration file
# Paths of the script and other files
PROGDIR="/usr/local/ddos"
SBINDIR="/usr/local/sbin"
PROG="$PROGDIR/ddos.sh"                # path of the executed script
IGNORE_IP_LIST="ignore.ip.list"        # IP address whitelist
IGNORE_HOST_LIST="ignore.host.list"    # host whitelist
CRON="/etc/cron.d/ddos"                # scheduled task file
# Firewall command paths
APF="/usr/sbin/apf"
CSF="/usr/sbin/csf"
IPF="/sbin/ipfw"
IPT="/sbin/iptables"
IPT6="/sbin/ip6tables"
TC="/sbin/tc"
# Line 22: interval between checks when run from cron, in minutes (default 1)
FREQ=1
# Line 25: how often the daemon checks, in seconds
DAEMON_FREQ=5
# Line 28: maximum number of connections; an IP that exceeds it is banned. The default is usually fine
NO_OF_CONNECTIONS=150
# Line 33: if true, only incoming connections are counted, which is slower than counting in/out
ONLY_INCOMING=false
# Line 38: if true, the script uses tcpdump to read the CF-Connecting-IP header sent by the CloudFlare servers
# and bans offenders with the iptables string-matching module
ENABLE_CLOUDFLARE=false
# Line 43: if true, enable PORT_CONNECTIONS; like ONLY_INCOMING, but slower
ENABLE_PORTS=false
# Line 54: per-port connection detection, one rule per port, in the format "port (or port range):maximum connections:ban time (in seconds)"
PORT_CONNECTIONS="80:150:600 443:150:600 20-21:150:600"
# Line 58: firewall to use: auto, apf, csf, ipfw or iptables
FIREWALL="auto"
# Line 62: when an IP is banned, send mail to this address
EMAIL_TO="root"
# Line 65: ban duration, in seconds
BAN_PERIOD=600
# Line 71: connection states to block, separated by colons, for example: established:syn-sent:syn-recv:fin-wait-1:fin-wait-2
# With the default below, all states except listening and closing are blocked. See man ss for the state names
CONN_STATES="connected"
# Line 74: connection states to block when netstat is used. See man netstat for the state names. Presumably CONN_STATES above is the equivalent when ss is used
CONN_STATES_NS="ESTABLISHED|SYN_SENT|SYN_RECV|FIN_WAIT1|FIN_WAIT2|TIME_WAIT|CLOSE_WAIT|LAST_ACK|CLOSING"
# Line 78: whether to monitor the bandwidth used by each IP and throttle it when the limit is exceeded (requires the iftop and tc commands)
BANDWIDTH_CONTROL=false
# Line 82: bandwidth rate that triggers throttling; kbit and mbit are currently supported
BANDWIDTH_CONTROL_LIMIT="1896kbit"
# Line 87: rate the IP is capped at for the throttling period once throttling is triggered
BANDWIDTH_DROP_RATE="512kbit"
# Line 91: throttling period, in seconds, i.e. the cap applies for 600 seconds
BANDWIDTH_DROP_PERIOD=600
# Line 95: if true, only data received from the client is counted, not data sent from the server to the client
BANDWIDTH_ONLY_INCOMING=true

Note: in the configuration file, PORT_CONNECTIONS (line 54) only takes effect when ENABLE_PORTS (line 43) is true, and BANDWIDTH_CONTROL_LIMIT (line 82), BANDWIDTH_DROP_RATE (line 87), BANDWIDTH_DROP_PERIOD (line 91) and BANDWIDTH_ONLY_INCOMING (line 95) only take effect when BANDWIDTH_CONTROL (line 78) is true.
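To make the counting logic behind NO_OF_CONNECTIONS, CONN_STATES_NS, the ignore list and BAN_PERIOD concrete, here is an added example (my own script, not code from the ddos-deflate project). It runs the same kind of check the tool runs, but over a constructed netstat listing embedded in the script rather than the live host, and it only prints the iptables DROP rule it would add instead of executing it. The sample addresses, the lowered threshold and the exact rule text are assumptions for illustration.

```shell
#!/bin/sh
# Constructed sample of "netstat -ntu" output; not captured from a real host.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.10:51234      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.10:51235      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.10:51236      SYN_RECV
udp        0      0 10.0.0.5:53             203.0.113.10:5353
tcp        0      0 10.0.0.5:443            198.51.100.7:44001      ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.9:60000         ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.9:60001         TIME_WAIT'

# Same settings as ddos.conf, except the threshold is lowered so the sample trips it
# (the real default is 150).
NO_OF_CONNECTIONS=2
BAN_PERIOD=600
CONN_STATES_NS="ESTABLISHED|SYN_SENT|SYN_RECV|FIN_WAIT1|FIN_WAIT2|TIME_WAIT|CLOSE_WAIT|LAST_ACK|CLOSING"
# Stands in for the contents of /etc/ddos/ignore.ip.list (space separated here).
IGNORE_IP_LIST="192.0.2.9"

# Print "count ip" for every remote IP whose counted connections exceed $1.
# Only tcp/udp lines in one of the CONN_STATES_NS states are counted; the udp
# line above has no state column, so it is skipped, as netstat-based checks do.
offending_ips() {
    threshold="$1"
    printf '%s\n' "$SAMPLE_NETSTAT" \
      | awk -v states="$CONN_STATES_NS" \
          '$1 ~ /^(tcp|udp)/ && $6 ~ ("^(" states ")$") { sub(/:[0-9]+$/, "", $5); print $5 }' \
      | sort | uniq -c \
      | awk -v max="$threshold" '$1 > max { print $1, $2 }' \
      | while read -r count ip; do
            case " $IGNORE_IP_LIST " in
                *" $ip "*) continue ;;    # whitelisted address, never banned
            esac
            printf '%s %s\n' "$count" "$ip"
        done
}

# Dry run of the ban step: print the DROP rule that would be inserted for each
# offender and when it would be lifted. Assumed rule shape; nothing is executed.
ban_plan() {
    offending_ips "$NO_OF_CONNECTIONS" | while read -r count ip; do
        printf '%s connections from %s: iptables -I INPUT -s %s -j DROP (unban after %ss)\n' \
            "$count" "$ip" "$ip" "$BAN_PERIOD"
    done
}

ban_plan
```

With the sample above only 203.0.113.10 is reported (three counted connections), while 192.0.2.9 stays unbanned even at a threshold of 1 because it is on the ignore list. Swapping the embedded listing for the output of `netstat -ntu` turns this into a quick way to see which addresses a given NO_OF_CONNECTIONS value would catch before lowering it in production.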

View the crond scheduled task that runs /usr/local/ddos/ddos.sh:

# crontab -l

Enable the service at boot:

# chkconfig ddos on

The ddos command

# ddos

DDoS-Deflate version 1.3
Copyright (C) 2005, Zaf <zaf@vsnl.com>

Usage: ddos [OPTIONS] [N]
N : number of tcp/udp connections (default 50)

OPTIONS:
-h      | --help: Show this help screen
-c      | --cron: Create cron job to run this script regularly (default 1 mins)
-i      | --ignore-list: List whitelisted ip addresses
-b      | --bans-list: List currently banned ip addresses.
-u      | --unban: Unbans a given ip address.
-d      | --start: Initialize a daemon to monitor connections
-s      | --stop: Stop the daemon
-t      | --status: Show status of daemon and pid if currently running
-v[4|6] | --view [4|6]: Display active connections to the server
-y[4|6] | --view-port [4|6]: Display active connections to the server including the port
-f      | --traffic-list: List bandwidth control rules.
-p      | --ports: List port blocking rules.
-k      | --kill: Block all ip addresses making more than N connections
