DDoS Deflate: blocking denial of service attack

DDoS Deflate is a lightweight bash shell script designed to assist in the process of blocking a denial of service attack. It utilizes the command below to create a list of IP addresses connected to the server, along with their total number of connections. It is one of the simplest and easiest to install solutions at the software level.

netstat -an | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -n

IP addresses with over a pre-configured number of connections are automatically blocked in the server’s firewall, which can be direct ipfw, iptables, or Advanced Policy Firewall (APF). (We highly recommend that you use APF on your server in general, but deflate will work without it.)

Notable Features

• It is possible to whitelist IP addresses, via /etc/ddos/ignore.ip.list.
• It is possible to whitelist hostnames, via /etc/ddos/ignore.host.list.
• Simple configuration file: /etc/ddos/ddos.conf
• IP addresses are automatically unblocked after a pre-configured time limit (default: 600 seconds)
• The script can run as a cron job at chosen frequency via the configuration file (default: 1 minute)
• The script can run as a daemon at chosen frequency via the configuration file (default: 5 seconds)
• You can receive email alerts when IP addresses are blocked.
• Control blocking by connection state (see man netstat).
• Auto-detection of firewall.
• Support for APF, CSF, ipfw, and iptables.
• Logs events to /var/log/ddos.log
• Uses tcpkill to reduce the amount of processes opened by attackers.

Installation

wget https://github.com/jgmdev/ddos-deflate/archive/master.zip
unzip master.zip
cd ddos-deflate-master
./install.sh

Uninstallation

cd ddos-deflate-master
./uninstall.sh

Usage

The installer will automatically detect if your system supports init.d scripts, systemd services or cron jobs. If one of them is found it will install appropriate files and start the ddos script. In the case of init.d and systemd, the ddos script is started as a daemon, which monitoring interval is set at 5 seconds by default. The daemon is many faster-detecting attacks than the cron job since Cron’s are capped at 1-minute intervals.

Once you have (D)Dos deflate installed proceed to modify the config files to fit your needs.

/etc/ddos/ignore.host.list

On this file you can add a list of hostnames to be whitelisted, for example:

googlebot.com
my-dynamic-ip.somehost.com

/etc/ddos/ignore.ip.list

On this file you can add a list of ip addresses to be whitelisted, for example:

12.43.63.13
129.134.131.2

/etc/ddos/ddos.conf

The behavior of the ddos script is modified by this configuration file. For more details see man ddos which has documentation of the different configuration options.

After you modify the config files you will need to restart the daemon. If running on systemd:

systemctl restart ddos

If running as classical init.d script:

/etc/init.d/ddos restart
or
service ddos restart

When running the script as a cronjob no restarting is required.

Zaf zaf@vsnl.com (Copyright (C) 2005)

Source: https://github.com/jgmdev/