Tuesday, 5 June 2012

Using DDoS deflate as a simple defence against DDoS attacks



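Use the netstat command to list the VPS's current connections and confirm whether it is under attack:
  • netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
The number in front of each IP is its connection count. For a normal website, a few dozen up to about a hundred connections is normal, but if you see several hundred or over a thousand, you can be sure that there may be suspicious connections between that IP and your VPS.
You can use iptables to ban that IP's access permanently:
  • iptables -A INPUT -s 12.34.56.78 -j DROP
Here is a method that uses the DDoS deflate software to detect and ban such IPs automatically. First check the status of the iptables service; it is installed by default on CentOS, so you can skip this check.
  • service iptables status
Install DDoS deflate:
After installation, edit /usr/local/ddos/ddos.conf. The main change is to set APF_BAN=1 to 0, because iptables is to be used to block suspicious connections. Note EMAIL_TO="root": with this set, an email notification is sent whenever an IP is banned: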
##### Paths of the script and other files
PROGDIR="/usr/local/ddos"
PROG="/usr/local/ddos/ddos.sh"
IGNORE_IP_LIST="/usr/local/ddos/ignore.ip.list"  # IP address whitelist
CRON="/etc/cron.d/ddos.cron"    # cron job that runs the script on a schedule
APF="/etc/apf/apf"
IPT="/sbin/iptables"
##### frequency in minutes for running the script
##### Caution: Every time this setting is changed, run the script with --cron
#####          option so that the new frequency takes effect
FREQ=1   # check interval, 1 minute by default
##### How many connections define a bad IP? Indicate that below.
NO_OF_CONNECTIONS=150     # maximum connections; an IP above this number is blocked, the default is usually fine
##### APF_BAN=1 (Make sure your APF version is atleast 0.96)
##### APF_BAN=0 (Uses iptables for banning ips instead of APF)
APF_BAN=1        # use APF or iptables; iptables is recommended, so change APF_BAN to 0
##### KILL=0 (Bad IPs are'nt banned, good for interactive execution of script)
##### KILL=1 (Recommended setting)
KILL=1   # whether to block IPs, keep the default
##### An email is sent to the following address when an IP is banned.
##### Blank would suppress sending of mails
EMAIL_TO="root"   # address that receives a mail when an IP is blocked; recommended, replace with your own address
##### Number of seconds the banned ip should remain in blacklist.
BAN_PERIOD=600    # how long an IP stays banned, 600 seconds by default; adjust as needed
 ---------------------------------

Related post: https://briteming.blogspot.com/2015/08/ddos-deflate.html
-----------------------------------

Fork of DDoS Deflate with fixes, improvements and new features. 

DDoS Deflate

Fork of DDoS Deflate, originally hosted at the now-defunct http://deflate.medialayer.com/ (MediaLayer went out of business), with fixes, improvements and new features.
Original Author: Zaf zaf@vsnl.com (Copyright (C) 2005)
Maintainer: Jefferson González jgmdev@gmail.com
Contributor (BSD support): Marc S. Brooks devel@mbrooks.info

About

(D)DoS Deflate is a lightweight bash shell script designed to assist in the process of blocking a denial of service attack. It utilizes the command below to create a list of IP addresses connected to the server, along with their total number of connections. It is one of the simplest and easiest to install solutions at the software level.
ss -Hntu | awk '{print $6}' | sort | uniq -c | sort -nr
IP addresses with over a pre-configured number of connections are automatically blocked in the server's firewall, which can be direct ipfw, iptables, or Advanced Policy Firewall (APF).

Notable Features

  • IPv6 support.
  • It is possible to whitelist IP addresses, via /etc/ddos/ignore.ip.list.
  • It is possible to whitelist hostnames, via /etc/ddos/ignore.host.list.
  • IP ranges and CIDR syntax are supported in /etc/ddos/ignore.ip.list
  • Simple configuration file: /etc/ddos/ddos.conf
  • IP addresses are automatically unblocked after a preconfigured time limit (default: 600 seconds)
  • The script can run as a cron job at chosen frequency via the configuration file (default: 1 minute)
  • The script can run as a daemon at chosen frequency via the configuration file (default: 5 seconds)
  • You can receive email alerts when IP addresses are blocked.
  • Control blocking by connection state (see man ss or man netstat).
  • Auto-detection of firewall.
  • Support for APF, CSF, ipfw, and iptables.
  • Logs events to /var/log/ddos.log
  • Can ban only incoming connections or by specific port rules.
  • Option to reduce transfer speed for IP addresses that reach certain limit using iftop and tc.
  • Uses tcpkill to reduce the number of processes opened by attackers.
  • Cloudflare support by using tcpdump to get the real user ip and using iptables string matching to drop connections.

Installation

As root user execute the following commands:
wget https://github.com/jgmdev/ddos-deflate/archive/master.zip -O ddos.zip
unzip ddos.zip
cd ddos-deflate-master
./install.sh

Uninstallation

As root user execute the following commands:
cd ddos-deflate-master
./uninstall.sh

Usage

The installer will automatically detect whether your system supports init.d scripts, systemd services or cron jobs. If one of them is found, it will install the appropriate files and start the ddos script. In the case of init.d and systemd the ddos script is started as a daemon, whose monitoring interval is set at 5 seconds by default. The daemon detects attacks much faster than the cron job, since cron jobs are capped at 1-minute intervals.
Once you have (D)DoS Deflate installed, proceed to modify the config files to fit your needs.
/etc/ddos/ignore.host.list
In this file you can add a list of host names to be whitelisted, for example:
googlebot.com
my-dynamic-ip.somehost.com
/etc/ddos/ignore.ip.list
In this file you can add a list of IP addresses to be whitelisted, for example:
12.43.63.13
165.123.34.43-165.123.34.100
192.168.1.0/24
129.134.131.2
/etc/ddos/ddos.conf
The behaviour of the ddos script is modified by this configuration file. For more details see man ddos which has documentation of the different configuration options.
After you modify the config files you will need to restart the daemon. If running on systemd:
systemctl restart ddos
If running as classical init.d script:
/etc/init.d/ddos restart
or
service ddos restart
When running the script as a cronjob no restarting is required.
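
The count, whitelist and threshold steps described above, as an added dry-run example in shell and awk (not the ddos-deflate script's own code): it reads `ss -Hntu` style lines, strips the port from the peer column so that connections are totalled per address, skips peers covered by an ignore.ip.list-style file, and prints what exceeds the limit without touching the firewall. The names over_limit and sample_ss and every sample address are constructed for illustration, and whitelist matching here covers IPv4 entries only (single IP, range, CIDR).

```shell
#!/bin/sh
# Added example, not the ddos-deflate code: dry run of count -> whitelist -> threshold.
# Usage: ss -Hntu | over_limit LIMIT WHITELIST_FILE   (prints "count address")
over_limit() {
    awk -v limit="$1" -v wl="$2" '
    function ip2n(ip,   o) {          # dotted quad -> integer, -1 if not IPv4
        if (split(ip, o, ".") != 4) return -1
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    BEGIN {                           # whitelist: single IP, a-b range or CIDR
        while ((getline line < wl) > 0) {
            if (line ~ /^[ \t]*(#|$)/) continue
            split(line, f, " "); e = f[1]; n++
            if (index(e, "/")) {
                split(e, p, "/"); size = 2 ^ (32 - p[2])
                lo[n] = int(ip2n(p[1]) / size) * size; hi[n] = lo[n] + size - 1
            } else if (index(e, "-")) {
                split(e, p, "-"); lo[n] = ip2n(p[1]); hi[n] = ip2n(p[2])
            } else { lo[n] = ip2n(e); hi[n] = lo[n] }
        }
    }
    {   # column 6 is peer:port; strip port, brackets and the v4-mapped prefix
        peer = $6
        sub(/:[0-9]+$/, "", peer); gsub(/\[|\]/, "", peer); sub(/^::ffff:/, "", peer)
        count[peer]++
    }
    END {
        for (ip in count) {
            if (count[ip] <= limit) continue
            v = ip2n(ip); ok = 0
            for (i = 1; i <= n; i++) if (v >= 0 && v >= lo[i] && v <= hi[i]) ok = 1
            if (!ok) print count[ip], ip
        }
    }' | sort -nr
}

# Constructed sample in "ss -Hntu" layout (documentation-range addresses only)
sample_ss() {
    for p in 1 2 3 4 5; do echo "tcp ESTAB 0 0 192.0.2.10:80 203.0.113.7:4000$p"; done
    for p in 1 2 3 4; do echo "tcp ESTAB 0 0 192.0.2.10:80 198.51.100.20:5000$p"; done
    for p in 1 2 3 4; do echo "tcp ESTAB 0 0 192.0.2.10:80 203.0.113.110:5500$p"; done
    for p in 1 2 3 4; do echo "tcp ESTAB 0 0 [2001:db8::10]:80 [2001:db8::99]:6000$p"; done
    echo "tcp ESTAB 0 0 192.0.2.10:80 203.0.113.8:40000"
}

wl=$(mktemp); printf '%s\n' '198.51.100.0/24' '203.0.113.100-203.0.113.120' > "$wl"
sample_ss | over_limit 3 "$wl"    # lists candidates only, bans nothing
rm -f "$wl"
```

Running it against live `ss -Hntu` output with the intended limit and ignore list shows which peers a given threshold would catch before the daemon is allowed to ban anything.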

CLI Usage

ddos [OPTIONS] [N]
N : number of tcp/udp connections (default 150)

OPTIONS

-h | --help:
Show the help screen.
-c | --cron:
Create cron job to run the script regularly (default 1 min).
-i | --ignore-list:
List whitelisted ip addresses.
-b | --bans-list:
List currently banned ip addresses.
-u | --unban:
Unbans a given ip address.
-d | --start:
Initialize a daemon to monitor connections.
-s | --stop:
Stop the daemon.
-t | --status:
Show status of daemon and pid if currently running.
-v[4|6] | --view [4|6]:
Display active connections to the server.
-y[4|6] | --view-port [4|6]:
Display active connections to the server including the port.
-k | --kill:
Block all ip addresses making more than N connections.

from https://github.com/jgmdev/ddos-deflate
-------------------------------------------------------------------------------

DDOS tool in python.

ddos

usage:
python attack.py [option]
-h : help

-t : lasting time of ddos

-c : numbers of thread to create
 
from https://github.com/firefoxbug/ddos