Posted by: Mangesh_Linux_Administrator | March 2, 2011

(D)DoS Deflate installation


(D)DoS Deflate is a lightweight bash shell script designed to assist in the process of blocking a denial of service attack. It utilizes the command below to create a list of IP addresses connected to the server, along with their total number of connections. It is one of the simplest and easiest to install solutions at the software level.

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

IP addresses with more than a configured number of connections are blocked automatically in the server's firewall, either directly via iptables or through Advanced Policy Firewall (APF). (We highly recommend that you use APF on your server in general, but Deflate will work without it.)

Notable Features

  • IP addresses can be whitelisted via /usr/local/ddos/ignore.ip.list.
  • Simple configuration file: /usr/local/ddos/ddos.conf
  • IP addresses are automatically unblocked after a preconfigured time limit (default: 600 seconds)
  • The script can run at a chosen frequency via the configuration file (default: 1 minute)
  • You can receive email alerts when IP addresses are blocked.

Installation

# wget http://www.inetbase.com/scripts/ddos/install.sh

# chmod 0700 install.sh

# ./install.sh

Note that install.sh is fetched over plain HTTP and then run as root, so read it before executing it. The configuration file for (D)DoS Deflate is /usr/local/ddos/ddos.conf, and by default it should contain the following values; if it does not, change them:

FREQ=1
NO_OF_CONNECTIONS=50
APF_BAN=0            (0 if using iptables instead of APF)
KILL=1
EMAIL_TO="<hidden email address>"
BAN_PERIOD=600

Users can change any of these settings to suit the needs or usage pattern of different servers (FREQ is in minutes, BAN_PERIOD in seconds). IP addresses can also be whitelisted, i.e. never banned, by listing them in /usr/local/ddos/ignore.ip.list. If you plan to run the script interactively, set KILL=0 so that any bad IPs detected are reported but not banned.

Uninstallation

# wget http://www.inetbase.com/scripts/ddos/uninstall.ddos

# chmod 0700 uninstall.ddos

# ./uninstall.ddos

===============================================================

BUG WITH DDOS DEFLATE SCRIPT

We've noticed recently that many of us are suffering from a recurring problem with the implementation of DoS-Deflate (the anti-(D)DoS script from medialayer.com – http://deflate.medialayer.com/). The problem is that on many occasions it blocks numbers instead of the IP addresses with too many connections, and it is not sending the blocked IP details in the alert message.

This is down to the netstat command the script uses: it does not account for how more up-to-date systems report connections, in particular the ::ffff: prefix that appears on IPv4-mapped IPv6 sockets (typically the HTTP port 80 connections accepted by a dual-stack web server). Because that prefix begins with a colon, `cut -d: -f1` yields an empty address for those rows, and when the script later reads the count file the connection count lands in the field where the IP address should be. The result is numbers being written to iptables instead of the IP addresses that exceeded the configured maximum number of connections.

You will notice it when you start receiving emails saying things like …..

Quote:
Banned the following ip addresses on Tue Aug 5 01:32:01 BST 2008
1120 with 1120 connections

We've put together a fix for this, which requires that you replace the netstat command in the ddos.sh file (located in the /usr/local/ddos directory if you installed in the default fashion).

In the original script line 117 reads…

Code:

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr > $BAD_IP_LIST

this should be rewritten to read as follows…

Code:

netstat -ntu | grep ':' | awk '{print $5}' | sed 's/::ffff://' | cut -f1 -d ':' | sort | uniq -c | sort -nr > $BAD_IP_LIST
IMPORTANT: this command must be written on a single line. Also check each character after pasting, because copying from a web page can substitute different characters (for example, single quotes may paste as typographic quotes, which the shell does not treat as quotes).
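The following shell script is an added example, not code from the original post or from the DoS Deflate project. It feeds a constructed sample of netstat -ntu output through the original line-117 pipeline, through the corrected pipeline above, and through an IPv6-aware variant, then applies the NO_OF_CONNECTIONS threshold, the ignore.ip.list whitelist and the KILL=0 dry run described in the configuration section. The sample addresses, the threshold of 2, the whitelist contents and the reconstruction of how ddos.sh reads the count file are assumptions made for the demo. The IPv6-aware count goes beyond the page's fix, which still truncates a native IPv6 peer address at its first colon.

```shell
#!/bin/sh
# Added example, not part of the original post or of the DoS Deflate script.
# Reproduces the "banned 1120" bug on constructed netstat output and shows a
# per-IP count that also survives native IPv6, plus the threshold/whitelist/KILL
# decision that ddos.conf drives. All values below are assumptions for the demo.

# Constructed sample of `netstat -ntu` output (headers included, as netstat
# prints them): one IPv4 client, one IPv4-mapped (::ffff:) client, one native
# IPv6 client, and one admin host that we want to whitelist.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             198.51.100.7:51234      ESTABLISHED
tcp6       0      0 ::ffff:10.0.0.5:80      ::ffff:203.0.113.9:40001 ESTABLISHED
tcp6       0      0 ::ffff:10.0.0.5:80      ::ffff:203.0.113.9:40002 ESTABLISHED
tcp6       0      0 ::ffff:10.0.0.5:80      ::ffff:203.0.113.9:40003 ESTABLISHED
tcp6       0      0 2001:db8::1:443         2001:db8:abcd::5:55000  ESTABLISHED
tcp6       0      0 2001:db8::1:443         2001:db8:abcd::5:55001  ESTABLISHED
tcp6       0      0 2001:db8::1:443         2001:db8:abcd::5:55002  ESTABLISHED
tcp6       0      0 2001:db8::1:443         2001:db8:abcd::5:55003  ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.44:61000        ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.44:61001        ESTABLISHED'

# ddos.conf-style settings (assumed; NO_OF_CONNECTIONS is lowered from the
# page's default of 50 so the small sample trips it).
NO_OF_CONNECTIONS=2
KILL=0                       # 0 = dry run: print the firewall command, do not run it
IGNORE_LIST_CONTENT='127.0.0.1
192.0.2.44'                  # stands in for /usr/local/ddos/ignore.ip.list

# The page's original line 117, reading stdin instead of running netstat.
# "::ffff:203.0.113.9:40001" has nothing before its first colon, so its address
# becomes an empty string, and "2001:db8:abcd::5:55000" collapses to "2001".
count_original() {
  awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
}

# The page's corrected pipeline. It repairs the ::ffff: case but still cuts a
# native IPv6 address at its first colon.
count_fixed() {
  grep ':' | awk '{print $5}' | sed 's/::ffff://' | cut -f1 -d ':' | sort | uniq -c | sort -nr
}

# Added generalisation: keep only rows whose foreign address carries a port,
# strip the IPv4-mapped prefix, then drop the trailing :port instead of cutting
# at the first colon. Handles IPv4, ::ffff:-mapped and native IPv6 peers.
count_v6aware() {
  awk '$5 ~ /:/ { ip = $5; sub(/^::ffff:/, "", ip); sub(/:[0-9]+$/, "", ip); print ip }' \
    | sort | uniq -c | sort -nr
}

# Reconstruction (assumption) of how ddos.sh reads the count file: the unquoted
# line is split on spaces and field 2 is taken as the address. For the line
# "      3 " there is no field 2, so cut returns the whole line and the *count*
# is what gets banned: the "1120 with 1120 connections" e-mail. Whitelist omitted.
ban_list_original_parse() {
  while read -r line; do
    conn=$(echo $line | cut -d" " -f1)
    ip=$(echo $line | cut -d" " -f2)
    [ "$conn" -ge "$NO_OF_CONNECTIONS" ] || break   # list is sorted descending
    echo "$ip"
  done
}

# Corrected decision loop: exact-match whitelist, never ban an empty field,
# pick ip6tables for IPv6 peers, and honour KILL=0 as a dry run.
decide_bans() {
  while read -r conn ip; do
    [ "$conn" -ge "$NO_OF_CONNECTIONS" ] || break
    [ -n "$ip" ] || continue
    if printf '%s\n' "$IGNORE_LIST_CONTENT" | grep -Fxq -- "$ip"; then
      continue                                       # whitelisted, never banned
    fi
    case $ip in *:*) tool=ip6tables ;; *) tool=iptables ;; esac
    if [ "$KILL" -eq 1 ]; then
      "$tool" -I INPUT -s "$ip" -j DROP
    else
      echo "would run: $tool -I INPUT -s $ip -j DROP"
    fi
  done
}

echo "== original line 117 -> addresses that would be banned =="
printf '%s\n' "$SAMPLE_NETSTAT" | count_original | ban_list_original_parse
echo "== page's fix, top entry =="
printf '%s\n' "$SAMPLE_NETSTAT" | count_fixed | awk 'NR==1'
echo "== IPv6-aware count + decision (KILL=$KILL) =="
printf '%s\n' "$SAMPLE_NETSTAT" | count_v6aware | decide_bans
```

Run it as a plain sh script; with KILL=0 it only prints the firewall commands it would issue. The whitelist check uses grep -Fxq so an entry matches only the whole address: a plain grep for the address would also match any longer address that contains it as a substring, and the dots in an IP would match any character.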
