History

MediaLayer needed a script to automatically mitigate (D)DoS attacks. The need arose when MediaLayer was the target of a rather large, consistent attack originating from multiple IP addresses. Each IP would have a large number of connections to the server, as shown by:

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

It became general practice for us to block IPs with a large number of connections, but we wanted to automate this. Zaf created a script to mitigate this kind of attack. We kept improving it to meet our own needs and eventually posted it on Defender Hosting's Forum. (D)DoS-Deflate is now recognized as one of the best ways to block a (D)DoS attack at the software level.

License Agreement

You can view a copy of the license agreement here.

Installation

wget http://ddosd.sins-realm.com/install.sh
chmod 0700 install.sh
./install.sh

Uninstalling

wget http://ddosd.sins-realm.com/uninstall.ddos
chmod 0700 uninstall.ddos
./uninstall.ddos

Version 0.6 | Change Log

Version 0.6 | Upgrade Procedure

The upgrade procedure remains the same as last time: uninstall and reinstall the script. You then need to edit the conf to suit your preferences. The default values ban an IP with 150 connections (or more) for 600 seconds and run the script every minute.
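
The per-IP count from the netstat one-liner, combined with the default limit of 150 connections, as an added example that is not the (D)DoS-Deflate script itself. It goes beyond the one-liner by skipping netstat's header lines and folding IPv4-mapped IPv6 addresses (`::ffff:a.b.c.d`) into their IPv4 form, which `cut -d: -f1` turns into an empty field. The names `over_limit`, `sample_netstat` and `LIMIT` are assumptions, and the sample addresses are constructed.

```shell
#!/bin/sh
# Added example, not the (D)DoS-Deflate script itself.
LIMIT=150   # the page's default: ban at 150 connections or more

# Read `netstat -ntu` output on stdin; print "count ip" for each remote
# address with at least $1 connections (default $LIMIT), busiest first.
over_limit() {
    awk -v limit="${1:-$LIMIT}" '
        $1 !~ /^(tcp|udp)/ { next }        # skip the two netstat header lines
        {
            addr = $5
            sub(/:[0-9*]+$/, "", addr)     # drop the trailing :port
            sub(/^::ffff:/, "", addr)      # fold IPv4-mapped IPv6 into IPv4
            count[addr]++
        }
        END {
            for (a in count)
                if (count[a] >= limit) print count[a], a
        }' | sort -rn
}

# Constructed sample: 160 connections from 198.51.100.7 (half of them
# reported as IPv4-mapped IPv6) and 5 from 192.0.2.44.
sample_netstat() {
    echo "Active Internet connections (w/o servers)"
    echo "Proto Recv-Q Send-Q Local Address Foreign Address State"
    i=0
    while [ "$i" -lt 80 ]; do
        echo "tcp 0 0 203.0.113.10:80 198.51.100.7:$((40000 + i)) ESTABLISHED"
        echo "tcp6 0 0 ::ffff:203.0.113.10:80 ::ffff:198.51.100.7:$((50000 + i)) ESTABLISHED"
        i=$((i + 1))
    done
    i=0
    while [ "$i" -lt 5 ]; do
        echo "tcp 0 0 203.0.113.10:80 192.0.2.44:$((41000 + i)) ESTABLISHED"
        i=$((i + 1))
    done
}

sample_netstat | over_limit
```

On a live host, feed it real data with `netstat -ntu | over_limit`, or pass a different limit as the first argument.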