10 07 2012


bigCat Posted in Linux - 0 Comment

#!/bin/bash
# Block any client that made 20 or more non-static requests in the last minute.
# Needs GNU date for "1 minute ago"; the log path in the post is truncated, so set it yourself.
cur=$(date +%H%M%S)
becur=$(date -d "1 minute ago" +%H%M%S)
# Field separator is space or colon, so $5$6$7 is the HHMMSS part of "[10/Jul/2012:12:34:56 +0800]".
# Note: a window that crosses midnight (becur > cur) matches nothing with this string compare.
badip=$(tail -n 10000 /home/wwwlogs/ \
  | grep -Ev '\.(gif|jpg|jpeg|png|css|js)' \
  | awk -v a="$becur" -v b="$cur" -F '[ :]' '{t=$5$6$7; if (t>=a && t<=b) print $1}' \
  | sort | uniq -c | awk '$1>=20 {print $2}')
for ip in $badip; do
  # -F: treat the dots literally; -w: whole-word match, so 1.2.3.4 does not match 1.2.3.45
  if ! /sbin/iptables -nL INPUT | grep -qwF "$ip"; then
    /sbin/iptables -I INPUT -s "$ip" -j DROP
  fi
done


#!/bin/bash
# Block every client IP that appears in a recent log line containing the marker string.
keyword="cc-atack"   # set this to whatever string identifies the attack requests in your log
badip=$(tail -n 5000 /home/wwwlogs/ | grep -F "$keyword" | awk '{print $1}' | sort -u)
for ip in $badip; do
  # -F: treat the dots literally; -w: whole-word match, so 1.2.3.4 does not match 1.2.3.45
  if ! /sbin/iptables -nL INPUT | grep -qwF "$ip"; then
    /sbin/iptables -I INPUT -s "$ip" -j DROP
  fi
done
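The detection step of both scripts above, as an added example that is not from the original post: it parses constructed combined-format log lines with their full timestamps (so a one-minute window that crosses midnight is still counted, which the HHMMSS string compare in the first script cannot do), drops static-asset requests, counts requests per IP, picks up the marker-string hits of the second script, and checks the `iptables -nL` listing by exact match on the source column instead of `grep $ip`, which would also match 1.2.3.45 when looking for 1.2.3.4. The log lines, the iptables listing, the clock value NOW and the 10.0.0.x addresses are all constructed for the demo; nothing is read from disk or executed.

```python
# Added example (not from the original post): detection logic of the two scripts above,
# run over constructed log lines. Nothing here touches /home/wwwlogs/ or iptables.
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Combined log format: client IP, ident, user, [timestamp], "request", ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
# Same static-asset filter as the first script, applied to the request line only
STATIC_RE = re.compile(r'\.(gif|jpe?g|png|css|js)\b', re.IGNORECASE)

def parse_line(line):
    """Return (ip, aware datetime, request) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("req")

def heavy_hitters(lines, now, window=timedelta(minutes=1), threshold=20):
    """IPs with >= threshold non-static requests in (now - window, now].
    Full timestamps are compared, so a window spanning midnight is handled;
    the HHMMSS string compare in the bash script matches nothing in that case."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, req = parsed
        if STATIC_RE.search(req):
            continue
        if now - window < ts <= now:
            counts[ip] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def keyword_hitters(lines, keyword):
    """Every client IP on a line containing the marker string (the second script)."""
    ips = set()
    for line in lines:
        if keyword in line:
            parsed = parse_line(line)
            if parsed is not None:
                ips.add(parsed[0])
    return sorted(ips)

def already_blocked(iptables_listing, ip):
    """Exact match on the 'source' column of `iptables -nL INPUT` output.
    The scripts' `grep $ip` is an unanchored regex: 1.2.3.4 also matches 1.2.3.45."""
    for line in iptables_listing.splitlines():
        cols = line.split()
        if len(cols) >= 5 and cols[3] == ip:
            return True
    return False

def plan_blocks(lines, now, iptables_listing, keyword="cc-atack"):
    """The iptables commands the two scripts would run, minus IPs already blocked."""
    wanted = set(heavy_hitters(lines, now)) | set(keyword_hitters(lines, keyword))
    return [["/sbin/iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]
            for ip in sorted(wanted) if not already_blocked(iptables_listing, ip)]

# ---- constructed sample data (not real traffic) ------------------------------
def _line(ip, day, hms, path, ua="Mozilla/5.0"):
    return f'{ip} - - [{day}/Jul/2012:{hms} +0800] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'

# "Now" is 00:00:30 on 11 July; the one-minute window therefore starts at 23:59:30 on 10 July.
NOW = datetime(2012, 7, 11, 0, 0, 30, tzinfo=timezone(timedelta(hours=8)))
SAMPLE_LOG = (
    [_line("10.0.0.5", "10", "23:59:40", "/index.php?id=1")] * 20   # 20 dynamic hits, before midnight
    + [_line("10.0.0.9", "11", "00:00:10", "/static/app.js")] * 25  # static, ignored
    + [_line("10.0.0.7", "11", "00:00:20", "/index.php")] * 3       # under threshold
    + [_line("10.0.0.8", "10", "23:50:00", "/index.php")] * 30      # outside the window
    + [_line("10.0.0.6", "11", "00:00:25", "/login.php", ua="cc-atack")]  # marker hit
)
IPTABLES_NL = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  10.0.0.55            0.0.0.0/0
DROP       all  --  10.0.0.6             0.0.0.0/0
"""

if __name__ == "__main__":
    print("rate:", heavy_hitters(SAMPLE_LOG, NOW))             # ['10.0.0.5']
    print("keyword:", keyword_hitters(SAMPLE_LOG, "cc-atack"))  # ['10.0.0.6']
    for cmd in plan_blocks(SAMPLE_LOG, NOW, IPTABLES_NL):
        print(" ".join(cmd))  # only 10.0.0.5; 10.0.0.6 is already in the listing
```

To use it against a real log, replace SAMPLE_LOG with the last N lines of the access log and NOW with `datetime.now(timezone.utc)`; the timestamps carry their own offset, so the comparison stays correct whatever zone the server logs in.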


9 06 2010

(D)DoS-Deflate

bigCat Posted in Linux - 1 Comment



MediaLayer was in need of a script to automatically mitigate (D)DoS attacks. The need arose when MediaLayer was the target of a rather large, sustained attack originating from multiple IP addresses. Each IP held a large number of connections to the server, as shown by:

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

Blocking IPs with a large number of connections became general practice for us, but we wanted to automate it. Zaf created a script to mitigate this kind of attack. We kept improving it to meet our own needs and eventually posted it on Defender Hosting's forum. (D)DoS-Deflate is now recognized as one of the best ways to block a (D)DoS attack at the software level.
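The per-IP connection count from the netstat one-liner above, re-done in Python as an added example (not part of the (D)DoS-Deflate README or its script): `cut -d: -f1` keeps everything before the first colon, which is right for IPv4 but yields `2001` for a foreign address like `2001:db8::7:51000` and an empty string for an IPv4-mapped address like `::ffff:198.51.100.7:51237`, and the one-liner also counts the two header lines and every socket state, TIME_WAIT included. The netstat listing, the 198.51.100.x, 203.0.113.x and 2001:db8:: addresses and the whitelist below are constructed for the demo.

```python
# Added example (not part of the (D)DoS-Deflate README): per-IP connection counts
# from a constructed `netstat -ntu` listing, with IPv6-safe address parsing.
import ipaddress
from collections import Counter

# Constructed sample of `netstat -ntu` output (two header lines, tcp/tcp6/udp rows)
NETSTAT_NTU = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51235      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51236      TIME_WAIT
tcp        0      0 192.0.2.10:443          203.0.113.9:40000       ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8:ffff::7:51000  ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8:ffff::7:51001  ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:198.51.100.7:51237 ESTABLISHED
udp        0      0 192.0.2.10:53           198.51.100.7:5353
"""

def foreign_host(addr):
    """Strip the port from a netstat address column.
    Splitting on the last colon keeps IPv6 intact where `cut -d: -f1` would yield
    '2001' or ''; IPv4-mapped IPv6 (::ffff:a.b.c.d) is folded to plain IPv4 so the
    same client is not counted under two names."""
    host, _, _port = addr.rpartition(":")
    ip = ipaddress.ip_address(host)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return str(ip)

def connections_per_ip(netstat_output, states=None):
    """Counter of sockets per remote IP. states=None counts everything, as the
    one-liner does (TIME_WAIT included); pass {'ESTABLISHED'} to count only live ones."""
    counts = Counter()
    for line in netstat_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or not cols[0].startswith(("tcp", "udp")):
            continue  # the two header lines
        state = cols[5] if len(cols) > 5 else ""  # udp rows have no state column
        if states is not None and state not in states:
            continue
        counts[foreign_host(cols[4])] += 1
    return counts

def over_threshold(netstat_output, limit, states=None, ignore=frozenset()):
    """Remote IPs with >= limit sockets, minus a whitelist (the role of ignore.ip.list).
    The README's default limit is 150; the sample listing is small, so the demo uses 2."""
    return sorted(ip for ip, n in connections_per_ip(netstat_output, states).items()
                  if n >= limit and ip not in ignore)

if __name__ == "__main__":
    for ip, n in connections_per_ip(NETSTAT_NTU).most_common():
        print(f"{n:>4} {ip}")
    print("ban:", over_threshold(NETSTAT_NTU, 2, ignore={"198.51.100.7"}))  # ['2001:db8:ffff::7']
```

Whether TIME_WAIT sockets should count toward the ban threshold is a policy choice: they are cheap for the kernel and are what a legitimate client leaves behind after many short requests, so counting only ESTABLISHED (or ESTABLISHED plus SYN_RECV) gives fewer false positives against busy NAT gateways.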

License Agreement

You can view a copy of the license agreement here.


wget
chmod 0700
./


wget
chmod 0700 uninstall.ddos
./uninstall.ddos

Version 0.6 | Change Log


  • whitelisting is possible by adding IPs to /usr/local/ddos/ignore.ip.list
  • the script uses that file to avoid banning an IP again while it is already blocked (this was handled differently before, and was a bit slower too)


Version 0.6 | Upgrade Procedure

It remains the same as last time: uninstall and then reinstall the script, and edit the conf to suit your preferences. The default values ban an IP with 150 or more connections for 600 seconds and run the script every minute.

Contacting Us

To get in touch with us you may simply e-mail


