I have been using DDoS Deflate, a simple shell script that helps defend a server against DoS floods. It works by counting the TCP connections each remote IP address has open to the server (it reads them from netstat) and, when an IP goes over a configured number, banning that IP with a firewall rule (iptables or APF) for a set period of time.
It's a great script because it's free, simple, and works well against floods from a single source or a handful of sources. Forget paying an extra hundred dollars to your hosting company for "DoS protection"; there is a fair chance they would install this same script anyway.
The real value of DDoS Deflate lies in its configuration. Depending on how you configure it, you can protect yourself in a number of different ways.
To install, run the following at an SSH prompt on the Linux server. Note that the installer is fetched over plain HTTP and runs as root, so read install.sh before you execute it and make sure it is really the script you expect:
wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh
./install.sh
After installing, go to /usr/local/ddos, where the configuration files live.
Open ddos.conf in your favorite editor. The following settings are the ones that matter most for getting the most out of the script:
NO_OF_CONNECTIONS is the number of simultaneous connections a single IP may have open before the server bans that address for a set amount of time. I think the default of 150 works well. Don't be tempted to drop it to a very low number when an attack comes from many IPs: a per-IP threshold can only catch sources that individually exceed it, so a distributed flood of a few connections per bot will not trip it at any setting, and a low value mostly ends up banning legitimate users who share one address behind NAT or a proxy.
BAN_PERIOD sets how long, in seconds, an IP stays banned. You don't want a permanent ban, because other, innocent visitors may be sharing the same IP address.
You can start with the default settings and play around a bit.
The script also e-mails you whenever an IP goes past the maximum number of allowed connections. Set the EMAIL_TO variable in ddos.conf to an address you actually read if you want to receive those alerts.
Using more than one server?
You can "whitelist" IP addresses that legitimately keep many connections open to your server, such as your MySQL server, by adding them to the ignore.ip.list file in the same directory. I once forgot to whitelist my MySQL server and my website started showing "Database Connection Error"; don't let that happen to you.
Well, that's about it. This script is pretty good against DoS flooding, so you don't have to manually mess with your iptables rules every time. I install it on every one of my VPS/dedicated servers, and you should too, just in case some attacker decides to flood you with garbage.
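To make the threshold, ban period and whitelist settings concrete, here is a small shell re-implementation of the check DDoS Deflate performs. This is an added example, not the project's own code: it uses the ddos.conf setting names (NO_OF_CONNECTIONS, BAN_PERIOD) and a WHITELIST variable standing in for ignore.ip.list, and it runs against constructed netstat-style output rather than the live netstat table. All IP addresses are assumed documentation-range values, and the ban step only prints the firewall command it would run.

```sh
#!/bin/sh
# Added example (not DDoS Deflate's own code): per-IP connection counting with a
# whitelist and a dry-run ban, the way the ddos.conf settings are meant to behave.

NO_OF_CONNECTIONS=150                  # ban threshold, the default in ddos.conf
BAN_PERIOD=600                         # seconds an IP stays banned, the default in ddos.conf
SERVER_IP="192.0.2.10"                 # assumed: this host's own address
WHITELIST="127.0.0.1 $SERVER_IP 10.0.0.5"   # assumed: loopback, self, MySQL server (ignore.ip.list)

# gen_conns IP COUNT: emit COUNT constructed `netstat -ntu`-style rows from IP to our port 80.
gen_conns() {
  awk -v ip="$1" -v n="$2" -v me="$SERVER_IP" 'BEGIN {
    for (i = 0; i < n; i++)
      printf "tcp        0      0 %s:80         %s:%d      ESTABLISHED\n", me, ip, 40000 + i
  }'
}

# find_offenders THRESHOLD "WHITELIST": read netstat rows on stdin, print "COUNT IP"
# for every non-whitelisted remote IP with more than THRESHOLD connections.
find_offenders() {
  awk -v t="$1" -v wl="$2" '
    BEGIN { n = split(wl, w, " "); for (i = 1; i <= n; i++) skip[w[i]] = 1 }
    $1 ~ /^(tcp|udp)/ {                 # skip netstat header lines
      ip = $5
      sub(/:[0-9]+$/, "", ip)           # strip only the trailing port, so IPv6 addresses survive
      count[ip]++
    }
    END {
      for (ip in count)
        if (count[ip] > t && !(ip in skip)) printf "%d %s\n", count[ip], ip
    }' | sort -rn
}

# ban_plan: for each "COUNT IP" line on stdin, print the firewall rule that would be
# inserted and when it would be lifted. A real deployment runs iptables here; this echoes.
ban_plan() {
  while read -r count ip; do
    printf 'ban %s (%s conns): iptables -I INPUT -s %s -j DROP; remove after %ss\n' \
      "$ip" "$count" "$ip" "$BAN_PERIOD"
  done
}

# Constructed sample: one ordinary visitor, one flooder, a busy MySQL server,
# local health checks over loopback, and an office NAT gateway with many users.
sample_netstat() {
  printf 'Active Internet connections (w/o servers)\n'
  printf 'Proto Recv-Q Send-Q Local Address           Foreign Address         State\n'
  gen_conns 203.0.113.7  3      # ordinary visitor
  gen_conns 198.51.100.9 200    # flooder: well over the threshold
  gen_conns 10.0.0.5     180    # MySQL server: over the threshold but whitelisted
  gen_conns 127.0.0.1    170    # loopback monitoring: must never be banned
  gen_conns 203.0.113.42 160    # NAT gateway: legitimate users, still banned (false positive)
}

offenders_for_sample() {
  sample_netstat | find_offenders "$NO_OF_CONNECTIONS" "$WHITELIST"
}

offenders_for_sample | ban_plan
```

Run it with `sh ddos_check.sh`. Two things the output makes visible that the configuration alone does not: the whitelist is the only thing standing between a legitimately busy MySQL server (or the host itself over loopback) and a ban, and a NAT gateway with 160 users behind it is banned just like the flooder, which is why a low NO_OF_CONNECTIONS hurts real visitors. The example also strips only the trailing port from the foreign address; a `cut -d: -f1` approach truncates IPv6 addresses to their first hextet and would count unrelated clients together.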
How well does this script scale for DoS attacks? For something like 20,000-30,000 IPs attacking you, can the script keep up?
Exactly, you can do it by changing the parameters.
The script sucks. First, it doesn't only ban web server connections, but ALL connections. That means if someone is uploading data via FTP he easily creates 400 connections of file transfers and BAM, he is banned.
It also sometimes bans the local IP, yes, the web server's own IP.
It's not real protection; you'd better put it directly on the server side.
I think banning all connections is actually a good thing. For example, on my web server I don't ever use FTP anyway; it's insecure and slower than SCP. You can read about that here: http://zedomax.com/blog/2010/02/18/linux-hack-sshscp-howtos-for-more-securefaster-linux/
As for banning local IP, the script already unbans any local IPs. If you configure the settings, you can also whitelist specific IP addresses.
Just trying to clear the facts here. Thanks for the comments.
DDOS Deflate monitors connections made to the **HTTP** (httpd) server. Why would it interfere with **FTP**, or any other service?