How can we protect from DDoS attacks? Is there a script that can stop DDoS attacks? There are a lot of sites on the net that offer DDoS protection... in fact, how do they proceed?
Denial of Service attacks are done at the server level, so there's no PHP script that will save you at all. You would have to use a shell script, but leaving it on all the time could have performance issues.

ddos.conf:

```sh
##### Paths of the script and other files
PROGDIR="/usr/local/ddos"
PROG="/usr/local/ddos/ddos.sh"
IGNORE_IP_LIST="/usr/local/ddos/ignore.ip.list"
CRON="/etc/cron.d/ddos.cron"
APF="/etc/apf/apf"
IPT="/sbin/iptables"

##### frequency in minutes for running the script
##### Caution: Every time this setting is changed, run the script with --cron
##### option so that the new frequency takes effect
FREQ=1

##### How many connections define a bad IP? Indicate that below.
NO_OF_CONNECTIONS=150

##### APF_BAN=1 (Make sure your APF version is at least 0.96)
##### APF_BAN=0 (Uses iptables for banning ips instead of APF)
APF_BAN=1

##### KILL=0 (Bad IPs aren't banned, good for interactive execution of script)
##### KILL=1 (Recommended setting)
KILL=1

##### An email is sent to the following address when an IP is banned.
##### Blank would suppress sending of mails
EMAIL_TO="root"

##### Number of seconds the banned ip should remain in blacklist.
BAN_PERIOD=600
```

ignore.ip.list:

```
127.0.0.1
```

ddos.sh:

```sh
#!/bin/bash
# Shebang changed from /bin/sh: the script relies on source, let and $RANDOM,
# which are bash features and fail under a plain POSIX sh such as dash.
##############################################################################
# DDoS-Deflate version 0.6                        Author: Zaf <zaf@vsnl.com> #
##############################################################################
# This program is distributed under the "Artistic License" Agreement         #
#                                                                            #
# The LICENSE file is located in the same directory as this program. Please  #
# read the LICENSE file before you make copies or distribute this program    #
##############################################################################

# Read the settings from ddos.conf; abort if the file is missing.
load_conf() {
    CONF="/usr/local/ddos/ddos.conf"
    if [ -n "$CONF" ] && [ -f "$CONF" ]; then
        source "$CONF"
    else
        head
        echo "$CONF not found."
        exit 1
    fi
}

# Print the banner. Note this shadows the coreutils "head" command inside
# this script, as in the original.
head() {
    echo "DDoS-Deflate version 0.6"
    echo "Copyright (C) 2005, Zaf <zaf@vsnl.com>"
    echo
}

showhelp() {
    head
    echo 'Usage: ddos.sh [OPTIONS] [N]'
    echo 'N : number of tcp/udp connections (default 150)'
    echo 'OPTIONS:'
    echo '-h | --help: Show this help screen'
    echo '-c | --cron: Create cron job to run this script regularly (default 1 mins)'
    echo '-k | --kill: Block the offending ip making more than N connections'
}

# Generate a script that sleeps BAN_PERIOD seconds, then lifts the bans and
# removes the banned IPs from the ignore list again; run it in the background.
unbanip() {
    UNBAN_SCRIPT=`mktemp /tmp/unban.XXXXXXXX`
    TMP_FILE=`mktemp /tmp/unban.XXXXXXXX`
    UNBAN_IP_LIST=`mktemp /tmp/unban.XXXXXXXX`
    echo '#!/bin/sh' > "$UNBAN_SCRIPT"
    echo "sleep $BAN_PERIOD" >> "$UNBAN_SCRIPT"
    if [ "$APF_BAN" -eq 1 ]; then
        while read line; do
            echo "$APF -u $line" >> "$UNBAN_SCRIPT"
            echo "$line" >> "$UNBAN_IP_LIST"
        done < "$BANNED_IP_LIST"
    else
        while read line; do
            echo "$IPT -D INPUT -s $line -j DROP" >> "$UNBAN_SCRIPT"
            echo "$line" >> "$UNBAN_IP_LIST"
        done < "$BANNED_IP_LIST"
    fi
    echo "grep -v --file=$UNBAN_IP_LIST $IGNORE_IP_LIST > $TMP_FILE" >> "$UNBAN_SCRIPT"
    echo "mv $TMP_FILE $IGNORE_IP_LIST" >> "$UNBAN_SCRIPT"
    echo "rm -f $UNBAN_SCRIPT" >> "$UNBAN_SCRIPT"
    echo "rm -f $UNBAN_IP_LIST" >> "$UNBAN_SCRIPT"
    echo "rm -f $TMP_FILE" >> "$UNBAN_SCRIPT"
    . "$UNBAN_SCRIPT" &
}

# (Re)create the cron entry so that the script runs every FREQ minutes.
add_to_cron() {
    rm -f "$CRON"
    sleep 1
    service crond restart
    sleep 1
    echo "SHELL=/bin/sh" > "$CRON"
    if [ "$FREQ" -le 2 ]; then
        echo "0-59/$FREQ * * * * root /usr/local/ddos/ddos.sh >/dev/null 2>&1" >> "$CRON"
    else
        let "START_MINUTE = $RANDOM % ($FREQ - 1)"
        let "START_MINUTE = $START_MINUTE + 1"
        let "END_MINUTE = 60 - $FREQ + $START_MINUTE"
        echo "$START_MINUTE-$END_MINUTE/$FREQ * * * * root /usr/local/ddos/ddos.sh >/dev/null 2>&1" >> "$CRON"
    fi
    service crond restart
}

load_conf

while [ -n "$1" ]; do
    case $1 in
        '-h' | '--help' | '?' )
            showhelp
            exit
            ;;
        '--cron' | '-c' )
            add_to_cron
            exit
            ;;
        '--kill' | '-k' )
            KILL=1
            ;;
        *[0-9]* )
            NO_OF_CONNECTIONS=$1
            ;;
        * )
            showhelp
            exit
            ;;
    esac
    shift
done

TMP_PREFIX='/tmp/ddos'
# TMP_FILE holds a command string; each `$TMP_FILE` below creates a new temp file.
TMP_FILE="mktemp $TMP_PREFIX.XXXXXXXX"
BANNED_IP_MAIL=`$TMP_FILE`
BANNED_IP_LIST=`$TMP_FILE`
echo "Banned the following ip addresses on `date`" > "$BANNED_IP_MAIL"
echo >> "$BANNED_IP_MAIL"

# Count the current connections per remote IP, most connections first.
BAD_IP_LIST=`$TMP_FILE`
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr > "$BAD_IP_LIST"
cat "$BAD_IP_LIST"

if [ "$KILL" -eq 1 ]; then
    IP_BAN_NOW=0
    while read line; do
        # $line is left unquoted on purpose so the leading spaces from uniq -c collapse.
        CURR_LINE_CONN=$(echo $line | cut -d" " -f1)
        CURR_LINE_IP=$(echo $line | cut -d" " -f2)
        # The list is sorted descending, so stop at the first IP under the limit.
        if [ "$CURR_LINE_CONN" -lt "$NO_OF_CONNECTIONS" ]; then
            break
        fi
        # Whole-line match: 10.0.0.1 on the ignore list must not shield 10.0.0.10.
        IGNORE_BAN=`grep -c -x -F "$CURR_LINE_IP" "$IGNORE_IP_LIST"`
        if [ "$IGNORE_BAN" -ge 1 ]; then
            continue
        fi
        IP_BAN_NOW=1
        echo "$CURR_LINE_IP with $CURR_LINE_CONN connections" >> "$BANNED_IP_MAIL"
        echo "$CURR_LINE_IP" >> "$BANNED_IP_LIST"
        echo "$CURR_LINE_IP" >> "$IGNORE_IP_LIST"
        if [ "$APF_BAN" -eq 1 ]; then
            $APF -d "$CURR_LINE_IP"
        else
            $IPT -I INPUT -s "$CURR_LINE_IP" -j DROP
        fi
    done < "$BAD_IP_LIST"
    if [ "$IP_BAN_NOW" -eq 1 ]; then
        dt=`date`
        # -n instead of the unquoted != "" test, which errors when EMAIL_TO is blank.
        if [ -n "$EMAIL_TO" ]; then
            cat "$BANNED_IP_MAIL" | mail -s "IP addresses banned on $dt" "$EMAIL_TO"
        fi
        unbanip
    fi
fi

rm -f $TMP_PREFIX.*
```

You would have to set the .sh file to chmod 755, allowing it to execute, and if you run "/usr/local/ddos/ddos.sh --cron > /dev/null 2>&1" that will cause the script to run every 1 minute via cron job. Basically what it does is look at the number of connections each IP has to your server; if it exceeds the number of connections you specified in the ddos.conf file, then it will ban that IP from accessing the site via iptables. But this of course requires you to have a dedicated server or your own virtual private server, as you can't do this on shared hosting.
At best this may keep the webserver from crashing completely. Also, if you run any kind of service through your server, such as a proxy_pass from another webserver, you'd need to add those IPs to the ignore list or only run the script in the cron when you notice an attack. The best solution is to use a hardware firewall that notices the excessive floods of connections from a specific IP, then blocks them. But as I said, short of iptables, ACL, shorewall etc., there is no PHP/HTML/etc. script that will prevent a DDoS attack. If you have access to iptables and you don't expect any business from China or Korea, you can block most of the Chinese/Korean IP ranges using the rules defined at this site. http://www.okean.com/antispam/iptables/iptables.html That should help cut down on some exploitation attacks or general snooping around.
What you can do on the PHP level is to reduce the maximum script execution time:

```php
set_time_limit(10);
```

Also I recommend adding caching to the PHP script to make it run faster and therefore minimize the possibility of overloading the server with HTTP requests. You can use views caching or SQL query caching by memcached (www.danga.com/memcached/). Also you can precompile PHP with eAccelerator (eaccelerator.net).
A DDoS attack doesn't even wait for a script to execute; it attacks right at Apache using a SERV request, so anything you do on a script level is moot.
http://articles.techrepublic.com.com/5100-10878_11-5058830.html Note packet flooding and route to nowhere. Basically a DDoS attack normally occurs in such a way that a PHP script would never have a chance to run, thus making any method within PHP moot. SERV is normally the code that shows up when you're listing active connections where it's not ESTABLISHED or WAITING.
Isn't DDoS really a distributed denial of service attack? Meaning multiple erroneous connections from multiple IPs? So even the script that blocks an IP with too many simultaneous connections couldn't do anything if there were tons of IPs doing the attack. Of course it would be a pretty sophisticated attacker who would have enough IPs to do a DDoS attack, in which case the bast defense might be to find out who was doing it and send the feds after him.
"bast"? Anywho, yes. However, depending on the flood timing you can actually use hardware or iptables to block most of them. As far as sending the feds after them... most of the attacks occur from locations completely outside of the US's jurisdiction.
This is an interesting thread. Many of us suffer because of DDoS attacks. My load on the server often spikes for no obvious reason, and the server is down. How can I find out if it's a DDoS attack?
1. Your site is too slow to load (initial) or the request times out even when the server is working fine and you can access it using SSH.
2. Your vmpanel shows network usage at almost full (if the DoS attack is an HTTP SYN bandwidth choke).

How to secure your server from DDoS on a Linux box in a software way:

For UDP pings:

```sh
nano /etc/sysctl.conf
```

amend 1 at net.ipv4.icmp_echo_ignore_all:

```
net.ipv4.icmp_echo_ignore_all = 1
```

```sh
/etc/init.d/network restart
```

Use the above ONLY if you are facing UDP DDoS. Not recommended just for prevention purposes!

For prevention:

```sh
wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh
./install.sh
```

Enjoy
Hi, I've implemented this solution and the log shows me the following lines ... How can I understand this? Any help is appreciated.

OS: squeeze
Apache2
Fail2ban

Thanks in advance. Victor