Hey guys, my CSS server recently got attacked by a DDoS, and I was wondering if anyone has a script to protect my server. If anyone has a script that will work for a Counter-Strike server, that would be great.
Hello jamesfenwick, what OS (operating system) are you using, what network equipment is installed before your server, etc.? Much more information would be appreciated to solve your problem.
Hi, if you run Linux Apache 2.x, do this:
    cd /usr/src
    wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
    tar xfz mod_evasive_1.10.1.tar.gz
    cd mod_evasive
Find the location of the Apache Extension Tool (apxs) binary and perform the following.
    type apxs
or
    find / -type f -name apxs -print
Then:
    $APACHE_ROOT/bin/apxs -cia mod_evasive20.c
Configure mod_evasive for Apache. Find the location of httpd.conf and edit it with the following contents.
    <IfModule mod_evasive20.c>
        DOSHashTableSize 3097
        DOSPageCount 2
        DOSSiteCount 50
        DOSPageInterval 1
        DOSSiteInterval 1
        DOSBlockingPeriod 300
    </IfModule>
There isn't really a script that is going to truly protect your server from a DDoS attack. If you have root on the server you can set up some iptables rules, but that isn't going to stop the DDoS from coming in on the line. You need to find a provider that has DDoS protection on their network or ask your current provider what type of filtering you can put in place. They should be able to block whatever type of traffic you ask from going to your server. If they don't currently offer DDoS protection then they probably will not be able to do anything about it.
I agree. When it comes to DoS attacks, even if you block the offending IPs, it's still gonna cause severe usage on a software firewall. Most datacenters will usually null the IP until it stops. Are you sure it's a DDoS attack? It could be just someone packeting your IP intentionally with a script.
LOL @ people suggesting mod_evasive. mod_evasive is for apache, not hl2 servers. google hl2 css ddos attack
Here's where you can download a patch for major DOS attacks on CSS game servers.
http://adminmarketplace.com/downloads.php?do=cat&id=1
DoS Attack Fixer for TF2 v2: DAF version 2 for TF2. Includes Linux and Windows binaries. Works with all Orangebox engine games if ...
DoS Attack Fixer for CSS v2: DAF version 2 for Counter-Strike Source. Includes Linux and Windows binaries. Will work with all EP1 ...
Otto Bohn
AdminMarketplace.com
N00bsalad.net
I know this is late, but it can help someone looking for a solution. I see that this is an application-level attack, meaning an attack on the application and not on the network. We can block at the OS level using a firewall. We will look at the number of established connections (only then can it reach the application). Let's find out which IP addresses are eating up connections, and we can start blocking them.
    ss -n -4 state established | awk '{print $5}' | egrep -v '(Address:Port|127.0.0.1)' | cut -d':' -f1
Now, let's get a count of the number of hits per IP.
    ss -n -4 state established | awk '{print $5}' | egrep -v '(Address:Port|127.0.0.1)' | cut -d':' -f1 | sort -n | uniq -c
Now, decide on a threshold level beyond which we declare too many hits per IP, meaning the IP is participating in a DDoS. Let's say we decide on 20. Let's get those IPs which have more than 20 connections. In this example, we are looking at IPv4.
    ss -n -4 state established | awk '{print $5}' | egrep -v '(Address:Port|127.0.0.1)' | cut -d':' -f1 | sort -n | uniq -c | awk '$1 > 20 {print $2}'
Let's use ipset and iptables to block these IPs.
    ipset create ddosingips hash:ip
    iptables -I INPUT -m set --match-set ddosingips src -j DROP
Now let's populate the ipset.
    ss -n -4 state established | awk '{print $5}' | egrep -v '(Address:Port|127.0.0.1)' | cut -d':' -f1 | sort -n | uniq -c | awk '$1 > 20 {print $2}' | while read ipaddress; do ipset test ddosingips $ipaddress || { ipset add ddosingips $ipaddress ; echo "Blocked $ipaddress"; } ; done
You can run the code regularly by putting it in a script and running watch.
    watch -n10 mitigateddosh.sh
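
An added example (not part of the post above and not its author's code): the same per-IP count run as a dry run over constructed `ss` output, generalized with two safeguards the one-liner lacks, an allowlist so an admin address is never blocked and an IPv4 format check before anything reaches `ipset`. The addresses, the `ALLOWLIST` variable and the function names are assumptions; the script prints the `ipset` commands instead of running them and uses `ipset -exist add` in place of the post's `ipset test` check.

```sh
#!/bin/sh
# Added example: dry run of the per-IP count; nothing here touches the firewall.
THRESHOLD=20              # same cut-off the post picks
ALLOWLIST="203.0.113.10"  # assumption: admin address that must never be blocked

# emit <count> <peer-ip>: constructed rows shaped like `ss -n -4 state established`
emit() {
    i=0
    while [ "$i" -lt "$1" ]; do
        echo "tcp 0 0 192.0.2.1:27015 $2:$((40000 + i))"
        i=$((i + 1))
    done
}

# Constructed capture: one noisy peer, one normal peer, the admin, loopback.
sample_ss_output() {
    echo "Netid Recv-Q Send-Q Local Address:Port Peer Address:Port"
    emit 25 198.51.100.7
    emit 3 192.0.2.44
    emit 30 203.0.113.10
    emit 1 127.0.0.1
}

# Read ss output on stdin, print peers with more than THRESHOLD connections.
offenders() {
    awk -v limit="$THRESHOLD" -v allow="$ALLOWLIST" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        {
            peer = $NF                      # peer address:port is the last column
            sub(/:[0-9]+$/, "", peer)       # strip the port
            # Only dotted-quad addresses go further; this also drops the header.
            if (peer !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
            if (peer ~ /^127\./ || (peer in skip)) next
            count[peer]++
        }
        END { for (ip in count) if (count[ip] > limit) print ip }
    ' | sort
}

# Print the commands that would be run; -exist makes a repeated add a no-op.
block_commands() {
    offenders | while read -r ip; do
        echo "ipset -exist add ddosingips $ip"
    done
}

sample_ss_output | block_commands   # prints: ipset -exist add ddosingips 198.51.100.7
```

To use it on a live host, feed `offenders` from `ss -n -4 state established` and review the printed commands before running them.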