I wrote an article about mitigating DDoS attacks with mod_evasive in a previous post, but mod_evasive alone is not enough, because DDoS techniques vary. The basic idea of a DDoS (Distributed Denial of Service) attack is to flood the server with requests. This keeps the server busy, and once it is overloaded the service goes down. The flood can come from a single IP address or from many.
You can count how many connections each IP address has open to your server with netstat. Here is the command:
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
It will show something like this (connection count on the left, IP address on the right; the -n flag avoids slow reverse DNS lookups, and the count includes connections in TIME_WAIT, not only established ones):
5 200.40.138.18
5 80.72.93.190
6 85.224.109.243
7 151.71.229.240
9 88.26.112.30
12 93.196.4.253
18 125.166.209.235
28 212.117.8.117
49 24.4.107.73
52 205.134.249.144
If a single IP address has more than 100 connections open, that is unusual for a normal visitor (a corporate NAT gateway or a proxy can legitimately look like this, so check before you ban). You can block that IP with an iptables rule. That is not hard to do, but checking netstat by hand every day and banning addresses one by one is a waste of your time. (D)DoS Deflate automates it.
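Before installing anything, it helps to see what the script will be doing for you. The following is an added example (my own code, not from the original post and not the (D)DoS Deflate script): a small, testable version of the "count connections per source address, skip the whitelist, ban anything over the threshold" logic. It runs offline on a constructed netstat -ntu sample; all function names, the sample rows and the 3-connection threshold are my own choices, and the ban rule is printed rather than executed.

```sh
#!/bin/sh
# Added example, not code from the original post or from the (D)DoS Deflate
# script. Function and variable names are my own.

# Constructed sample of `netstat -ntu` output (documentation address ranges).
# The two header lines are included on purpose: the one-liner in the post
# counts them as "addresses" too; this version skips them.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.10:51234      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.10:51235      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.10:51236      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.10:51237      TIME_WAIT
tcp        0      0 10.0.0.5:80             203.0.113.10:51238      ESTABLISHED
tcp        0      0 10.0.0.5:443            198.51.100.7:40010      ESTABLISHED
tcp        0      0 10.0.0.5:443            198.51.100.7:40011      ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.44:55001        ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.44:55002        ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.44:55003        ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.44:55004        ESTABLISHED
tcp6       0      0 2001:db8::5:443         2001:db8:1::7:40001     ESTABLISHED
tcp6       0      0 2001:db8::5:443         2001:db8:1::7:40002     ESTABLISHED
tcp6       0      0 2001:db8::5:443         2001:db8:1::7:40003     ESTABLISHED
tcp6       0      0 2001:db8::5:443         2001:db8:1::7:40004     ESTABLISHED
tcp6       0      0 2001:db8::5:443         2001:db8:1::7:40005     ESTABLISHED
tcp6       0      0 2001:db8::5:443         2001:db8:1::7:40006     ESTABLISHED'

# Read netstat output on stdin, print "<count> <ip>" per foreign address,
# busiest first. Only tcp/udp rows are counted, and only the trailing ":port"
# is stripped, so IPv6 addresses survive (the post's `cut -d: -f1` would
# reduce 2001:db8:1::7 to "2001"). TIME_WAIT rows count like any other.
count_by_ip() {
    awk '$1 ~ /^(tcp|udp)6?$/ { a = $5; sub(/:[0-9]+$/, "", a); n[a]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Read "<count> <ip>" lines on stdin and print the addresses whose count is
# above $1, skipping any address listed one per line in the whitelist file $2
# (defaults to the ignore list the post edits).
over_threshold() {
    threshold=$1
    whitelist=${2:-/usr/local/ddos/ignore.ip.list}
    while read -r count ip; do
        [ "$count" -gt "$threshold" ] || continue
        grep -qxF -- "$ip" "$whitelist" 2>/dev/null && continue
        printf '%s\n' "$ip"
    done
}

# Build the firewall rule that drops traffic from an address. It is returned
# as text rather than executed so the example is safe to run anywhere; pipe
# the output to sh as root to apply it (use -D instead of -I to unban).
# IPv6 addresses need ip6tables; plain iptables silently cannot ban them.
ban_cmd() {
    case $1 in
        *:*) printf 'ip6tables -I INPUT -s %s -j DROP\n' "$1" ;;
        *)   printf 'iptables -I INPUT -s %s -j DROP\n' "$1" ;;
    esac
}

# Demo: 3-connection threshold, with the admin host 192.0.2.44 whitelisted
# in a constructed temporary ignore list.
main() {
    wl=$(mktemp)
    printf '192.0.2.44\n' > "$wl"
    printf '%s\n' "$SAMPLE_NETSTAT" | count_by_ip | over_threshold 3 "$wl" |
        while read -r ip; do ban_cmd "$ip"; done
    rm -f "$wl"
}

main
```

On a live box you would replace the sample with the real command, for example: netstat -ntu | count_by_ip | over_threshold 100. The threshold of 3 exists only to make the constructed sample interesting; 100 or more is the realistic range, and higher still if your users sit behind a shared NAT.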
(D)DoS Deflate is a lightweight bash shell script designed to assist in blocking a denial of service attack. It runs the same kind of netstat count from cron and, with (D)DoS Deflate, you can configure how long an IP address stays blocked and how many connections count as an attack.
How to install it:
- Open your terminal and login as root
- Download (D)DoS Deflate:
wget http://www.inetbase.com/scripts/ddos/install.sh
- Read through the script before running it (it was fetched over plain HTTP, and the installer runs as root), then give it execute permission:
chmod 0700 install.sh
- Install it:
./install.sh
To whitelist your own IP address (so the script never bans you or your monitoring hosts), add it, one address per line, in this file:
vim /usr/local/ddos/ignore.ip.list
Configure (D)DoS Deflate (connection threshold, ban period, email notification) in:
vim /usr/local/ddos/ddos.conf
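As an added illustration of the settings that matter, here is a ddos.conf with the values I would start from. The variable names are those of the stock ddos.conf as I remember it, not copied from the original post; verify them against the file the installer put in /usr/local/ddos before relying on the comments, and the numbers are my own suggestions.

```sh
# Added example of /usr/local/ddos/ddos.conf (sourced by ddos.sh). Variable
# names as I recall the stock file; check them against your installed copy.

##### Paths of the script and other files
PROGDIR="/usr/local/ddos"
PROG="/usr/local/ddos/ddos.sh"
IGNORE_IP_LIST="/usr/local/ddos/ignore.ip.list"   # one IP per line, never banned
CRON="/etc/cron.d/ddos.cron"
APF="/etc/apf/apf"
IPT="/sbin/iptables"

##### How often (in minutes) cron runs the check. If you change this,
##### re-run the script with --cron so the new cron entry is written.
FREQ=1

##### Connections from one address that count as an attack. 150 is the
##### stock default; raise it if your users sit behind a shared NAT or
##### proxy, or you will ban a whole office for one busy page.
NO_OF_CONNECTIONS=150

##### APF_BAN=1 bans through APF, APF_BAN=0 uses iptables directly.
##### Set 0 unless APF is actually installed, or nothing gets blocked.
APF_BAN=0

##### KILL=0 only reports offending IPs (useful for a dry run from the
##### shell), KILL=1 bans them. Start with 0, watch a few runs, then set 1.
KILL=1

##### Address that receives a mail for every ban; empty suppresses mail.
EMAIL_TO="root"

##### Seconds a banned address stays blocked before the rule is removed.
BAN_PERIOD=600
```

The two settings to get right first are NO_OF_CONNECTIONS and APF_BAN: the first decides who gets banned, the second decides whether bans are applied at all on a machine without APF. Add your own address to ignore.ip.list before switching KILL to 1.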
For more details, visit the (D)DoS Deflate website.