
Linux Basic DDos Protection Linux & Win

narko

DDoS protection is a big part of a sysadmin's job these days, especially on big forums/hosts.
Obviously, the best plan would be to buy another server, set up a Cisco firewall on it and reroute all traffic to the main server. Unfortunately, this would require funds for another dedicated server.

So, the only solution that would work right now is using the box itself as a firewall. This tutorial is for cPanel.

First things first, we make sure that everything is up to date.
Code:
apt-get update
apt-get upgrade
apt-get install libwww-perl
Ok, time to install a decent firewall. Because this server is running cPanel, we may as well use a firewall that integrates into cPanel. This is just to allow for easy configuration, CSF is great so we shall be installing that.
Code:
wget http://www.configserver.com/free/csf.tgz
tar -xzvf csf.tgz
cd csf
sh install.sh
Go to /etc/csf/csf.conf and put in the following
Code:
http://pastebin.com/eGnbi6SY
Next, we need some extra firewall rules to filter the common packets found in DDoS attacks. We will also limit the number of connections allowed to the server.
Code:
# Enable SYN cookies so a SYN flood cannot exhaust the listen backlog
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Limit each client to 100 concurrent connections on port 80
# (modern iptables syntax puts "!" before the option: "! -d", not "-d !")
iptables -A INPUT -p tcp --syn --dport 80 ! -d 127.0.0.1 -m connlimit --connlimit-above 100 -j REJECT --reject-with tcp-reset
# Drop packets with bogus TCP flag combinations (NULL, XMAS-style, SYN+FIN, ...)
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
# Drop packets the connection tracker cannot associate with any connection
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP

# syn-flood chain: let a burst of 4, then 1 per second, pass; drop the rest.
# The limit is global, not per source, so it also caps legitimate new connections.
iptables -N syn-flood
iptables -A syn-flood -m limit --limit 1/second --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP

# udp-flood chain: same idea for UDP (4 per second, burst 4)
iptables -N udp-flood
iptables -A udp-flood -m limit --limit 4/second --limit-burst 4 -j RETURN
iptables -A udp-flood -j DROP

# New connection attempts (SYN set, RST/ACK/FIN clear) go through the syn-flood chain
iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST,ACK,FIN SYN -j syn-flood # SYN flood
# A NEW connection that does not start with SYN is invalid
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -i eth0 -p udp -j udp-flood
# Drop fragmented packets
iptables -A INPUT -i eth0 -f -j DROP
# Persist the rule set
sudo bash -c "iptables-save > /etc/iptables.rules"
Next, we will install some connection-based IP banning. There is some software called ddos_deflate that we are going to use.
Download ddos_deflate.
Code:
wget http://www.inetbase.com/scripts/ddos/install.sh
sh install.sh
ctrl+z
Great, that's installed. Now we need to change some settings.
Code:
nano /usr/local/ddos/ddos.conf

NO_OF_CONNECTIONS=100
BAN_PERIOD=12000
APF_BAN=0
Save the file and exit (ctrl+x, then press Y). Next we need to modify ddos_deflate to work with CSF.
Code:
nano /usr/local/ddos/ddos.sh
Go to line 138 and replace this
Code:
$IPT -I INPUT -s $CURR_LINE_IP -j DROP
with
Code:
csf -d $CURR_LINE_IP
and execute this
Code:
cp -s /usr/local/ddos/ddos.sh /usr/local/sbin/ddos
I also have a mod of ddos_deflate to work with SYN packets. There was once a program called syn_deflate that did exactly this, however the script stopped being made available and was lost forever!
Code:
mkdir /usr/local/synd
nano /usr/local/synd/synd.conf
The contents of synd.conf:
Code:
##### Paths of the script and other files
PROGDIR="/usr/local/synd"
PROG="/usr/local/synd/synd.sh"
IGNORE_IP_LIST="/usr/local/synd/ignore.ip.list"
CRON="/etc/cron.d/synd.cron"
APF="/etc/apf/apf"
IPT="/sbin/iptables"

##### frequency in minutes for running the script
##### Caution: Every time this setting is changed, run the script with --cron
#####          option so that the new frequency takes effect
FREQ=1

##### How many connections define a bad IP? Indicate that below.
NO_OF_CONNECTIONS=10

##### APF_BAN=1 (Make sure your APF version is at least 0.96)
##### APF_BAN=0 (Uses iptables for banning ips instead of APF)
APF_BAN=0

##### KILL=0 (Bad IPs aren't banned, good for interactive execution of script)
##### KILL=1 (Recommended setting)
KILL=1

##### An email is sent to the following address when an IP is banned.
##### Blank would suppress sending of mails
EMAIL_TO="[email protected]"

##### Number of seconds the banned ip should remain in blacklist.
BAN_PERIOD=12000
And next
Code:
nano /usr/local/synd/ignore.ip.list
and write
Code:
127.0.0.1
yourip
Next
Code:
nano /usr/local/synd/synd.sh
Content:
Code:
#!/bin/sh
# Read the configuration file; abort if it is missing
load_conf()
{
    CONF="/usr/local/synd/synd.conf"
    if [ -n "$CONF" ] && [ -f "$CONF" ]; then
        . "$CONF"    # POSIX sh has no "source"; "." does the same job
    else
        head
        echo "\$CONF not found."
        exit 1
    fi
}

# Print the banner
head()
{
    echo "Syn-Deflate"
    echo "Based on DoS-Deflate"
    echo
}

showhelp()
{
    head
    echo 'Usage: synd.sh [OPTIONS] [N]'
    echo 'N : number of SYN_RECV connections (default 10)'
    echo 'OPTIONS:'
    echo '-h | --help: Show this help screen'
    echo '-c | --cron: Create cron job to run this script regularly (default 1 mins)'
    echo '-k | --kill: Block the offending ip making more than N SYN_RECV connections'
}

unbanip()
Next
Code:
chmod 0755 /usr/local/synd/synd.sh
cp -s /usr/local/synd/synd.sh /usr/local/sbin/synd
/usr/local/synd/synd.sh --cron > /dev/null 2>&1
And done, you are protected from beginner attackers!

For Windows, look at this:
Windows DDoS Protection: Optimising the TCP/IP stack
Open Notepad and save the following as run.cmd.
Press Y to run the tweak, then Q at the menu to disable QoS.
Code:
CLS
@Echo OFF
ECHO  ------------------------------------------
ECHO  Type "y" to optimize Vista TCP/IP settings
ECHO  Type "q" to disable QoS reserved bandwidth
ECHO  Type "d" to revert to Vista default values
ECHO  Type "n" to cancel patch and exit
ECHO  ------------------------------------------
:LOOP
SET /P choice1= Type y,n,q, or d, and press ENTER:
IF /I "%choice1%"=="Y" GOTO TWEAK
IF /I "%choice1%"=="Q" GOTO QOS
IF /I "%choice1%"=="D" GOTO DEFAULT
IF /I "%choice1%"=="N" GOTO CANCEL
:: ELSE
GOTO LOOP

:TWEAK
@Echo ON
netsh int tcp set global rss=enabled
netsh int tcp set global chimney=enabled
netsh int tcp set global autotuninglevel=normal
netsh int tcp set global congestionprovider=ctcp
netsh int tcp set global ecncapability=disabled
netsh int tcp set global timestamps=disabled
@Echo OFF
cd %temp%
ECHO > SG_Vista_TcpIp_Patch.reg Windows Registry Editor Version 5.00
ECHO >> SG_Vista_TcpIp_Patch.reg [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
ECHO >> SG_Vista_TcpIp_Patch.reg "DefaultTTL"=dword:00000040
ECHO >> SG_Vista_TcpIp_Patch.reg "EnableTCPA"=dword:00000001
ECHO >> SG_Vista_TcpIp_Patch.reg "Tcp1323Opts"=dword:00000001
ECHO >> SG_Vista_TcpIp_Patch.reg "TCPMaxDataRetransmissions"=dword:00000007
ECHO >> SG_Vista_TcpIp_Patch.reg "TCPTimedWaitDelay"=dword:0000001e
ECHO >> SG_Vista_TcpIp_Patch.reg "SynAttackProtect"=dword:00000001
ECHO >> SG_Vista_TcpIp_Patch.reg [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider]
ECHO >> SG_Vista_TcpIp_Patch.reg "LocalPriority"=dword:00000004
ECHO >> SG_Vista_TcpIp_Patch.reg "HostsPriority"=dword:00000005
ECHO >> SG_Vista_TcpIp_Patch.reg "DnsPriority"=dword:00000006
ECHO >> SG_Vista_TcpIp_Patch.reg "NetbtPriority"=dword:00000007
regedit /s SG_Vista_TcpIp_Patch.reg
del SG_Vista_TcpIp_Patch.reg
CLS
ECHO  * PATCH SUCCESSFULLY APPLIED - PRESS ANY KEY TO EXIT *
GOTO SUCCESS

:QOS
@Echo OFF
cd %temp%
ECHO > SG_Vista_TcpIp_Patch.reg Windows Registry Editor Version 5.00
ECHO >> SG_Vista_TcpIp_Patch.reg [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Psched]
ECHO >> SG_Vista_TcpIp_Patch.reg "NonBestEffortLimit"=dword:00000000
regedit /s SG_Vista_TcpIp_Patch.reg
del SG_Vista_TcpIp_Patch.reg
CLS
ECHO  * QOS PATCH SUCCESSFULLY APPLIED - PRESS ANY KEY TO EXIT *
ECHO.
ECHO  * Visit SpeedGuide.net for more broadband info and tweaks *
ECHO.
@Pause
EXIT

:DEFAULT
@Echo ON
netsh int tcp set global rss=default
netsh int tcp set global chimney=default
netsh int tcp set global autotuninglevel=normal
netsh int tcp set global congestionprovider=default
netsh int tcp set global ecncapability=default
netsh int tcp set global timestamps=default
@Echo OFF
cd %temp%
ECHO > SG_Vista_TcpIp_Default.reg Windows Registry Editor Version 5.00
ECHO >> SG_Vista_TcpIp_Default.reg [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
ECHO >> SG_Vista_TcpIp_Default.reg "DefaultTTL"=-
ECHO >> SG_Vista_TcpIp_Default.reg "EnableTCPA"=-
ECHO >> SG_Vista_TcpIp_Default.reg "Tcp1323Opts"=dword:00000000
ECHO >> SG_Vista_TcpIp_Default.reg "TCPMaxDataRetransmissions"=dword:000000ff
ECHO >> SG_Vista_TcpIp_Default.reg "TCPTimedWaitDelay"=dword:ffffffff
ECHO >> SG_Vista_TcpIp_Default.reg "SynAttackProtect"=-
ECHO >> SG_Vista_TcpIp_Default.reg [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider]
ECHO >> SG_Vista_TcpIp_Default.reg "LocalPriority"=dword:000001f3
ECHO >> SG_Vista_TcpIp_Default.reg "HostsPriority"=dword:000001f4
ECHO >> SG_Vista_TcpIp_Default.reg "DnsPriority"=dword:000007d0
ECHO >> SG_Vista_TcpIp_Default.reg "NetbtPriority"=dword:000007d1
ECHO >> SG_Vista_TcpIp_Default.reg [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Psched]
ECHO >> SG_Vista_TcpIp_Default.reg "NonBestEffortLimit"=-
regedit /s SG_Vista_TcpIp_Default.reg
del SG_Vista_TcpIp_Default.reg
CLS
ECHO  * VISTA DEFAULT VALUES SUCCESSFULLY APPLIED - PRESS ANY KEY TO EXIT *
GOTO SUCCESS

:SUCCESS
netsh int tcp show global
@Pause
EXIT

:CANCEL
CLS
ECHO   * PATCH CANCELLED BY USER - PRESS ANY KEY TO EXIT *
@Pause
EXIT

All information is here: Linux DDoS Protection - WJunction - Webmaster Forum. I modified some bits ;D
Additional information

Null route IPs how-to (Linux)

Null route an IP using the route command. Suppose that the bad IP is 65.21.34.4; type the following command at the shell:
Code:
route add 65.21.34.4 gw 127.0.0.1 lo
You can verify it with the following command:
Code:
netstat -nr
or
Code:
route -n
You can also use the reject target:
Code:
route add -host IP-ADDRESS reject
route add -host 64.1.2.3 reject
To confirm the null routing status, use the ip command as follows:
Code:
ip route get 64.1.2.3
Output:
Code:
RTNETLINK answers: Network is unreachable
Drop the entire subnet 192.67.16.0/24:
Code:
route add -net 192.67.16.0/24 gw 127.0.0.1 lo
You can also use the ip command to null route a network or IP:
Code:
ip route add blackhole 202.54.5.2/29
route -n
How do I remove null routing? How do I remove a blocked IP address? Simply use the route delete command:
Code:
route delete 65.21.34.4
Information here: How do I Drop or block attackers IP with null routes?
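The banning logic that ddos_deflate and the syn_deflate-style synd.sh above are built on is a per-IP count of netstat lines compared against NO_OF_CONNECTIONS, with ignore.ip.list exempting hosts. As an added example, not code from the original post, from ddos_deflate or from syn_deflate, the following POSIX sh functions implement that count reading "netstat -ntu" style output from stdin, so the threshold and ignore list can be checked against a saved capture before anything is banned. The function names (offenders, ban_offenders, sample_netstat, demo) are this example's own, and the netstat lines in sample_netstat are constructed, not a real capture; the ban command is the "csf -d IP" the post substitutes into ddos.sh.

```shell
#!/bin/sh
# Added example (not from the original post, ddos_deflate or syn_deflate):
# per-IP connection counting over "netstat -ntu" output read from stdin.
# Function names are this example's own; the sample netstat lines below
# are constructed for the example.

# offenders THRESHOLD [IGNORE_FILE] [STATE]
#   Prints "count ip" for every remote IP with more than THRESHOLD lines in
#   the netstat output (column 5 is "ip:port"; the port is stripped).  IPs
#   listed one per line in IGNORE_FILE are skipped, like ignore.ip.list.
#   With STATE set (e.g. SYN_RECV) only lines in that state are counted,
#   which is the half-open-connection count the synd variant uses.
offenders() {
    threshold="$1"
    ignore_file="${2:-/dev/null}"
    state="${3:-}"
    awk -v max="$threshold" -v ign="$ignore_file" -v want="$state" '
        BEGIN { while ((getline line < ign) > 0) if (line != "") ignore[line] = 1 }
        $1 ~ /^(tcp|udp)/ {
            if (want != "" && $6 != want) next
            ip = $5; sub(/:[0-9]+$/, "", ip)        # drop the remote port
            if (ip == "" || (ip in ignore)) next
            count[ip]++
        }
        END { for (ip in count) if (count[ip] > max) printf "%d %s\n", count[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# ban_offenders THRESHOLD [IGNORE_FILE] [STATE]
#   Same input; runs the ban command the post substitutes into ddos.sh
#   ("csf -d IP") for each offender.  DRY_RUN=1 (the default here, the
#   counterpart of KILL=0 in synd.conf) only prints what would be banned.
ban_offenders() {
    offenders "$@" | while read -r count ip; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "would run: csf -d $ip   ($count connections)"
        else
            csf -d "$ip"
        fi
    done
}

# Constructed sample in the layout of "netstat -ntu" (not a real capture):
# 203.0.113.7 holds 4 connections, 198.51.100.9 has 1 established plus 3
# half-open (SYN_RECV), 127.0.0.1 has 5, the rest are single connections.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51237       ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.9:40001      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.9:40002      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.9:40003      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.9:40004      SYN_RECV
tcp        0      0 10.0.0.5:22             127.0.0.1:55000         ESTABLISHED
tcp        0      0 10.0.0.5:22             127.0.0.1:55001         ESTABLISHED
tcp        0      0 10.0.0.5:22             127.0.0.1:55002         ESTABLISHED
tcp        0      0 10.0.0.5:22             127.0.0.1:55003         ESTABLISHED
tcp        0      0 10.0.0.5:22             127.0.0.1:55004         ESTABLISHED
udp        0      0 10.0.0.5:53             192.0.2.44:5353
tcp6       0      0 :::80                   ::ffff:192.0.2.10:5555  TIME_WAIT
EOF
}

# Run the three checks on the constructed sample (no root needed)
demo() {
    ign=$(mktemp)
    printf '127.0.0.1\n' > "$ign"        # same entry the post puts in ignore.ip.list
    echo "## more than 3 connections, ignoring 127.0.0.1 (ddos_deflate style):"
    sample_netstat | offenders 3 "$ign"
    echo "## more than 2 half-open connections (synd style, SYN_RECV only):"
    sample_netstat | offenders 2 "$ign" SYN_RECV
    echo "## dry run of the ban step:"
    sample_netstat | ban_offenders 3 "$ign"
    rm -f "$ign"
}

demo
```

On a live box the functions take real input the same way, for instance `netstat -ntu | offenders 100 /usr/local/synd/ignore.ip.list`, and `DRY_RUN=0` makes ban_offenders actually call csf. The dry-run default exists because the count is per remote IP, so anything that multiplexes many users behind one address (a NAT gateway, a proxy, the server's own monitoring on 127.0.0.1) will cross the threshold long before an attacker does; the ignore list is the only thing standing between that and a self-inflicted ban.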
 
225 views, no comments, no rep?

Do not ask for comments or rep just because you post this?
A lot of basic/simple DDoS protection is available on the forum.
You're not the first one :) Still no idea to "beg" or "ask" for rep ^^
 
It didn't sound like he was 'begging' for rep. Nor did he 'ask' for rep.
He simply said "225 views, no comments, no rep?"
 
Found this exact same tutorial on two other forums but you edited the /etc/csf/csf.conf.
Gotta thank you for that.

Rep+
 
As I said this is just a basic protection against home pc nukers.
 
How much % does this work, and how much % of DDoS attacks can it block?
 
There's not an exact percentage of protection, but if you follow this tutorial you can make sure that anyone would DDoS with a home connection. As it's just a basic protection you are still vulnerable to heavy DDoS attacks.
 
It probably doesn't work at all. Those methods might work on an edge router but not on a target host with a limited network capacity.
 