
Full Protect Against DDos Attack and Flood !


Anillka (Mind Freak), joined Dec 13, 2008
This thread is about DDoS attacks and also flood attacks that damage your root server. I will explain how to protect your root and your server against DDoS attacks and floods!
Note :-
This is for Linux only, and some scripts will be put into the Gesior acc!

All you have to do is use SSH Secure Shell to run these commands in!
Here is the download link, or use the official site!
SSH_Secure_Shell.zip
If you use BIND9, try to update it to 9.3.4 because BIND9 has an exploit!

OK, let's start!

Go to SSH Secure Shell and run these commands!

1- Update your host.conf and sysctl.conf to make them stronger!
PHP:
cd /etc/
mv sysctl.conf sysctl.conf.css   # keeps a copy of the original file before it is replaced
PHP:
pico sysctl.conf

then put this in sysctl.conf
PHP:
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 0

# Controls source route verification (reverse path filtering)
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0

# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# Log Spoofed Packets, Source Routed Packets, Redirect Packets
# (the original file set these to 0 here and net.ipv4.conf.all.log_martians
# to 1 further down; the last value in the file wins, so they are set to 1 once)
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.lo.log_martians = 1
net.ipv4.conf.eth0.log_martians = 1

# Lower retry rates
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 3

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Max File Handlers
# (8192 is below the default most kernels derive from RAM; compare with
# the current value in /proc/sys/fs/file-max before lowering it)
fs.file-max = 8192

# Ctrl+Alt+Del handling: 0 hands the key combination to init, which acts on
# the ca:: line in /etc/inittab; 1 reboots immediately without going through
# init. Neither value disables the keys; comment out the ca:: line in
# /etc/inittab for that.
kernel.ctrl-alt-del = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Decrease the default value for the tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 15

# Decrease the default value for the tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1800

# Turn off tcp_window_scaling, tcp_sack and tcp_timestamps
# (this costs TCP throughput on fast links; SYN cookies below work without them)
net.ipv4.tcp_window_scaling = 0
net.ipv4.tcp_sack = 0
net.ipv4.tcp_timestamps = 0

# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1

# Ignore ICMP echo requests sent to broadcast addresses
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Increases the size of the SYN queue (effectively, q0).
net.ipv4.tcp_max_syn_backlog = 1024

# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 1440000

# Allowed local port range (the upper bound may not exceed 65535; the
# original's 65536 is out of range and sysctl -p rejects the line)
net.ipv4.ip_local_port_range = 16384 65535

For those who use CentOS 5.x:
PHP:
# Kernel sysctl configuration file for Centos 5.x
# http://www.securecentos.com
# See sysctl(8) and sysctl.conf(5) for more details.
# (the original listed the accept_source_route, rp_filter and accept_redirects
# lines twice and set log_martians to 0 and then to 1; each key is set once here)
kernel.panic = 60
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.lo.log_martians = 1
net.ipv4.conf.eth0.log_martians = 1
kernel.sysrq = 0
net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_keepalive_time = 1800
net.ipv4.tcp_window_scaling = 0
net.ipv4.tcp_sack = 0
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_max_tw_buckets = 1440000
# upper bound may not exceed 65535 (the original had 65536, which sysctl rejects)
net.ipv4.ip_local_port_range = 16384 65535
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.all.arp_ignore = 1

then run these commands!
PHP:
/sbin/sysctl -p
PHP:
sysctl -w net.ipv4.route.flush=1
PHP:
cd /etc
mv host.conf host.conf.css
PHP:
pico host.conf

then add this to host.conf
PHP:
# Look up names in /etc/hosts first, then fall back to DNS
order hosts,bind
# Check for IP address spoofing.
nospoof on
# Return every address listed in /etc/hosts for a host that has several
multi on

then restart httpd!
PHP:
service httpd restart

2- Activate SYN cookies.
PHP:
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

3- Then, for those who want to use the Easy Linux Security program (better if you use it):
run this command to install the program
PHP:
# the installer runs as root; read installer.sh before running it
wget --output-document=installer.sh http://servermonkeys.com/projects/els/installer.sh; chmod +x installer.sh; sh installer.sh
4- For those who use APF + BFD, I will include the best tools!
Update the ELS script
PHP:
els --update
If it's already updated you will get this
PHP:
ELS 3.0.0.3 is the latest release, there is no need to update.
Then the best way to use APF:
to install the program on your server!
PHP:
els --apf
After you have the program on your server, run this!
PHP:
pico /etc/apf/conf.apf
and make sure you have these lines in your conf.apf
PHP:
EGF="1"      # egress (outbound) filtering
USE_DS="1"   # use the dshield.org block list
USE_AD="1"   # enable the antidos module configured below
then go to this!
PHP:
pico /etc/apf/ad/conf.antidos
and make sure you already have these lines!
PHP:
LP_KLOG="1"
CONAME="Your Company"
USR_ALERT="1"
USR="[email protected]"

5- These commands are for the firewall! (Additional information for your knowledge!)
To start the firewall use
PHP:
/usr/local/sbin/apf -s
and to restart the firewall use
PHP:
/usr/local/sbin/apf -r
and to stop the firewall use
PHP:
/usr/local/sbin/apf -f
and to check the status of the firewall
PHP:
/usr/local/sbin/apf -st

6- Running commands in apf to block or allow IPs!
To allow an IP use this
PHP:
/usr/local/sbin/apf -a 124.11.11.11
Change 124.11.11.11 to the IP you want

To block someone's IP use this
PHP:
/usr/local/sbin/apf -d 124.11.11.11
Change 124.11.11.11 to the IP you want

7- After you have done all this for apf, run these commands so the firewall applies the blocked and allowed IPs!
PHP:
/etc/apf/ad/antidos -a
/usr/local/sbin/apf -r

8- For those who use the program BFD, Brute Force Detection (perfect!)
run this command after you put the program on your server!
PHP:
els --bfd
and to apply changes and edit!
PHP:
pico -w /usr/local/bfd/conf.bfd
make sure you have these lines in conf.bfd
PHP:
ALERT_USR="1"
EMAIL_USR="[email protected]"
and change your email address! When an attack happens you will receive a message with the IP!

Commands for that program!
To start it use!
PHP:
/usr/local/sbin/bfd -s
to allow an IP run this command
PHP:
pico -w /etc/bfd/allow_hosts.rules
and put the IP you want in the file allow_hosts.rules
and to block an IP run this command
PHP:
# one address per line; BFD skips (never bans) the addresses listed in ignore.hosts
pico -w /usr/local/bfd/ignore.hosts
and put the IP you want to block in ignore.hosts

9- Against DoS: DDoS Deflate!
PHP:
wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh
./install.sh
and edit this!
PHP:
pico /usr/local/ddos/ddos.conf
PHP:
NO_OF_CONNECTIONS=150
Put the number you want; that is the number of connections from one IP at which it gets banned!
and make sure of these lines!
PHP:
APF_BAN=1
EMAIL_TO="[email protected]"
# this is how many seconds the IP stays blocked
BAN_PERIOD=600

to know who is connected to your server!
PHP:
cd /usr/local/ddos/;./ddos.sh
sh /usr/local/ddos/ddos.sh

to block an IP do!
PHP:
# one address per line; ddos.sh skips (never bans) the addresses listed in ignore.ip.list
pico /usr/local/ddos/ignore.ip.list
and put the IP in ignore.ip.list

to run the program after editing do this command!
PHP:
/usr/local/ddos/ddos.sh -c   # installs the cron job that runs the check
iptables -F                  # flushes every iptables rule, including those added by APF and earlier bans
to uninstall the program do this command!
PHP:
wget http://www.inetbase.com/scripts/ddos/uninstall.ddos
chmod 0700 uninstall.ddos
./uninstall.ddos

FINAL :-
To know who is already attacking your site and who is online!
do this command!
PHP:
netstat -plan|grep :80|awk '{print $5}'|cut -d: -f 1|sort|uniq -c|sort -nk 1
or
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

EXAMPLE OF IPS :-
PHP:
      1 195.229.235.36
      1 195.229.235.39
      1 195.229.236.214
      1 195.229.237.39
      1 195.229.242.53
      1 195.229.242.55
      1 195.229.242.56
      1 196.12.217.252
      1 196.20.126.97
      1 41.200.213.119
      1 86.60.97.145
      1 89.108.0.85
      2 195.229.235.41
      2 41.201.175.161
      2 41.248.162.42
      2 77.30.118.133
      2 94.97.78.197
      3 84.11.138.148
    400 85.11.152.165

That means this IP 85.11.152.165 is attacking you with DDoS!
So block it with the commands I gave for every program!
When someone tries to attack you, you will get a message at the email you set:
IP addresses banned on Wed Mar 13 17:10:07 AST 2010

I ADVISE THOSE WHO USE A VPS NOT TO USE CSF! Because it needs a lot of RAM and speed!

Add this in index.php for your website!
PHP:
<?php
$ad_ddos_query=10; // number of requests in one second that counts as a DDoS attack
$ad_check_file='check.txt'; // file that stores the current monitoring state
$ad_temp_file='all_ip.txt'; // every IP seen while protection is active
$ad_black_file='black_ip.txt'; // IPs of zombie machines will be entered here
$ad_white_file='white_ip.txt'; // IPs of visitors who pressed the button
$ad_dir='anti_ddos'; // directory holding the files above; deny direct web access to it, the files are readable and writable by the web server
$ad_num_query=0; // current number of queries in this second, from $ad_check_file
$ad_sec_query=0; // the second those queries were counted in, from $ad_check_file
$ad_end_defense=0; // time at which protection ends, from $ad_check_file
$ad_sec=date("s"); // current second
$ad_date=date("mdHis"); // current time as a digit string: month, day, hour, minute, second
$ad_defense_time=10000; // added to $ad_date when an attack is found: 10000 in mdHis digits is one hour, not 10000 seconds

if(!file_exists("{$ad_dir}/{$ad_check_file}") or !file_exists("{$ad_dir}/{$ad_temp_file}") or !file_exists("{$ad_dir}/{$ad_black_file}") or !file_exists("{$ad_dir}/{$ad_white_file}") or !file_exists("{$ad_dir}/anti_ddos.php")){
  die("Not enough File.");
}

// check.txt is PHP written by this script; it sets $ad_num_query and $ad_sec_query, or $ad_end_defense
require("{$ad_dir}/{$ad_check_file}");

if ($ad_end_defense and $ad_end_defense>$ad_date){
  require("{$ad_dir}/anti_ddos.php"); // protection is active: filter this request
} else {
  if($ad_sec==$ad_sec_query){
    $ad_num_query++;
  } else {
    $ad_num_query=1;
  }

  if ($ad_num_query>=$ad_ddos_query){
    // attack found: switch anti_ddos.php on until $ad_end_defense
    $ad_file=fopen("{$ad_dir}/{$ad_check_file}","w");
    $ad_end_defense=$ad_date+$ad_defense_time;
    $ad_string='<?php $ad_end_defense='.$ad_end_defense.'; ?>';
    fputs($ad_file,$ad_string);
    fclose($ad_file); // the original closed $ad_fp, a handle that was never opened
  } else {
    $ad_file=fopen("{$ad_dir}/{$ad_check_file}","w");
    $ad_string='<?php $ad_num_query='.$ad_num_query.'; $ad_sec_query='.$ad_sec.'; ?>';
    fputs($ad_file,$ad_string);
    fclose($ad_file);
  }
}
?>
and make another file!
anti_ddos.php
PHP:
<?php
// X-Forwarded-For is a header the client itself can set, so trusting it lets an attacker
// choose which address gets whitelisted or blacklisted. It is only used when this flag is
// on, i.e. when the site sits behind a reverse proxy you control that sets the header.
$ad_trust_proxy=false;

function getIP() {
    global $ad_trust_proxy;
    $ad_xff=getenv("HTTP_X_FORWARDED_FOR");
    if($ad_trust_proxy and $ad_xff and preg_match("/^[0-9\.]*?[0-9\.]+$/is",$ad_xff) and $ad_xff!='127.0.0.1') {
        $ip = $ad_xff;
    } else {
        $ip = getenv("REMOTE_ADDR");
    }
    return $ip;
}
$ad_ip=getIP();

// each list file holds IPs separated by spaces on one line; the cast copes with an empty file
$ad_source=explode(' ',(string)file_get_contents("{$ad_dir}/{$ad_black_file}"));
if (in_array($ad_ip,$ad_source)){die();} // known zombie: serve nothing

$ad_source=explode(' ',(string)file_get_contents("{$ad_dir}/{$ad_white_file}"));
if (!in_array($ad_ip,$ad_source)){ // visitors who already pressed the button pass straight through

  $ad_source=explode(' ',(string)file_get_contents("{$ad_dir}/{$ad_temp_file}"));
  if (!in_array($ad_ip,$ad_source)){
    // first request from this IP during the attack: remember it and show the button
    $ad_file=fopen("{$ad_dir}/{$ad_temp_file}","a+");
    fputs($ad_file,$ad_ip.' ');
    fclose($ad_file); // the original closed $ad_fp, a handle that was never opened
    ?>

    The site is currently under a DDoS attack. If you are not a zombie machine of the attacker, click the button; otherwise your IP (<?php echo htmlspecialchars($ad_ip); ?>) will be blocked!!!
    <form method="post">
    <input type="submit" name="ad_white_ip" value="Button">
    </form>

    <?php
    die();
  }
  elseif (isset($_POST['ad_white_ip'])){
    // second request came from the button: a browser with a person behind it, whitelist it
    $ad_file=fopen("{$ad_dir}/{$ad_white_file}","a+");
    fputs($ad_file,$ad_ip.' ');
    fclose($ad_file);
  }
  else {
    // second request without pressing the button: treated as a zombie, blacklist it
    $ad_file=fopen("{$ad_dir}/{$ad_black_file}","a+");
    fputs($ad_file,$ad_ip.' ');
    fclose($ad_file);
    die();
  }
}
?>
Add the IPs you want to check, block or allow!
white_ip.txt
check.txt
black_ip.txt
all_ip.txt

Put those files in your htdocs
and use this command to include the files
PHP:
require("anti_ddos/index.php");
Also check this thread, it will help!
http://otland.net/f258/anti-ddos-apache-44075/

Thanks, if I helped give me rep!
 
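A check worth running on the sysctl.conf from step 1 before `sysctl -p`. This is an added example and not part of the original post: it reads a constructed sysctl.conf excerpt (not the full file above) that reproduces two problems the posted file had, a key set twice with different values and a port range ending above 65535, and reports the value the kernel would actually keep. The sample text and the function names are this example's own.

```sh
#!/bin/sh
# The kernel applies sysctl.conf top to bottom: a key listed twice ends up with the LAST
# value, and a value outside the kernel's range makes `sysctl -p` report an error for
# that line and skip it. These helpers find both problems before the file is loaded.

# Constructed excerpt (not the page's full file) with both problems: log_martians set to
# 0 and later to 1, and a port range whose upper bound 65536 does not fit in 16 bits.
SAMPLE_SYSCTL='# Kernel sysctl configuration file
net.ipv4.conf.all.log_martians = 0
net.ipv4.tcp_syncookies = 1

net.ipv4.conf.all.log_martians = 1
net.ipv4.ip_local_port_range = 16384 65536'

# sysctl_conflicts: read a sysctl.conf on stdin, print "<key> <first value> <last value>"
# for every key that appears more than once with different values (sorted by key).
sysctl_conflicts() {
    awk -F'=' '/^[ \t]*[#;]/ { next } /^[ \t]*$/ { next }
        { key = $1; val = $2
          gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
          if (!(key in first)) first[key] = val
          else if (val != first[key]) last[key] = val }
        END { for (k in last) print k, first[k], last[k] }' | sort
}

# sysctl_effective KEY: the value the kernel holds for KEY after `sysctl -p` (last wins).
# Prints an empty line when the key is not in the file.
sysctl_effective() {
    awk -F'=' -v k="$1" '/^[ \t]*[#;]/ { next } /^[ \t]*$/ { next }
        { key = $1; val = $2
          gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
          if (key == k) v = val }
        END { print v }'
}

# port_range_ok "LOW HIGH": succeeds only if both numbers lie in 1..65535 and LOW is
# below HIGH; anything above 65535 is rejected by the kernel for ip_local_port_range.
port_range_ok() {
    set -- $1
    [ "$#" -eq 2 ] || return 1
    [ "$1" -ge 1 ] && [ "$1" -lt "$2" ] && [ "$2" -le 65535 ]
}

# Usage with the constructed sample.
printf '%s\n' "$SAMPLE_SYSCTL" | sysctl_conflicts
range=$(printf '%s\n' "$SAMPLE_SYSCTL" | sysctl_effective net.ipv4.ip_local_port_range)
port_range_ok "$range" || echo "net.ipv4.ip_local_port_range = $range is out of range"
```

To check a real file, replace the `printf` with `cat /etc/sysctl.conf`. A reported conflict means the earlier line is dead and only the later value takes effect.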
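The connection count that ddos.sh and the netstat one-liner in the FINAL section rely on, written out as a small shell script. This is an added example, not code from the original post nor from DDoS Deflate or APF: the netstat lines it reads are constructed sample data, the threshold and ignore list are made-up parameters, and the `apf -d` commands are printed rather than executed.

```sh
#!/bin/sh
# Flood detection the way ddos.sh does it: count connections per remote address, flag the
# addresses at or above NO_OF_CONNECTIONS, skip those in the ignore list, and emit the
# apf -d command for each. Commands are printed, not run, so this is a dry run.

# Constructed sample of `netstat -ntu` output (not captured from a real server). Column 5
# is the foreign address; 203.0.113.10 holds three connections, the others one or two.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:7171           203.0.113.10:51234      ESTABLISHED
tcp        0      0 10.0.0.5:7171           203.0.113.10:51235      ESTABLISHED
tcp        0      0 10.0.0.5:7171           203.0.113.10:51236      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:40001      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:40002      ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.44:40003        TIME_WAIT
tcp6       0      0 2001:db8::5:80          2001:db8:1::9:40004     ESTABLISHED
udp        0      0 10.0.0.5:53             192.0.2.44:5353         ESTABLISHED'

# count_conns: read netstat -ntu output on stdin, print "<count> <address>" per remote
# address, lowest count first. Only the trailing ":port" is stripped, so IPv6 addresses
# (which contain colons themselves) are counted whole instead of being cut at the first colon.
count_conns() {
    awk '$5 ~ /:[0-9]+$/ { ip = $5; sub(/:[0-9]+$/, "", ip); n[ip]++ }
         END { for (ip in n) print n[ip], ip }' | sort -n -k1,1
}

# flagged_ips THRESHOLD "IGNORE LIST": addresses with THRESHOLD or more connections,
# except those in the space-separated ignore list (the job ignore.ip.list does in ddos.sh).
flagged_ips() {
    count_conns | awk -v t="$1" -v ign="$2" '
        BEGIN { k = split(ign, a, " "); for (i = 1; i <= k; i++) skip[a[i]] = 1 }
        $1 >= t && !($2 in skip) { print $2 }'
}

# ban_cmds THRESHOLD "IGNORE LIST": print the APF deny command for each flagged address.
# Pipe the output into sh only after reading it.
ban_cmds() {
    flagged_ips "$1" "$2" | while read -r ip; do
        printf '/usr/local/sbin/apf -d %s "%s connections or more"\n' "$ip" "$1"
    done
}

# Usage with the constructed sample: threshold 3, never ban the monitoring host.
printf '%s\n' "$SAMPLE_NETSTAT" | ban_cmds 3 "198.51.100.7"
```

On a live server replace the `printf` with `netstat -ntu`. Note that the page's `cut -d: -f1` one-liner turns every IPv6 peer into the same first hextet, so their counts merge; the regex strip above keeps them apart.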
To be noted: it still won't fix the problem of flooding up the entire bandwidth.
 
But I use it and it works! It's perfect, so I shared it here!
 
If you have a dedi with 100 Mbit up/down and I've got the ability to flood with 110 Mbit, you're down way too easily.
As said, real protection should be in the backbone of your network since they have the ability to withstand many Gbits of bandwidth.
 
You're right, but I always use 100 Mbit and use this method and I am protected against that! I have not got any flood attacks; maybe I am lucky not to get them :D but really this method helped me a lot and I find more IPs attacking me! Maybe they are not experienced, but they try and fail.
 