Posted by 努力小伙 on 2011-12-21 08:43

Installing and using the anti-DDoS tool DDoS-Deflate

&nbsp;&nbsp;&nbsp; DDoS-Deflate looks at the number of connections held by each individual IP address to decide whether that traffic is part of a DDoS attack. When an IP is classified as attacking, it calls iptables to block that IP for a period of time, which mitigates the attack. Keep in mind what this implies: the decision is per source address only, so many clients behind one NAT address look like a single source, while an attack spread thinly across many addresses never reaches the threshold at all.<br><br>Configuring DDoS-Deflate is simple and straightforward.<br><br><b>(I) Installing DDoS-Deflate</b><br><br><b>(1)</b> Download the install script<br><br><div id="codeText" class="codeText"><ol style="margin:0 1px 0 0;padding:5px 0;" start="1" class="dp-css"><li>wget http://www.inetbase.com/scripts/ddos/install.sh</li></ol></div><br>The script is fetched over plain HTTP and is about to run as root (it writes to /usr/local/ddos and /etc/cron.d), so read through it before executing it. The file wget saves is not executable, so either chmod +x it or start it with sh install.sh.<br><br><b>(2)</b> Install DDoS-Deflate<br><br><div id="codeText" class="codeText"><ol style="margin:0 1px 0 0;padding:5px 0;" start="1" class="dp-css"><li>./install.sh</li></ol>.....the installation output follows; it is quick....<br>Installing DOS-Deflate 0.6<br><br><br>Downloading source files.........done<br><br>Creating cron to run script every minute.....(Default setting)<br><br>....then the license text is printed....<br>....<br><br>That is all it takes; DDoS-Deflate is installed.<br><br></div><b>(II) Configuration and use</b><br><br><b>(1)</b> Where DDoS-Deflate puts its files<br><br>Once installed, everything lives under /usr/local/ddos/ by default<br><br><div id="codeText" class="codeText"><ol style="margin:0 1px 0 0;padding:5px 0;" start="1" class="dp-css"><li># pwd<br>/usr/local/ddos</li><li># ls<br>ddos.conf&nbsp; ddos.sh&nbsp; ignore.ip.list&nbsp; LICENSE</li></ol><br>What the files are:<br>ddos.conf -- the DDoS-Deflate configuration file; every aspect of the anti-DDoS behaviour is set here<br>ddos.sh&nbsp;&nbsp; -- the main DDoS-Deflate program, written in shell; all of the functionality is in this one script<br>ignore.ip.list -- the whitelist; an IP listed in this file is not blocked by DDoS-Deflate even when it exceeds the configured connection count<br>LICENSE&nbsp;&nbsp; -- the license DDoS-Deflate is distributed under<br><br></div><br><b>(2)</b> Configure ddos.conf<br><br><div id="codeText" class="codeText"><ol style="margin:0 1px 0 0;padding:5px 0;" start="1" class="dp-css"><li>##### Paths of the script and other files&nbsp;&nbsp;&nbsp; # the config file is itself a shell script</li><li>PROGDIR="/usr/local/ddos"</li><li>PROG="/usr/local/ddos/ddos.sh"</li><li>IGNORE_IP_LIST="/usr/local/ddos/ignore.ip.list"&nbsp;&nbsp;&nbsp; # the whitelist file</li><li>CRON="/etc/cron.d/ddos.cron"&nbsp;&nbsp;&nbsp; # the cron job; by default it runs ddos.sh once a minute</li><li>APF="/etc/apf/apf"</li><li>IPT="/sbin/iptables"</li><li>&nbsp;</li><li>##### frequency in minutes for running the script</li><li>##### Caution: Every time this setting is changed, run the script with --cron</li><li>#####&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; option so that the new frequency takes effect</li><li>FREQ=1&nbsp;&nbsp;&nbsp; # DDoS-Deflate is driven by a Linux cron job; the default is once a minute</li><li>&nbsp;</li><li>##### How many connections define a bad IP? Indicate that below.</li><li>NO_OF_CONNECTIONS=150&nbsp;&nbsp;&nbsp; # how many connections from a single IP are treated as a DDoS attack</li><li>&nbsp;</li><li>##### APF_BAN=1 (Make sure your APF version is at least 0.96)</li><li>##### APF_BAN=0 (Uses iptables for banning ips instead of APF)</li><li>APF_BAN=0&nbsp;&nbsp;&nbsp; # "0" here means use iptables rather than APF</li><li>&nbsp;</li><li>##### KILL=0 (Bad IPs aren't banned, good for interactive execution of script)</li><li>##### KILL=1 (Recommended setting)</li><li>KILL=1&nbsp;&nbsp;&nbsp; # whether to block IPs classified as DDoS attackers; "1" blocks them</li><li>&nbsp;</li><li>##### An email is sent to the following address when an IP is banned.</li><li>##### Blank would suppress sending of mails</li><li>EMAIL_TO="xyzblood@163.com"&nbsp;&nbsp;&nbsp; # address that receives the notification mail</li><li>&nbsp;</li><li>##### Number of seconds the banned ip should remain in blacklist.</li><li>BAN_PERIOD=600&nbsp;&nbsp;&nbsp; # how long an IP classified as an attacker is cut off from this host; default 600 seconds</li></ol></div><br>Two things to check here. APF_BAN must stay at 0 unless APF really is installed at the path in APF; with APF_BAN=1 and no APF binary nothing gets banned. And NO_OF_CONNECTIONS is compared against all tcp/udp connections a source holds (the -h text below says "number of tcp/udp connections"), not only established ones, so size it against what your busiest legitimate client, or a whole office behind one NAT address, actually opens.<br><br><b>(3)</b> Using ddos.sh<br><br><div id="codeText" class="codeText"><ol style="margin:0 1px 0 0;padding:5px 0;" start="1" class="dp-css"><li>Use the "-h" option to print the options the command provides and a short description of each</li><li>Because installation already ran ./ddos.sh --cron for us, there is nothing more we need to do</li><li># ./ddos.sh -h<br>DDoS-Deflate version 0.6<br>Copyright (C) 2005, Zaf &lt;zaf@vsnl.com&gt;<br><br>Usage: ddos.sh<br>N : number of tcp/udp&nbsp;&nbsp; connections (default 150)<br>OPTIONS:<br>-h | --help: Show&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; this help screen<br>-c | --cron: Create cron job to run this script regularly (default 1 mins)<br>-k | --kill: Block the offending ip making more than N connections</li></ol></div><b>(4)</b> Testing the anti-DDoS effect<br><br><div id="codeText" class="codeText"><ol style="margin:0 1px 0 0;padding:5px 0;" start="1" class="dp-css"><li>NO_OF_CONNECTIONS=3&nbsp;&nbsp;&nbsp;&nbsp; # set to 3 here only to make testing easy. In production, a few dozen to a few hundred connections can be considered normal, while thousands certainly are not, unless it is traffic between your own application servers</li></ol></div>SSH into the server from a machine with a fixed IP. Once more than 3 connections are open, they are not refused straight away, because ddos.sh runs only once a minute by default; within the minute the sessions drop, and on the server running DDoS-Deflate the iptables policy has gained a rule:<br><br><div id="codeText" class="codeText"><ol style="margin:0 1px 0 0;padding:5px 0;" start="1" class="dp-css"><li>DROP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; all&nbsp; --&nbsp; 31.210.16.29.broad.cs.gd.dynamic.163data.com.cn&nbsp;&nbsp;&nbsp; anywhere</li></ol></div>That shows it really works; after 10 minutes (BAN_PERIOD=600) the rule is removed from iptables again.<br><br>Two notes on this test. The source column shows a reverse-DNS name because plain iptables -L resolves addresses; iptables -nL INPUT prints the raw IP and does not stall on DNS. And if you run the test from the only address you can administer the box from, you lock yourself out for BAN_PERIOD seconds: either keep your admin address in ignore.ip.list and test from a second one, or set KILL=0 and run ./ddos.sh by hand first to see which IPs would be banned without actually banning them.<br><br><b>(5)</b> To see how many connections each IP holds, ranked highest first, run:<br><br><div id="codeText" class="codeText"><ol style="margin:0 1px 0 0;padding:5px 0;" start="1" class="dp-css"><li>netstat -na|grep ESTABLISHED|awk '{print $5}'|awk -F: '{print $1}'|sort|uniq -c|sort -r -n</li><li>..............</li></ol>&nbsp;&nbsp;&nbsp;&nbsp; 40 127.0.0.1<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1 121.9.252.28<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1 173.117.140.69<br></div>This counts ESTABLISHED connections only, so its figure can be lower than the one ddos.sh compares against the threshold, and the awk -F: split truncates IPv6 addresses at their first colon.<br><br><b>(III) Afterword</b><br>DDoS attacks are very common and very effective, for example the large-scale attack a while back set off over the WikiLeaks founder.<br>Dedicated anti-DDoS hardware is best if you have it; if not, using DDoS-Deflate together with iptables to defend against DDoS to a certain extent is also a good strategy. "To a certain extent" is the honest limit: it only counts connections per source, so it helps against connection floods from a handful of addresses and does nothing about traffic that saturates the link before it reaches the host.<br>
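As an added worked example (my code, not DDoS-Deflate's own ddos.sh), the POSIX shell script below reproduces the check that sections (2), (4) and (5) describe: count connections per remote IP from netstat-style output, skip addresses listed in ignore.ip.list, flag those above NO_OF_CONNECTIONS, and print the iptables rules that would be applied instead of running them, which is what KILL=0 gives you. The netstat lines and the whitelist are constructed inline so it runs offline; the exact rule shape and the sleep-then-delete unban are assumptions about what the real script does, not copied from it.

```shell
#!/bin/sh
# Added example: the per-source-IP check DDoS-Deflate performs, run over a
# constructed sample so it works offline. Not the project's own code.

# Constructed sample in the shape of `netstat -ntu` output (remote address in $5).
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:22             203.0.113.10:51234      ESTABLISHED
tcp        0      0 10.0.0.5:22             203.0.113.10:51235      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.10:51236      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.10:51237      TIME_WAIT
tcp        0      0 10.0.0.5:80             198.51.100.7:40001      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:40002      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:40003      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:40004      ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.44:3333         ESTABLISHED
udp        0      0 10.0.0.5:53             192.0.2.44:3334         ESTABLISHED'

# Constructed whitelist in ignore.ip.list format: one IP per line.
# 203.0.113.10 is the "admin" address that must never be banned.
IGNORE_LIST='127.0.0.1
203.0.113.10'

NO_OF_CONNECTIONS=3   # same knob as ddos.conf; kept low so the sample trips it
BAN_PERIOD=600        # seconds a ban lasts, as in ddos.conf
IPT=/sbin/iptables    # assumed path, as in ddos.conf

# count_connections: reads netstat text on stdin, prints "COUNT IP" per remote
# address, highest count first. Every tcp/udp line counts, whatever its state,
# which is the figure the threshold is compared against. Like the page's own
# one-liner, the cut on ':' truncates IPv6 addresses (known limitation).
count_connections() {
    awk '$1 ~ /^(tcp|udp)/ {print $5}' | cut -d: -f1 | sort | uniq -c \
        | sort -nr | awk '{print $1, $2}'
}

# bad_ips NETSTAT_TEXT THRESHOLD WHITELIST_TEXT
# Prints the IPs holding more than THRESHOLD connections that are not whitelisted.
bad_ips() {
    printf '%s\n' "$1" | count_connections | while read -r count ip; do
        [ "$count" -gt "$2" ] || continue
        # exact whole-line match against the whitelist (no prefix matching)
        if printf '%s\n' "$3" | grep -qx "$ip"; then
            continue
        fi
        echo "$ip"
    done
}

# ban_commands NETSTAT_TEXT THRESHOLD WHITELIST_TEXT
# Prints, rather than runs, the rules a KILL=1/APF_BAN=0 run would apply and
# the matching removal after BAN_PERIOD seconds (assumed shape, dry run only).
ban_commands() {
    bad_ips "$1" "$2" "$3" | while read -r ip; do
        echo "$IPT -I INPUT -s $ip -j DROP"
        echo "sleep $BAN_PERIOD && $IPT -D INPUT -s $ip -j DROP"
    done
}

# Dry run over the sample: 203.0.113.10 holds 4 connections but is whitelisted,
# 198.51.100.7 holds 4 and gets banned, 192.0.2.44 holds 2 and is left alone.
ban_commands "$SAMPLE_NETSTAT" "$NO_OF_CONNECTIONS" "$IGNORE_LIST"
```

Swap the constructed SAMPLE_NETSTAT for `"$(netstat -ntu)"` and IGNORE_LIST for `"$(cat /usr/local/ddos/ignore.ip.list)"` to run the same dry run against a live host before turning KILL on; the output is exactly the list of addresses the cron job would cut off on its next pass.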