Installing the anti-DDoS tool DDoS-Deflate on CentOS
DDoS-Deflate is a very small tool for defending against and mitigating DDoS attacks. It monitors netstat to track the IP addresses that open a large number of connections, then blocks those abnormal IP addresses via APF or iptables.
We can use the netstat command to view the current connection state of the system and check whether it is under a DDoS attack:
[root@localhost ~]# netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
Check the status of iptables:
[root@localhost ~]# service iptables status
表格:filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:3306
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:58416
8    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
Installing DDoS-Deflate
[root@localhost ~]# wget http://www.inetbase.com/scripts/ddos/install.sh
[root@localhost ~]# chmod +x install.sh
[root@localhost ~]# ./install.sh
Installing DOS-Deflate 0.6
Downloading source files....
.....done
Creating cron to run script every minute.....(Default setting).....done
Installation has completed.
Config file is at /usr/local/ddos/ddos.conf
Please send in your comments and/or suggestions to zaf@vsnl.com
DOS-Deflate is now installed.
Uninstalling DOS-Deflate
wget http://www.inetbase.com/scripts/ddos/uninstall.ddos
chmod 0700 uninstall.ddos
./uninstall.ddos
Description of the DOS-Deflate files:
[root@localhost ~]# cd /usr/local/ddos/
[root@localhost ddos]# ll
總用量 4
-rw-r--r-- 1 root root   971 1月  10 2006 ddos.conf
-rwxr-xr-x 1 root root  3945 1月  10 2006 ddos.sh
-rw-r--r-- 1 root root    10 1月  10 2006 ignore.ip.list
-rw-r--r-- 1 root root 10113 1月  10 2006 LICENSE
After DOS-Deflate is installed, all of its files are located in the /usr/local/ddos directory.
File descriptions:
ddos.conf -- the DDoS-Deflate configuration file, which controls the various behaviours used when defending against DDoS
ddos.sh -- the main DDoS-Deflate program, written in shell; it holds all of the program's functional modules
ignore.ip.list -- the whitelist; IPs in this file are not blocked by DDoS-Deflate even when they exceed the configured connection count
LICENSE -- the licence under which DDoS-Deflate is distributed
Configuring ddos.conf
[root@localhost ddos]# cat ddos.conf
##### Paths of the script and other files # the config file is itself a shell script
PROGDIR="/usr/local/ddos"
PROG="/usr/local/ddos/ddos.sh"
IGNORE_IP_LIST="/usr/local/ddos/ignore.ip.list" # file holding the whitelist
CRON="/etc/cron.d/ddos.cron" # cron job; by default ddos.sh runs once a minute
APF="/etc/apf/apf"
IPT="/sbin/iptables"
##### frequency in minutes for running the script
##### Caution: Every time this setting is changed, run the script with --cron
#####          option so that the new frequency takes effect
FREQ=1  # DDoS-Deflate is run by Linux cron, once a minute by default
##### How many connections define a bad IP? Indicate that below.
NO_OF_CONNECTIONS=150 # how many connections from a single IP count as a DDoS attack
##### APF_BAN=1 (Make sure your APF version is at least 0.96)
##### APF_BAN=0 (Uses iptables for banning ips instead of APF)
APF_BAN=0  # "0" here means iptables is used rather than APF
##### KILL=0 (Bad IPs aren't banned, good for interactive execution of script)
##### KILL=1 (Recommended setting)
KILL=1  # whether to block IPs identified as DDoS attackers; "1" blocks them
##### An email is sent to the following address when an IP is banned.
##### Blank would suppress sending of mails
EMAIL_TO="xxxxx@ithov.com"  # email address of the person to notify
##### Number of seconds the banned ip should remain in blacklist.
BAN_PERIOD=600 # how long an IP identified as a DDoS attacker is blocked from talking to this host, 600 seconds by default
Users can adjust the configuration file according to the commented hints in the default configuration file.
Look at line 117 of /usr/local/ddos/ddos.sh:
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr > $BAD_IP_LIST
Change it to the following so that non-IP fields from netstat's header lines (the "Address" and "servers)" entries seen in the output above) are filtered out:
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sed -n '/[0-9]/p' | sort | uniq -c | sort -nr > $BAD_IP_LIST
If you like tinkering, you can test the effect with a web stress-testing tool. DDoS-Deflate should be able to fend off part of a DDoS attack for your VPS or server and give your website more protection.
Usage of ddos.sh (from its help output):
[root@localhost ddos]# ./ddos.sh -h
DDoS-Deflate version 0.6
Copyright (C) 2005, Zaf <zaf@vsnl.com>
Usage: ddos.sh [OPTIONS] [N]
N : number of tcp/udp connections (default 150)
OPTIONS:
-h | --help: Show this help screen
-c | --cron: Create cron job to run this script regularly (default 1 mins)
-k | --kill: Block the offending ip making more than N connections
Testing the anti-DDoS effect
NO_OF_CONNECTIONS=3
# Set to 3 here to make testing easy. In production, tens to hundreds of connections can be considered normal; thousands are certainly abnormal, unless they are communication between the application's own servers.
Connect to the server over SSH from a machine with a fixed IP. Once the number of connections exceeds 3 or more, the connection does not drop immediately, because ddos.sh runs once a minute by default; within less than a minute you will find that the connection has been dropped, and on the server running the anti-DDoS software you can see that a new rule has appeared in the iptables policy:
DROP all -- 31.210.16.29.broad.cs.gd.dynamic.163data.com.cn anywhere
This shows that it does take effect; after 10 minutes this iptables rule is removed.
You can view the number of connections per IP, sorted in order, with the following command:
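As an added example (not from the original post or from the DDoS-Deflate project), the following POSIX shell script reproduces the per-IP counting pipeline from line 117 of ddos.sh with the sed fix above, applies the NO_OF_CONNECTIONS threshold and the ignore.ip.list whitelist, and prints the iptables DROP command that would be inserted instead of executing it. The netstat output and the whitelist are constructed samples; the exact form of the ban command is an assumption based on the DROP rule shown above.

```shell
#!/bin/sh
# Constructed sample of `netstat -ntu` output (not captured from a real host).
# 203.0.113.7 opens 5 connections, 192.0.2.10 opens 5, 198.51.100.9 opens 1.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51000       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51001       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51002       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51003       ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.9:40000      ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.10:60000        ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.10:60001        ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.10:60002        ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.10:60003        ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.10:60004        ESTABLISHED
udp        0      0 10.0.0.5:53             203.0.113.7:5353        ESTABLISHED'

# Constructed whitelist in the format of ignore.ip.list: one IP per line.
# 192.0.2.10 stands in for the admin's fixed-IP SSH host from the test above.
IGNORE_LIST='192.0.2.10'

# count_connections: the line-117 pipeline plus the sed filter from the post,
# so header fields such as "Address" and "servers)" never reach uniq -c.
count_connections() {
    printf '%s\n' "$SAMPLE_NETSTAT" | awk '{print $5}' | cut -d: -f1 \
        | sed -n '/[0-9]/p' | sort | uniq -c | sort -nr
}

# offenders N: IPs with more than N connections that are not whitelisted
# (N plays the role of NO_OF_CONNECTIONS in ddos.conf).
offenders() {
    threshold="$1"
    count_connections | while read -r count ip; do
        [ "$count" -gt "$threshold" ] || continue
        printf '%s\n' "$IGNORE_LIST" | grep -qx "$ip" && continue
        echo "$ip"
    done
}

# ban_commands N: the iptables rule for each offender (APF_BAN=0 means
# iptables, as in ddos.conf), printed as a dry run rather than executed.
# The exact rule is assumed from the DROP entry the post observes.
ban_commands() {
    offenders "$1" | while read -r ip; do
        echo "/sbin/iptables -I INPUT -s $ip -j DROP"
    done
}
```

With the threshold of 3 used in the test above, only 203.0.113.7 is reported; 192.0.2.10 also exceeds it but is skipped because it is on the whitelist.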
netstat -na|grep ESTABLISHED|awk '{print $5}'|awk -F: '{print $1}'|sort|uniq -c|sort -r -n
..............
     40 127.0.0.1
      1 121.9.252.28
      1 173.117.140.69
DDoS attacks are very common and very effective, for example the large-scale attack some time ago triggered by the Wiki founder.
It is best to have dedicated anti-DDoS hardware; if you have none, using DDoS-Deflate together with iptables to defend against DDoS attacks to a certain extent is also a good strategy.
This article was reposted from http://www.ithov.com/linux/134939.shtml