A record of a CC attack, and modifying DDoS Deflate to deal with it

Keywords: firewall iptables shell Nginx

The story begins on March 30, with what was presumably a peer company launching an attack on the company's website.
The attack started at 4 p.m.; the attacking addresses even included Alibaba Cloud IPs. Infuriating. I want to file a complaint.

Now on to how to deal with it. First, see which remote addresses hold the most connections:

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

Damn. Some bastard has been hammering this page: 2800 concurrent connections.
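As an added example that is not part of the original post: the one-liner above counts connections per remote address with `cut -d: -f1`, which returns an empty string for IPv6 peers and lumps them together. The version below strips only the trailing `:port`, so both address families are counted correctly, and it applies a threshold the way NO_OF_CONNECTIONS in ddos.conf does. The function and variable names are mine, and the netstat output is a constructed sample, not real traffic.

```shell
# Added example, not from the original post.  Reads `netstat -ntu` style
# output on stdin and prints "count ip", most connections first, handling
# IPv6 peers that the post's `cut -d: -f1` would mangle.
count_conns() {
    awk 'NR > 2 && NF >= 5 {
             addr = $5
             sub(/:[0-9]+$/, "", addr)   # drop only the trailing :port, IPv4 or IPv6
             counts[addr]++
         }
         END { for (a in counts) print counts[a], a }' |
    sort -nr
}

# Print only the addresses at or above a threshold (same idea as
# NO_OF_CONNECTIONS in ddos.conf).
over_threshold() {
    count_conns | awk -v t="$1" '$1 >= t { print $2 }'
}

# Constructed sample of `netstat -ntu` output, header lines included as
# netstat prints them.  Not captured from a real host.
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.9:50211       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.9:50212       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.9:50213       ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.4:40001      ESTABLISHED
tcp6       0      0 2001:db8::1:80          2001:db8::abcd:60000    ESTABLISHED
tcp6       0      0 2001:db8::1:80          2001:db8::abcd:60001    ESTABLISHED'

# Helpers that run the two functions over the sample.  On a live host you
# would pipe `netstat -ntu` into count_conns or over_threshold instead.
sample_top() {
    printf '%s\n' "$SAMPLE" | count_conns | head -n 1
}

sample_over() {
    printf '%s\n' "$SAMPLE" | over_threshold "$1"
}

sample_top      # 3 203.0.113.9
```

With this parsing the IPv6 peer 2001:db8::abcd shows up as its own entry with 2 connections instead of disappearing into an empty key.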

First, block his IP in the firewall:

iptables -I INPUT -s 1.2.3.4 -j DROP

Five names go on. Then think about how to guard against this next time.

1. First, we found the open-source DDoS Deflate script, which mitigates this somewhat.
Switch to the superuser and run:

wget http://www.inetbase.com/scripts/ddos/install.sh   # download DDoS Deflate
chmod 0700 install.sh    # make it executable
./install.sh             # run the installer

The install path is /usr/local/ddos/. After installation a ddos.cron file is added to /etc/cron.d/ automatically.
We don't have to worry about that.

2. ddos.sh automatically adds every banned address to the whitelist (ignore.ip.list). I think that if you then accidentally delete the DROP rule from the iptables INPUT chain, the attacker's IP gets back in and is never banned again. So we change the source of ddos.sh.

3. Modify the configuration file ddos.conf

##### Paths of the script and other files
PROGDIR="/usr/local/ddos"
PROG="/usr/local/ddos/ddos.sh"
IGNORE_IP_LIST="/usr/local/ddos/ignore.ip.list"  # IP address whitelist
CRON="/etc/cron.d/ddos.cron"    # cron entry for scheduled execution
APF="/etc/apf/apf"
IPT="/sbin/iptables"

##### frequency in minutes for running the script
##### Caution: Every time this setting is changed, run the script with --cron
#####          option so that the new frequency takes effect
FREQ=1   # check interval in minutes; the default is 1 (after changing it, run /usr/local/ddos/ddos.sh -c by hand to regenerate the ddos.cron timing file)

##### How many connections define a bad IP? Indicate that below.
NO_OF_CONNECTIONS=150     # maximum connections per IP; above this the IP is blocked. The default is generally fine

##### APF_BAN=1 (Make sure your APF version is atleast 0.96)
##### APF_BAN=0 (Uses iptables for banning ips instead of APF)
APF_BAN=0       # I set this to 0 here: block through the firewall (iptables) rather than APF

##### KILL=0 (Bad IPs are'nt banned, good for interactive execution of script)
##### KILL=1 (Recommended setting)
KILL=1   # whether to actually block IPs; the default is fine

##### An email is sent to the following address when an IP is banned.
##### Blank would suppress sending of mails
EMAIL_TO="root"   # mailbox to notify when an IP is blocked. Recommended; change it to your own address (you must have mail sending set up for this to work, which will be discussed later)

##### Number of seconds the banned ip should remain in blacklist.
BAN_PERIOD=600    # how long an IP stays blocked, 600 seconds by default; adjust to suit

You can adjust the configuration file according to the comments in the default file.

ddos.sh source code (after our changes)

#!/bin/sh
##############################################################################
# DDoS-Deflate version 0.6 Author: Zaf <zaf@vsnl.com>                        #
##############################################################################
# This program is distributed under the "Artistic License" Agreement         #
#                                                                            #
# The LICENSE file is located in the same directory as this program. Please  #
#  read the LICENSE file before you make copies or distribute this program   #
##############################################################################
load_conf()
{
    CONF="/usr/local/ddos/ddos.conf"
    if [ -f "$CONF" ] && [ ! "$CONF" ==  "" ]; then
        source $CONF
    else
        head
        echo "\$CONF not found."
        exit 1
    fi
}

head()
{
    echo "DDoS-Deflate version 0.6"
    echo "Copyright (C) 2005, Zaf <zaf@vsnl.com>"
    echo
}

showhelp()
{
    head
    echo 'Usage: ddos.sh [OPTIONS] [N]'
    echo 'N : number of tcp/udp connections (default 150)'
    echo 'OPTIONS:'
    echo '-h | --help: Show this help screen'
    echo '-c | --cron: Create cron job to run this script regularly (default 1 mins)'
    echo '-k | --kill: Block the offending ip making more than N connections'
}

unbanip()
{
    UNBAN_SCRIPT=`mktemp /tmp/unban.XXXXXXXX`
    TMP_FILE=`mktemp /tmp/unban.XXXXXXXX`
    UNBAN_IP_LIST=`mktemp /tmp/unban.XXXXXXXX`
    echo '#!/bin/sh' > $UNBAN_SCRIPT
    echo "sleep $BAN_PERIOD" >> $UNBAN_SCRIPT
    if [ $APF_BAN -eq 1 ]; then
        while read line; do
            echo "$APF -u $line" >> $UNBAN_SCRIPT
            echo $line >> $UNBAN_IP_LIST
        done < $BANNED_IP_LIST
    else
        while read line; do
            echo "$IPT -D INPUT -s $line -j DROP" >> $UNBAN_SCRIPT
            echo $line >> $UNBAN_IP_LIST
        done < $BANNED_IP_LIST
    fi
    echo "grep -v --file=$UNBAN_IP_LIST $IGNORE_IP_LIST > $TMP_FILE" >> $UNBAN_SCRIPT
    echo "mv $TMP_FILE $IGNORE_IP_LIST" >> $UNBAN_SCRIPT
    echo "rm -f $UNBAN_SCRIPT" >> $UNBAN_SCRIPT
    echo "rm -f $UNBAN_IP_LIST" >> $UNBAN_SCRIPT
    echo "rm -f $TMP_FILE" >> $UNBAN_SCRIPT
    . $UNBAN_SCRIPT &
}

add_to_cron()
{
    rm -f $CRON
    sleep 1
    service crond restart
    sleep 1
    echo "SHELL=/bin/sh" > $CRON
    if [ $FREQ -le 2 ]; then
        echo "0-59/$FREQ * * * * root /usr/local/ddos/ddos.sh >/dev/null 2>&1" >> $CRON
    else
        let "START_MINUTE = $RANDOM % ($FREQ - 1)"
        let "START_MINUTE = $START_MINUTE + 1"
        let "END_MINUTE = 60 - $FREQ + $START_MINUTE"
        echo "$START_MINUTE-$END_MINUTE/$FREQ * * * * root /usr/local/ddos/ddos.sh >/dev/null 2>&1" >> $CRON
    fi
    service crond restart
}


load_conf
while [ $1 ]; do
    case $1 in
        '-h' | '--help' | '?' )
            showhelp
            exit
            ;;
        '--cron' | '-c' )
            add_to_cron
            exit
            ;;
        '--kill' | '-k' )
            KILL=1
            ;;
         *[0-9]* )
            NO_OF_CONNECTIONS=$1
            ;;
        * )
            showhelp
            exit
            ;;
    esac
    shift
done

TMP_PREFIX='/tmp/ddos'
TMP_FILE="mktemp $TMP_PREFIX.XXXXXXXX"
BANNED_IP_MAIL=`$TMP_FILE`
BANNED_IP_LIST=`$TMP_FILE`
IPTABLES_LIST=`$TMP_FILE` #New firewall list file
echo "Banned the following ip addresses on `date`" > $BANNED_IP_MAIL
echo >> $BANNED_IP_MAIL
BAD_IP_LIST=`$TMP_FILE`
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr > $BAD_IP_LIST
cat $BAD_IP_LIST

echo '***************************'   # quoted: an unquoted run of * is a glob and would print file names
$IPT -L -n > $IPTABLES_LIST
cat $IPTABLES_LIST
if [ $KILL -eq 1 ]; then
    IP_BAN_NOW=0
    while read line; do
        CURR_LINE_CONN=$(echo $line | cut -d" " -f1)
        CURR_LINE_IP=$(echo $line | cut -d" " -f2)
        if [ $CURR_LINE_CONN -lt $NO_OF_CONNECTIONS ]; then
            break
        fi

        IGNORE_BAN=`grep -c $CURR_LINE_IP $IGNORE_IP_LIST`
        if [ $IGNORE_BAN -ge 1 ]; then
            continue
        fi
        # Check whether this IP already has a rule in the firewall listing
        IPTABLES_EXSISTS=`grep -c $CURR_LINE_IP $IPTABLES_LIST`
        # If it is already there, skip it: no further processing
        #echo $IPTABLES_EXSISTS
        if [ $IPTABLES_EXSISTS -ge 1 ]; then
            continue
        fi
        IP_BAN_NOW=1
        echo "$CURR_LINE_IP with $CURR_LINE_CONN connections" >> $BANNED_IP_MAIL
        echo $CURR_LINE_IP >> $BANNED_IP_LIST
        # Removed: adding the banned IP to the ignore list meant that if the DROP rule
        # was deleted by hand, the attacker's IP could get back in next time and never be banned again
        # echo $CURR_LINE_IP >> $IGNORE_IP_LIST
        if [ $APF_BAN -eq 1 ]; then
            $APF -d $CURR_LINE_IP
        else
            $IPT -I INPUT -s $CURR_LINE_IP -j DROP
        fi
    done < $BAD_IP_LIST
    if [ $IP_BAN_NOW -eq 1 ]; then
        dt=`date`
        #No email
        #if [ $EMAIL_TO != "" ]; then
        #   cat $BANNED_IP_MAIL | mail -s "IP addresses banned on $dt" $EMAIL_TO
        #fi
        unbanip
    fi
fi
rm -f $TMP_PREFIX.*
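One caveat on the check added to the script above. Both `grep -c $CURR_LINE_IP $IPTABLES_LIST` and the original `grep -c $CURR_LINE_IP $IGNORE_IP_LIST` use the IP as a regular expression: each dot matches any character, and a shorter address matches inside a longer one, so 10.0.0.1 is reported as "already blocked" when only 10.0.0.10 is, and is then never banned. The following is an added example, not code from the post or from DDoS Deflate, showing that loose check beside an exact one. Function and variable names are mine; the iptables listing and ignore list are constructed samples, not from a real host.

```shell
# Added example, not from the post or from DDoS Deflate.  Compares the
# script's regex-style IP lookup with an exact field match.

# Constructed `iptables -L -n` output (not from a real host).
IPTABLES_SAMPLE='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  10.0.0.10            0.0.0.0/0
DROP       all  --  203.0.113.45         0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Constructed ignore.ip.list, one address per line.
IGNORE_SAMPLE='127.0.0.1
198.51.100.4'

# The loose check as the modified ddos.sh does it: prints how many listing
# lines the IP matches when used as a regex (non-zero means "skip this IP").
loose_is_blocked() {
    printf '%s\n' "$IPTABLES_SAMPLE" | grep -c "$1" || true
}

# Exact check: prints 1 only if a DROP rule names exactly this source address
# (iptables may print it as a.b.c.d or a.b.c.d/32), otherwise 0.
exact_is_blocked() {
    printf '%s\n' "$IPTABLES_SAMPLE" |
    awk -v ip="$1" '$1 == "DROP" && ($4 == ip || $4 == (ip "/32")) { found = 1 }
                    END { print (found ? 1 : 0) }'
}

# Exact whole-line match against the ignore list: -F fixed string, -x whole line.
in_ignore_list() {
    printf '%s\n' "$IGNORE_SAMPLE" | grep -Fxc "$1" || true
}

loose_is_blocked 10.0.0.1   # 1: false positive, 10.0.0.1 would never be banned
exact_is_blocked 10.0.0.1   # 0
```

On a live host you would feed `$IPT -L -n` output and the real ignore.ip.list into these instead of the samples; in ddos.sh itself the smallest fix is `grep -Fxc "$CURR_LINE_IP" $IGNORE_IP_LIST` for the whitelist and an awk field match like the one above for the firewall listing.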

OK, next time I'll write up the other script: banning any IP that shows up a thousand times in the Nginx log.
Thanks for reading.

Posted by squizz on Fri, 03 Apr 2020 07:00:16 -0700