DDoS attack, short for Distributed Denial of Service attack. This is when a large number of infected computers (a botnet) send requests to a server until the server spends all its resources servicing them and becomes practically unreachable for real users. Attacks come in very different sizes; only a specialist and a hardware appliance such as Cisco Guard will save you from the large ones, and such a solution costs at least $1000 a month. But such attacks, thank God, are quite rare. Most often we see small attacks, usually run by schoolchildren (they are curious about everything). Building your own botnet is not hard, and a ready-made one can even be bought :). But even these small attacks can harm our web project. So what do we do when the attack is small and we do not want to pay a specialist a lot of money?
1. mod_evasive (formerly mod_dosevasive), an Apache module against HTTP DoS/DDoS and brute-force attacks
The module helps against small floods and DDoS attacks over HTTP: it counts requests per client IP and answers with 403 once a client exceeds the configured rate.
Installation is not complicated.
Download the archive:
wget www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
Now unpack it (the archive name must match what you downloaded; the old mod_dosevasive name is gone in 1.10.1):
tar zxvf mod_evasive_1.10.1.tar.gz
cd mod_evasive
Compile mod_evasive for Apache 2 (the Apache 2 source file is mod_evasive20.c; mod_evasive.c is for Apache 1.3):
/usr/local/apache/bin/apxs -i -a -c mod_evasive20.c
Replace /usr/local/apache with your own Apache path (find the tool with "whereis apache" or "which apxs apxs2"; on Debian/Ubuntu it is /usr/bin/apxs2 from the apache2-dev package).
Editing httpd.conf
The -a flag of apxs should already have added the LoadModule line; if it did not, add it yourself (I think you will see where; the path is relative to ServerRoot and must point to where apxs -i installed the .so):
LoadModule evasive20_module lib/apache2/modules/mod_evasive20.so
Next, at the end of the file (or in a separate file that httpd.conf includes):
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 15
DOSEmailNotify email@for-notify.com
# DOSSystemCommand "/sbin/iptables -A INPUT -p tcp --dport 80 -s %s -j REJECT"
- DOSHashTableSize: the size of the hash table in which the module tracks requests to the WWW server (one table per Apache child). A larger table uses more memory but keeps lookups fast on a busy server.
- DOSPageCount: the number of requests to the same page (URI) from the same IP allowed within DOSPageInterval.
- DOSSiteCount: the number of requests to all pages of the site from the same IP allowed within DOSSiteInterval; if more than 50 requests to different pages arrive from one IP in that interval, that IP is blocked. Keep in mind that every image, stylesheet and script on a page is a separate request, and that many users behind one NAT address share one IP, so values this low can block legitimate visitors; watch the error log for "Blacklisting address" entries and raise the limits if real users get 403s.
- DOSPageInterval: the interval for the DOSPageCount directive (in seconds).
- DOSSiteInterval: the interval for the DOSSiteCount directive (in seconds).
- DOSBlockingPeriod: how long a blocked IP stays blocked (in seconds). The module answers every request from it with 403 and restarts the timer on each such request, so a client that keeps hammering stays blocked.
- DOSEmailNotify: can be used for notifications; the module sends an e-mail saying that such-and-such IP has been blocked (it calls the local mail command, so mail must work on the server).
- DOSSystemCommand: a command to run when an IP is blocked. You can use it to add the IP to a firewall table, for example "/sbin/iptables -A INPUT -p tcp --dport 80 -s %s -j REJECT" (the module substitutes the blocked IP for %s). Note that the command runs as the Apache user (www-data, nobody, apache), which cannot change iptables rules by itself; give that user a narrowly scoped sudo rule for exactly this command, or have the command append the IP to a file that a privileged cron job turns into firewall rules. Leave the directive commented out or unset rather than giving it an empty string.
- DOSWhiteList: a list of IP addresses that are never blocked; wildcards in the trailing octets are allowed (e.g. 127.0.0.*). Whitelist your own monitoring and admin hosts before you start testing.
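To see whether the configuration above actually bites, here is an added check script. It is not part of the page and not the module's own test.pl, although it does the same thing: it fires a burst of requests at the server with curl and reports from which request onward the answer changed to 403. TARGET and REQUESTS are assumptions, and so is the assumption that the page normally answers 200. Run it from a host you can afford to get blocked for DOSBlockingPeriod seconds, or whitelist that host first.

```shell
#!/bin/sh
# Added check for mod_evasive; not from the original page or the module itself.
# Assumed: the server is reachable at $TARGET and mod_evasive answers 403 once
# DOSPageCount/DOSSiteCount is exceeded within the configured interval.
TARGET="${TARGET:-http://127.0.0.1/}"   # assumed test URL
REQUESTS="${REQUESTS:-100}"              # assumed burst size

# hammer: send $REQUESTS requests to $TARGET as fast as possible and print one
# HTTP status code per line (the same idea as the module's test.pl).
hammer() {
  i=0
  while [ "$i" -lt "$REQUESTS" ]; do
    curl -s -o /dev/null -w '%{http_code}\n' "$TARGET"
    i=$((i + 1))
  done
}

# summarize: read status codes on stdin and print "first_403 total_403 total";
# first_403 is 0 when the module never blocked during the burst.
summarize() {
  awk '
    { total++ }
    $1 == "403" { blocked++; if (!first) first = NR }
    END { printf "%d %d %d\n", first, blocked, total }'
}

# verdict: human-readable result, e.g. "blocked after 3 requests (98 of 100 returned 403)".
# Compare the first_403 number with DOSPageCount: with DOSPageCount 2 it should be 3.
verdict() {
  summary="$(summarize)"
  set -- $summary
  if [ "$1" -gt 0 ]; then
    echo "blocked after $1 requests ($2 of $3 returned 403)"
  else
    echo "not-blocked ($3 requests, no 403)"
  fi
}

# usage: TARGET=http://yourserver/ sh evasive-check.sh run
if [ "${1:-}" = "run" ]; then
  hammer | verdict
fi
```

If the verdict is "not-blocked", check that the LoadModule line is present (httpd -M lists the loaded modules) and that the DOS* directives are in a file the server really reads; if it blocks after far fewer requests than you expected, remember that DOSPageCount counts requests to the same URI, not to the site as a whole.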
2. The (D)DoS Deflate script
Just a script to protect against DDoS attacks. It works very simply: from cron it runs
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
and then blocks, with iptables, every IP whose number of connections exceeds the limit set in its configuration. Two things to keep in mind: the count includes every state netstat shows, TIME_WAIT included, so an address that made many short requests looks the same as one holding many open connections, and the cut at the first ":" mangles IPv6 addresses, so the script as written only makes sense for IPv4.
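What one cron run of the script amounts to, as an added example that is not the project's own code: count connections per remote address from netstat output, pick the addresses above a limit, and drop their traffic. The sample netstat output is constructed, not captured from a real host; the LIMIT default is an assumption; and unlike the one-liner above, the port is stripped with sed from the end of the address so IPv6 peers are counted correctly and handed to ip6tables.

```shell
#!/bin/sh
# Added example of what (D)DoS Deflate does each cron run. Not the project's code.
# Assumed: the netstat -ntu column layout shown in sample_netstat, and that
# blocking means "iptables -I INPUT -s ADDR -j DROP" (ip6tables for IPv6).
LIMIT="${LIMIT:-50}"         # connections per address before blocking (assumed)
DRY_RUN="${DRY_RUN:-1}"      # 1 = print the block commands, 0 = run them

# Constructed sample of "netstat -ntu" output (not from a real host):
# 12 connections from 198.51.100.7, 3 from 192.0.2.5, 1 from an IPv6 peer.
sample_netstat() {
  printf 'Active Internet connections (w/o servers)\n'
  printf 'Proto Recv-Q Send-Q Local Address           Foreign Address         State\n'
  i=0
  while [ "$i" -lt 12 ]; do
    printf 'tcp        0      0 203.0.113.10:80         198.51.100.7:%d      ESTABLISHED\n' $((50000 + i))
    i=$((i + 1))
  done
  printf 'tcp        0      0 203.0.113.10:80         192.0.2.5:40001         TIME_WAIT\n'
  printf 'tcp        0      0 203.0.113.10:80         192.0.2.5:40002         TIME_WAIT\n'
  printf 'tcp        0      0 203.0.113.10:80         192.0.2.5:40003         ESTABLISHED\n'
  printf 'tcp6       0      0 2001:db8::10:80         2001:db8::beef:60000    ESTABLISHED\n'
}

# count_connections: netstat output on stdin -> "count address", highest first.
# NR > 2 skips the two header lines; the sed strips only the trailing ":port",
# which keeps IPv6 addresses intact (cut -d: -f1 would reduce them to "2001").
count_connections() {
  awk 'NR > 2 { print $5 }' | sed 's/:[0-9]*$//' | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# offenders LIMIT: addresses with more than LIMIT connections, one per line
offenders() {
  count_connections | awk -v limit="$1" '$1 > limit { print $2 }'
}

# block ADDR: what the script does with an offender (drop all its traffic)
block() {
  case $1 in
    *:*) cmd="ip6tables" ;;
    *)   cmd="iptables" ;;
  esac
  if [ "$DRY_RUN" = "1" ]; then
    echo "$cmd -I INPUT -s $1 -j DROP"
  else
    "$cmd" -I INPUT -s "$1" -j DROP
  fi
}

# one cron run: sh deflate-run.sh run   (DRY_RUN=0 to really block, as root)
if [ "${1:-}" = "run" ]; then
  netstat -ntu | offenders "$LIMIT" | while read -r ip; do block "$ip"; done
fi
```

Before lowering LIMIT, run sample_netstat's real counterpart (netstat -ntu | count_connections) a few times during normal traffic: a busy office or a reverse proxy in front of the server will show up as one address with dozens of connections, and it should go on a whitelist rather than into INPUT as a DROP rule.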
3. A few rules for iptables
The original rules used the iplimit match; on current kernels it has been replaced by connlimit (--connlimit-above, --connlimit-mask), which is what is shown below. Note also that -A appends at the end of INPUT, so if an earlier rule already accepts port 80 (or ESTABLISHED traffic) the limit is never reached; insert the rule near the top with -I instead.
Maximum 10 connections from one IP:
iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 10 -j REJECT
Drop new connections (SYN) from an IP that already holds more than 10:
iptables -I INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 10 -j DROP
Maximum 40 connections from one /24 subnet:
iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 40 --connlimit-mask 24 -j REJECT
If the attack consists of one odd request repeated over and over, it can be blocked by its contents:
iptables -I INPUT 1 -p tcp --dport 80 -m string --string "GET / HTTP/1.0" --algo kmp -j DROP
This drops every packet that contains the string, including requests from legitimate HTTP/1.0 clients (old proxies, some monitoring tools), and it does not see a string that is split across two packets, so use it only for a distinctive signature and remove the rule when the attack is over.
Of course, this is not everything, but it is quite enough against a small flood.
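Typed one by one, the rules above pile up duplicates every time they are re-run and land wherever INPUT happens to end. Here is an added script, not from the page or from any tool, that puts them in their own chain, skips rules that already exist (iptables -C returns 0 for an identical rule) and jumps to the chain before anything else in INPUT. The TRUSTED range, the chain name HTTP_FLOOD and the use of connlimit instead of iplimit are assumptions; by default it only prints the commands.

```shell
#!/bin/sh
# Added example (not from the page or any tool): the section's rules with the
# connlimit match, in a dedicated chain, applied idempotently.
# Assumed: iptables with the connlimit and string matches, HTTP on port 80,
# and TRUSTED as a range that must never be limited (monitoring/admin hosts).
TRUSTED="${TRUSTED:-203.0.113.0/24}"   # assumed trusted range
DRY_RUN="${DRY_RUN:-1}"                # 1 = print the commands, 0 = apply them

# ipt ARGS...: run iptables, or in dry-run mode print the command
# (arguments containing spaces are quoted so the output can be pasted back).
ipt() {
  if [ "$DRY_RUN" = "1" ]; then
    out="iptables"
    for a in "$@"; do
      case $a in
        *' '*) out="$out '$a'" ;;
        *)     out="$out $a" ;;
      esac
    done
    echo "$out"
  else
    iptables "$@"
  fi
}

# add_rule ACTION CHAIN RULE...: -A or -I the rule unless it is already present
add_rule() {
  action=$1; chain=$2; shift 2
  if [ "$DRY_RUN" = "1" ] || ! iptables -C "$chain" "$@" 2>/dev/null; then
    ipt "$action" "$chain" "$@"
  fi
}

http_flood_rules() {
  # a dedicated chain; creating it again when it exists is harmless
  ipt -N HTTP_FLOOD 2>/dev/null || true
  # never limit the trusted range
  add_rule -A HTTP_FLOOD -s "$TRUSTED" -j RETURN
  # refuse a new connection (SYN) from an address that already holds 10
  add_rule -A HTTP_FLOOD -p tcp --syn -m connlimit --connlimit-above 10 --connlimit-mask 32 -j DROP
  # at most 40 connections per /24; a reset makes well-behaved clients fail fast
  add_rule -A HTTP_FLOOD -p tcp --syn -m connlimit --connlimit-above 40 --connlimit-mask 24 -j REJECT --reject-with tcp-reset
  # signature of a single repeated odd request; remove once the attack is over
  add_rule -A HTTP_FLOOD -p tcp -m string --string "GET / HTTP/1.0" --algo kmp -j DROP
  # jump to the chain at the top of INPUT, ahead of any rule that accepts port 80
  add_rule -I INPUT -p tcp --dport 80 -j HTTP_FLOOD
}

# usage: sh flood-rules.sh run            (prints the commands)
#        DRY_RUN=0 sh flood-rules.sh run  (applies them, as root)
if [ "${1:-}" = "run" ]; then
  http_flood_rules
fi
```

The RETURN for TRUSTED comes first on purpose: connlimit counts connections per source, and your own monitoring host or a reverse proxy in front of the server would otherwise be the first thing the /24 rule cuts off.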