jgmdev / ddos-deflate
Fork of DDoS Deflate with fixes, improvements and new features.
License: Other
Hi,
I'm using EasyEngine on Ubuntu 14.04 LTS. I have found the ddos service doesn't start at boot; I always start it manually.
Hello,
I have to whitelist Cloudflare's IPs on ddos-deflate, otherwise they get banned.
But all the IPs are in this form: 103.21.244.0/22, and the script is not compatible with that :(
On Debian Buster, nftables is the default instead of iptables.
nftables is becoming more widely used.
Implementing it in DDoS Deflate would make the tool more reliable on Debian Buster, for example, and for users who already use nftables.
Hello,
when an IP is blocked I am sent an e-mail by ddos.sh, where I add links to services like:
https://www.abuseipdb.com/check/54.172.1.44
http://blacklist.myip.ms/54.172.1.44
https://censys.io/ipv4/54.172.1.44/whois
https://cymon.io/54.172.1.44
Discover accessed domain: /bin/sh /scripts/ip2logfile 54.172.1.44
This way I can see details or abuse reports for this IP, and I can manually execute my ip2logfile script to check various log files for this IP and see what that IP was doing. But I do not include this script's output in the mail file, nor netstat details, so as not to put high load on the server when it is "attacked" by bad IPs.
Is this a good idea, or do you suggest any commands that can tell me as many details about the attacking IP as possible?
I tried:
echo "First 100 netstat entries:" >> "$BANNED_IP_MAIL"
netstat -ntu | tr -d '\r' | grep "$CURR_LINE_IP" | head -n 100 >> "$BANNED_IP_MAIL"
and a few other ways, but it never appears in the e-mail. Or do you suggest another way to discover/record as much data about the IP as possible?
Since this tool is no longer developed and can't provide protection when we use a CDN like Cloudflare, if anyone needs it please take a look at my approach here - https://github.com/karek314/ddos-deflate-nginx-cloudflare
I have created a fork of this repository and added the code needed to support BSD operating systems. While the additions are currently undergoing testing, my overall goal is to have these changes incorporated into this project (pull request).
For those who are interested:
https://github.com/nuxy/ddos-deflate-ipfw
The idea would be to add functionality to block a subnet with simultaneous connections to the server when it exceeds a maximum allowed number of connections per subnet; the limit would get activated when the number of clients on the same subnet reaches a defined amount.
For example, let's say the following IP addresses belonging to the same block/subnet have opened connections to your server:
Conn. IP
------------------------
80 1.1.1.1
85 1.1.1.2
99 1.1.1.3
30 1.1.1.4
So the sum of total connections would be 294 for 4 clients that belong to the same subnet. Now let's assume we have these new rules: MAX_SUBNET_CONNS=250 for MAX_SUB_CLIENTS=3
This would mean: allow a maximum of 250 connections for a whole subnet when 3 or more clients from the same subnet are connected. The example given above would result in blocking all the subnet's IP addresses; this way it may be more possible to stop attacks coming from someone controlling equipment behind the same address space.
Ideas, suggestions and point of views are welcome :)
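One way to implement the proposed subnet rule, as an added example in POSIX shell rather than code from ddos-deflate: it groups per-IP counts by /24 (the subnet size is an assumption, since the proposal does not fix one) and applies MAX_SUBNET_CONNS and MAX_SUB_CLIENTS as described above; subnet_offenders and SAMPLE_CONNS are hypothetical names and the sample input is constructed.

```shell
# Added example, not ddos-deflate code. Reads "<count> <ip>" lines on stdin
# and prints every /24 that has at least $2 (MAX_SUB_CLIENTS) connected hosts
# and more than $1 (MAX_SUBNET_CONNS) connections in total.
subnet_offenders() {
    awk -v max_conns="$1" -v max_clients="$2" '
        # IPv4 only; the /24 prefix is the first three octets (assumed size).
        $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            split($2, o, ".")
            net = o[1] "." o[2] "." o[3] ".0/24"
            conns[net] += $1
            clients[net]++
        }
        END {
            for (net in conns)
                if (clients[net] >= max_clients && conns[net] > max_conns)
                    printf "%s %d connections from %d clients\n", net, conns[net], clients[net]
        }' | sort
}

# Constructed sample: the four hosts from the proposal above plus a second
# /24 that is busy but has too few clients to trigger the rule.
SAMPLE_CONNS='80 1.1.1.1
85 1.1.1.2
99 1.1.1.3
30 1.1.1.4
200 10.0.0.5
120 10.0.0.6'

# MAX_SUBNET_CONNS=250, MAX_SUB_CLIENTS=3: only 1.1.1.0/24 (294 conns, 4 clients)
# is reported; 10.0.0.0/24 has 320 connections but only 2 clients.
printf '%s\n' "$SAMPLE_CONNS" | subnet_offenders 250 3
```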
Hello,
We use this on a web server and it works well, but we also have proftpd in passive mode (PassivePorts 49152 65535), and if we transfer many files proftpd creates many connections and the IP gets banned.
Please add a port-range whitelist.
Your program is not compatible with other distributions like Ubuntu or Debian.
Can you rewrite the code for Ubuntu/Debian?
BANDWIDTH_CONTROL has too high CPU usage to be usable: constantly >10% (DAEMON_FREQ is set to 10 seconds).
I suspect something is wrong, because iftop wasn't installed, though the last release says "Added iftop as new dependency". I installed it but nothing changed.
With BANDWIDTH_CONTROL=false the CPU is not used, so it is a bandwidth monitoring problem.
Just reporting. Probably needs some checking before using it. Maybe some broken loop is going on here because of DAEMON_FREQ=0?
A command like "ddos -v4" for bandwidth_control would be great, so we can know whether it works at all.
Here are some nice suggestions that could be optionally applied (by a conf flag) to iptables and ip6tables at the start of the ddos daemon, with the necessary /proc/sys/ changes...
# ddos
/usr/local/ddos/ddos.sh: line 325: syntax error near unexpected token `('
/usr/local/ddos/ddos.sh: line 325: ` grepcidr "$IGNORE_IP" <(echo "$CURR_LINE_IP") >/dev/null && continue || IP_BAN_NOW=1'
The correction was:
# vim /usr/local/ddos/ddos.sh +325
------------------------------------------------------------------------------
FROM:
grepcidr "$IGNORE_IP" <(echo "$CURR_LINE_IP") >/dev/null && continue || IP_BAN_NOW=1
TO:
grepcidr "$IGNORE_IP" < $(echo "$CURR_LINE_IP") >/dev/null && continue || IP_BAN_NOW=1
Hi jgmdev,
I remembered Cloudflare has a feature for banning and unbanning IPs through curl, and I found this bash script example: https://gist.github.com/pjv/926ece8549cd45bac4821945f6ad253c
The scenario would be:
I hope this can be added as an additional layer of protection like ENABLE_CF_BANNING=TRUE
Thanks!
Hello,
I want the script to listen on all the ports specified or in a particular range.
I need your suggestions?
Thanks
Hello! I recently installed the "ddos" script on a new machine, but using the command ddos -v the help command list appears again.
I tried the options below without success:
ddos -v -4
ddos -v4
ddos -v 4
ddos -v[4|6]
ddos -v[4]
My OS is: CentOS release 6.9.
Thank you
The ss version shipped with Debian 8 and 9 may also be too old.
We're seeing a similar issue with Debian 8 and 9. What is the minimum version of ss that ddos requires?
It seems the ss version shipped with that CentOS version is too old. In order to fix this I would need to add some option to force netstat usage if the ss version is old....
You can also try a more recent version of CentOS.
Originally posted by @jgmdev in #54 (comment)
hi jgmdev,
I installed this on CentOS 7 and when I tried to simulate a DDoS on my server/site, ddos -v lists the various Cloudflare IPs as the attacker, and the connection counts range from ~1 to ~100, effectively not blocking anything below the threshold.
Can you help with how this can be fixed? The bulk of the attack is from Cloudflare IPs themselves.
hello
this script has a problem showing IPs
for example if I use ddos -v this is displayed
::ffff:xxx.xxx.xxx.xxx
and after blocking in csf I see this
::ffff:
this script can't block the real IP
thank you
Hello,
I have uninstalled an older version of your script (0.7), then installed the new one (latest 0.8), but it shows an error:
error: Required dependency 'tcpkill' is missing.
I'm using EasyEngine on Ubuntu 14.04.3 LTS
Thank you,
//Fixed: Install dsniff package
I think you should auto install Dsniff for ubuntu/debian user.
Why not support blacklist?
Since there are tons of Cloudflare IPs to whitelist, does it work when I do it like this?
111.222.*.*
33.44.55.*
etc
Hi,
I have added all the CloudFlare IPs to my ignore list, but IPs within that range are still getting banned.
Example: 108.162.192.0/18 ignored, yet 108.162.229.32 still banned.
I'm not sure if IP Range compatibility was intended, but I think it would be very useful.
Thanks.
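For the range match the reports above expect (108.162.192.0/18 covering 108.162.229.32), here is an added POSIX sh example, not ddos-deflate's or grepcidr's code, of the containment test grepcidr performs on an ignore list; ip_to_int, ip_in_cidr, ip_ignored and IGNORE_LIST are hypothetical names, the list is constructed, and wildcard entries such as 111.222.*.* are rejected rather than matched.

```shell
# Added example, not ddos-deflate code: IPv4 CIDR containment in pure sh.

# Print "a.b.c.d" as a 32-bit integer; fail on anything else (leading zeros
# are refused because $(( )) would read them as octal).
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -f; set -- $1; set +f; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed when address $1 lies inside $2 (a.b.c.d/n, or a.b.c.d meaning /32).
ip_in_cidr() {
    addr=$(ip_to_int "$1") || return 2
    case $2 in
        */*) net=${2%/*}; bits=${2#*/} ;;
        *)   net=$2;      bits=32 ;;
    esac
    netaddr=$(ip_to_int "$net") || return 2
    case $bits in ''|*[!0-9]*|0[0-9]*) return 2 ;; esac
    [ "$bits" -le 32 ] || return 2
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        # 4294967295 is 0xFFFFFFFF; the shift keeps only the top $bits bits set.
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    fi
    [ $(( addr & mask )) -eq $(( netaddr & mask )) ]
}

# Walk a list in ignore.ip.list form (one IP or CIDR per line, blank lines
# and # comments skipped); print the first entry covering $1, fail if none.
ip_ignored() {
    while read -r entry; do
        case $entry in ''|\#*) continue ;; esac
        if ip_in_cidr "$1" "$entry"; then echo "$entry"; return 0; fi
    done <<EOF
$2
EOF
    return 1
}

# Constructed ignore list using the range from the report above.
IGNORE_LIST='# a /18 range and a single host
108.162.192.0/18
203.0.113.7'

ip_ignored 108.162.229.32 "$IGNORE_LIST"   # covered by 108.162.192.0/18
ip_ignored 108.162.128.1 "$IGNORE_LIST" || echo "108.162.128.1 is not ignored"
```

Feeding the address through a pipe, as in echo "$CURR_LINE_IP" | grepcidr "$IGNORE_IP", avoids bash-only process substitution, which is what produces the syntax error near `(` reported above when the script is run by sh.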
Hello
Unfortunately there is no tcpkill package in Debian Wheezy repository and I can't install and use it.
Thanks
For about an hour install is stuck at "Activating ddos service"
http://deflate.medialayer.com/
this site is not opening
Lately it seems like ddos-deflate has been adding IPv4 bans with ::ffff: into the ip6tables list and doesn't block anything.
Edit 1:
Even though I say "lately", it's just because I updated ddos-deflate the other day from master git.
Also oh... I probably should mention I'm currently running Debian GNU/Linux 9.11 (stretch)
ddos.log example:
(Replaced real IP with 0's)
[2019-10-30 10:44:30] banned ::ffff:0.0.0.0 with 453 connections for ban period 3600
[2019-10-30 10:46:07] banned ::ffff:0.0.0.0 with 450 connections for ban period 3600
[2019-10-30 10:46:09] banned ::ffff:0.0.0.0 with 453 connections for ban period 3600
ip6tables -nvL INPUT --line-numbers
Chain INPUT (policy DROP 11 packets, 880 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 DROP all * * ::ffff:0.0.0.0 ::/0
2 0 0 DROP all * * ::ffff:0.0.0.0 ::/0
3 0 0 DROP all * * ::ffff:0.0.0.0 ::/0
Edit 2:
Tried reinstalling version 1.3 instead of git master. Will inform later on findings.
Is it normal? Should I exclude the 127.0.0.1 and ::1 addresses from the netstat analysis?
For example, I'm not using IPv6 and this is strange:
Banned the following ip addresses on Sun Apr 3 06:25:40 EEST 2016
::1 with 252 connections
Does /etc/ddos/ignore.host.list support wildcard domains?
eg:
*.google.com
*.facebook.com
Hi,
I found a bug. When I try to launch the cron, a message appears with:
/etc/init.d/ddos: line 25: /lib/lsb/init-functions: file or directory not found
A post (http://unix.stackexchange.com/questions/9314/no-such-file-or-directory-etc-init-d-functions) advises installing the package "redhat-lsb" with yum, but it wants to install 65 additional packages...
I continue my research.
Thank you for this "fork", I love this tool ! I use it since 3 years now ! 😄
Hi,
I'm wondering how to add an IP family to ignore.ip.list.
Like
123,225,567,34
123,225,567,35
123,225,567,36
and more IPs exist in a service; I don't know all the IPs, so can I add them as a family to ignore.ip.list like "123,225.*"? Is that possible?
I need to run the following command to create a list of IP addresses connected to the server, along with their total number of connections.
ss -Hntu | awk '{print $6}' | sort | uniq -c | sort -nr
We receive the following error:
ss: invalid option -- 'H'
Usage: ss [ OPTIONS ]
ss [ OPTIONS ] [ FILTER ]
-h, --help this message
-V, --version output version information
-n, --numeric don't resolve service names
-r, --resolve resolve host names
-a, --all display all sockets
-l, --listening display listening sockets
-o, --options show timer information
-e, --extended show detailed socket information
-m, --memory show socket memory usage
-p, --processes show process using socket
-i, --info show internal TCP information
-s, --summary show socket usage summary
-4, --ipv4 display only IP version 4 sockets
-6, --ipv6 display only IP version 6 sockets
-0, --packet display PACKET sockets
-t, --tcp display only TCP sockets
-u, --udp display only UDP sockets
-d, --dccp display only DCCP sockets
-w, --raw display only RAW sockets
-x, --unix display only Unix domain sockets
-f, --family=FAMILY display sockets of type FAMILY
-A, --query=QUERY, --socket=QUERY
QUERY := {all|inet|tcp|udp|raw|unix|packet|netlink}[,QUERY]
-D, --diag=FILE Dump raw information about TCP sockets to FILE
-F, --filter=FILE read filter information from FILE
FILTER := [ state TCP-STATE ] [ EXPRESSION ]
Is there a known workaround?
Hello.
I've whitelisted my IP, restarted the daemon and I am still getting banned after reaching the connection limit. "ddos --i" shows my IP as whitelisted, so it should work. System is Debian 6, running as daemon.
Greetings.
IPv6 was implemented by using ss to properly display connections and ip6tables to block excessive connections. Still, it hasn't been implemented for block_incoming only and needs testing.
Any testing appreciated.
Hello, I used a different version of ddos-deflate and it blocked Cloudflare's IPs.
I see this version has some Cloudflare feature, but I do not know whether it would be effective.
Numerous hosted sites are using Cloudflare. This is Apache + Cachewall, which utilizes Varnish cache + cloudflare_module.
The next thing I want to ask is whether it is correct for the Cloudflare IPs to be blocked (that blocked IP showed roughly three hundred connections).
I tried to add the CF IP ranges in CIDR format into the ignore list, but that did not work; the script does not match the IPs to the subnet: Amet13/ddos-deflate#4
Hey there,
I'm not sure if this is an issue with DDoS Deflate or just an incompatibility with the old Ubuntu 14 (server), but I get this error while using ddos.sh:
ss: invalid option -- 'H'
Any idea about how to solve?
Cheers
After installing everything successfully, the ddos command returns the following error: $CONF not found.
Everything that the ddos command returns:
/usr/local/ddos/ddos.sh: 25: [: /etc/ddos/ddos.conf: unexpected operator
DDoS-Deflate version 0.9
Copyright (C) 2005, Zaf <[email protected]>
$CONF not found.
Running on Ubuntu 16.10 x32 with ddos-deflate v0.9
Notes:
I can't get it running on Debian
systemctl start ddos
-bash: systemctl: command not found
sudo /usr/local/ddos/ddos.sh -c
Warning: this feature is deprecated and ddos-deflate should be run on daemon mode instead.
service ddos restart
ddos: unrecognized service
/etc/init.d/ddos restart
-bash: /etc/init.d/ddos: No such file or directory
Can this updated version be based on CentOS 7.x or higher only? My system is CentOS 6.3 x64; running the ss -Hntu | awk '{print $6}' | sort | uniq -c | sort -nr command prompts: ss: invalid option -- 'H'
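As an added example (not ddos-deflate code) of the per-peer count the script builds from ss, this function takes ss -ntu output on stdin and works on the old iproute2 versions reported above that lack -H, while also unwrapping the ::ffff: IPv4-mapped peers from the earlier ip6tables reports and dropping loopback; count_peers and SAMPLE_SS are hypothetical names and the sample is constructed.

```shell
# Added example, not ddos-deflate code: count connections per peer address
# from `ss -ntu` output. Works without -H (the header line is dropped by
# pattern), strips the ::ffff: prefix so IPv4-mapped peers are counted and
# banned as IPv4, and ignores loopback peers.
count_peers() {
    awk '
        # Header that ss prints when -H is missing or unsupported.
        $1 == "Netid" || $1 == "State" { next }
        {
            # With -t and -u together, field 6 is "Peer Address:Port".
            peer = $6
            sub(/:[0-9]+$/, "", peer)       # strip the port
            sub(/^\[?::ffff:/, "", peer)    # IPv4-mapped IPv6 -> plain IPv4
            sub(/^\[/, "", peer)            # unbracket IPv6 literals
            sub(/\]$/, "", peer)
            if (peer == "127.0.0.1" || peer == "::1") next
            count[peer]++
        }
        END { for (p in count) print count[p], p }
    ' | sort -nr
}

# Constructed ss -ntu output covering the cases above (documentation addresses).
SAMPLE_SS='Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp ESTAB 0 0 10.0.0.2:443 [::ffff:203.0.113.9]:51234
tcp ESTAB 0 0 10.0.0.2:443 203.0.113.9:51235
tcp ESTAB 0 0 10.0.0.2:443 ::ffff:203.0.113.9:51236
tcp ESTAB 0 0 10.0.0.2:443 198.51.100.4:40001
tcp ESTAB 0 0 127.0.0.1:53 127.0.0.1:39999
tcp ESTAB 0 0 [::1]:53 [::1]:40000
tcp ESTAB 0 0 [2001:db8::2]:443 [2001:db8::1]:5000
tcp ESTAB 0 0 [2001:db8::2]:443 [2001:db8::1]:5001'

# Live use would be: ss -ntu | count_peers
printf '%s\n' "$SAMPLE_SS" | count_peers
```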
Hello guys,
awesome script, it works like a charm, but there is something strange here :)
Is there any meaningful explanation for these 2 lines of code:
https://github.com/jgmdev/ddos-deflate/blob/master/src/ddos.sh#L125-L126
My version is CentOS Linux release 7.6.1810 (Core)
There is no output with these commands :
ddos -v -4
ddos -v4
ddos -v 4
ddos -v[4|6]
ddos -v[4]
Hello, I don't see any usage of ip6tables (https://github.com/jgmdev/ddos-deflate/search?utf8=%E2%9C%93&q=ip6tables), is the script compatible with IPv6 ? If not, is any of its forks ?
cat /etc/cron.d/ddos
0-59/1 * * * * root /usr/local/sbin/ddos -k >/dev/null 2>&1
Guys,
I have a problem here. Could I ask you for some help or at least detailed advice?
I am running a pihole server on a VPS. On the same VPS a DNS server called unbound is installed.
In fact only port 53 is open; the port where unbound directly listens for queries is closed from outside. Only 127.0.0.1 (the pihole server) can send queries there.
Now, for 3 days I have been the victim of a massive attack. 60000 queries.....
The funny part: only 0.1 % of the queries are filtered by pihole, as if someone has access to unbound directly, which as far as my knowledge goes is impossible.
I installed your app in the hope of blocking this DDoS or dynamic DDoS attack, but it doesn't work.
The app seems to be running on the server, but doesn't block port 53.
When I do: ddos --view-port 53
I get: 1 118.24.147.252:63498
so I can see that someone from Qinzhou, China, somewhere left of Hong Kong, with IP 118.24.147.252 is attacking me, but the app doesn't block him on port 53...
(Or at least his VPN provider has a server there.)
Is there anything I can do to focus on port 53?
I am a beginner and student in this stuff, and I know I took a risk in deploying a DNS server.
But from mistakes you learn, no?
Thanks for any help.
UPDATE:
When I do:
ddos --view-port 53
He changes his IP address every time....
1 118.24.147.252:43401
root@user:/etc/ddos# ddos --cron
Warning: this feature is deprecated and ddos-deflate should be run on daemon mode instead.
root@user:/etc/ddos# ddos --start
ddos daemon is already running...
Can I manually add banned ip's?
there is something I really do not understand here.....
When I bypass the program and do a hard:
iptables -I INPUT -s 118.24.147.252 -j DROP
to block at least that ip address, and afterwards I do a
ddos --view-port 53,
the response is:
1 118.24.147.252:8550
1 118.24.147.252:13183
So, I block it and they still manage to get queries???? Am I missing something here?
Can Chinese admins bypass iptables firewalls?
oh, before you ask for it, I forgot to add this:
root@user:/etc/ddos# ddos --start
ddos daemon is already running...
@jgmdev hello, I use a CentOS 7.4 system and installed this script, but it does not work. I found my system has no "grepcidr", so I wanted to install "grepcidr" with the command "yum install grepcidr", but it shows the error: "No package grepcidr available."
So, I want to know how to solve it. Where can I download your grepcidr and install it? Thanks.
The script couldn't get all the IP addresses of the server interfaces when running on a Xen dom0.
ifconfig does not show aliases for the bridge interface xenbr0, so the server blocks its own IPs.
i changed the line
SERVER_IP_LIST=$(ifconfig | grep "inet " | awk '{print $2}' | sed "s/addr://g" | xargs | sed -e 's/ /|/g')
to
SERVER_IP_LIST=$( { hostname -I; echo 127.0.0.1; } | xargs | sed 's/ /|/g' )
Now everything works as expected.
Keep up the good work.
[2017-10-12 17:40:50] banned 2001:xxxx:2:xxx: with 155 connections for ban period 600
[2017-10-12 17:51:24] unbanned banned 2001:xxxx:2:xxx:
[2017-10-12 19:26:34] banned banned 2001:xxxx:2:xxx: with 174 connections for ban period 600
[2017-10-12 19:37:28] unbanned banned 2001:xxxx:2:xxx:
[2017-10-12 20:14:05] banned 2banned 2001:xxxx:2:xxx: with 154 connections for ban period 600
[2017-10-12 20:24:13] unbanned banned 2001:xxxx:2:xxx:
Temporary solution: add my IPv6 addresses to the ignore.ip.list file.
When will you have support for IPv6? Thanks!