Death to Http Flooders…

April 1st, 2009 by Shadow received 10 Comments »

So, for those of you that don’t know, I work for a hosting company. I enjoy what I do, and for all intents and purposes, I do a pretty good job at it. Recently, one of the sites we host was getting hammered, hardcore.

To save on a very long, long, long winded story of how we battled these flooders, I am going to list what we did to get things working well again.

1. Install and set up APF and BFD from Rfx-network
This is a must

2. Optimize MySQL

3. Run These Lines from shell

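# Record the source address of every new TCP connection to port 80.
iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
# Drop new connections from a source with 50+ hits in 30 seconds (-I puts this rule above the --set rule).
iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 30 --hitcount 50 -j DROP
# Drop all UDP traffic to port 80.
iptables -A INPUT -p udp --dport 80 -j DROP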

Those lines limit how many new connections each source address can open to port 80 (50 within 30 seconds) and drop UDP traffic to port 80 entirely. It's not perfect, but it's one more part of a better-secured server.

The next few steps are still a work in progress; as such, they may change.

4. Create a folder you know will be secure, and navigate to said folder.

5. Run this command from shell to get the nifty script I wrote. (If you downloaded this on 4-1-09, download again; I made a mistake in that release…)
wget http://darksideofperfection.com/projects/php_ddos.tar.bz2

6. Extract said downloaded file.
tar xvf php_ddos.tar.bz2

7. Give execute permissions to cron.sh and netstat.sh
chmod +x cron.sh
chmod +x netstat.sh

8. Add a cron to automatically run the cron.sh
crontab -e
Type: * * * * * /path/to/the/scripts/cron.sh

9. You need to modify the cron.sh to point to ddos.php file and modify ddos.php to point to the netstat.sh file.

10. Sit Back, and watch… The script will check every 30 seconds for any connection connected 50 times or more with the default settings.
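One way to do the per-address connection count that step 10 describes, as an added example (it is not the php_ddos script from this post, whose contents are not shown here). The function names, the sample data and the threshold argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not the post's php_ddos script): list remote addresses holding
# at least N TCP connections to a local port, from `netstat -nt` style output.

# Constructed sample input; addresses are documentation ranges, not real hosts.
sample_netstat() {
    echo "Active Internet connections (w/o servers)"
    echo "Proto Recv-Q Send-Q Local Address           Foreign Address         State"
    awk 'BEGIN {
        for (i = 1; i <= 60; i++)
            printf "tcp 0 0 192.0.2.10:80 203.0.113.7:%d ESTABLISHED\n", 40000 + i
        for (i = 1; i <= 50; i++)   # IPv4-mapped peer on a tcp6 socket
            printf "tcp6 0 0 ::ffff:192.0.2.10:80 ::ffff:198.51.100.9:%d SYN_RECV\n", 50000 + i
        for (i = 1; i <= 49; i++)   # one below the threshold
            printf "tcp 0 0 192.0.2.10:80 198.51.100.23:%d TIME_WAIT\n", 30000 + i
        print "tcp 0 0 192.0.2.10:22 203.0.113.7:51000 ESTABLISHED"   # other port
    }'
}

# flooders THRESHOLD [PORT]: reads netstat output on stdin and prints
# "count address" for every remote address at or above THRESHOLD, busiest first.
flooders() {
    awk -v t="$1" -v p="${2:-80}" '
        $1 ~ /^tcp/ && $6 != "LISTEN" {
            lport = $4; sub(/^.*:/, "", lport)     # text after the last colon
            if (lport != p) next                   # only the watched port
            peer = $5
            sub(/:[0-9]+$/, "", peer)              # drop the remote port
            sub(/^::ffff:/, "", peer)              # fold IPv4-mapped IPv6 to IPv4
            count[peer]++
        }
        END { for (a in count) if (count[a] >= t) print count[a], a }
    ' | sort -rn
}

# On a live host: netstat -nt | flooders 50 80
sample_netstat | flooders 50 80
```

The sample flags the address with 60 connections and the one with exactly 50, and leaves the address with 49 alone; connections to port 22 are not counted.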


Posted under: Coding


  • http://www.dxtgaming.com/ Butterflykissies

    This tech man knows his stuff. I have seen him in action first hand. I am very thankful for what he has given to my website. He has given us peace of mind that my business has a chance at stopping the malicious attacks. He took the customer service to a new level. He is awesome, 1 for techs 0 for hackers!!!

  • http://www.dxtgaming.com/ Dxt-Ezjpimp

    Very nice script. Very useful and effective. “Death To HTTP Flooders” is a great title for this. Resists DDOS attacks quite well. You the man.

  • RoD

    Wow thanks infadel!

  • MATT

    But, this won’t stop NETBOT attacks or will it? I’m just wondering because don’t NETBOTS send 1000’s of connections in like 1 minute?

  • http://www.darksideofperfection.com/ Josh

    It does do a decent job at handling botnets that are not spoofing IPs. If, say, they have one bot masquerading as, say, 1000 different IPs, but all with one connection, that becomes much more difficult to block. You may want to look at http://www.darksideofperfection.com/2009/11/first-script-revision-death-to-httpd-flooders/ as I rewrote this script for Perl to make it a little easier to work with. (It is one file versus 3). Let me know if you have any questions.
