    dos deflate tweaking

    We all know how useful DOS-Deflate can be in blocking socket floods; it does its job well. The only problem is that after a socket flood, even when DOS-Deflate catches the offenders, Apache takes a few minutes to recover unless you go in and restart it manually.

    I was wondering if anyone could help me find a way for DOS-Deflate to restart Apache after it bans the IP.

    Code:
    #!/bin/sh
    ##############################################################################
    # DDoS-Deflate version 0.6 Author: Zaf <[email protected]>                        #
    ##############################################################################
    # This program is distributed under the "Artistic License" Agreement         #
    #                                                                            #
    # The LICENSE file is located in the same directory as this program. Please  #
    #  read the LICENSE file before you make copies or distribute this program   #
    ##############################################################################
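    load_conf()
    {
        # Sources /usr/local/ddos/ddos.conf into the current shell; that file is
        # where BAN_PERIOD, FREQ, KILL, NO_OF_CONNECTIONS, IGNORE_IP_LIST, IPT,
        # APF, APF_BAN and EMAIL_TO are expected to come from.
        # Prints the banner and exits 1 when the file is missing.
        #
        # The config is *executed* by this script, which bans with iptables/apf
        # and so runs as root: a config that any other user can write to is a
        # root shell for that user.  Refuse the clearly unsafe case.
        CONF="/usr/local/ddos/ddos.conf"
        if [ ! -f "$CONF" ]; then
            head
            echo "$CONF not found." >&2
            exit 1
        fi
        # NOTE(review): the script does not state what ownership it expects for
        # ddos.conf, so this is a best-effort check that only rejects a
        # world-writable file (it is skipped silently if find(1) cannot run).
        if [ -n "$(find "$CONF" -perm -o+w 2>/dev/null)" ]; then
            echo "$CONF is world-writable; refusing to source it." >&2
            exit 1
        fi
        # '.' rather than 'source': the shebang is /bin/sh, where 'source' is
        # not guaranteed to exist.
        . "$CONF"
    }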
    
    head()
    {
        # Prints the program banner (name/version, copyright) followed by one
        # blank line.  The name shadows head(1) for the rest of this script;
        # nothing visible in the script relies on the external command.
        printf '%s\n' \
            'DDoS-Deflate version 0.6' \
            'Copyright (C) 2005, Zaf <[email protected]>' \
            ''
    }
    
    showhelp()
    {
        # Prints the banner and then the usage text for ddos.sh, one line per
        # argument to printf.
        head
        printf '%s\n' \
            'Usage: ddos.sh [OPTIONS] [N]' \
            'N : number of tcp/udp    connections (default 150)' \
            'OPTIONS:' \
            '-h | --help: Show    this help screen' \
            '-c | --cron: Create cron job to run this script regularly (default 1 mins)' \
            '-k | --kill: Block the offending ip making more than N connections'
    }
    
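    unbanip()
    {
        # Schedules the removal of every address listed in $BANNED_IP_LIST after
        # $BAN_PERIOD seconds: a throw-away script is generated and sourced in
        # a background subshell, so this function returns immediately.
        # The generated script also removes those addresses from
        # $IGNORE_IP_LIST again (the main loop adds each banned address there
        # so it is not banned a second time while the ban is active) and then
        # deletes its own temp files.
        # Globals read: BAN_PERIOD, APF_BAN, APF, IPT, BANNED_IP_LIST,
        #   IGNORE_IP_LIST.
        # Returns 1 (nothing scheduled) if a temp file cannot be created.
        UNBAN_SCRIPT=$(mktemp /tmp/unban.XXXXXXXX) || return 1
        TMP_FILE=$(mktemp /tmp/unban.XXXXXXXX) || return 1
        UNBAN_IP_LIST=$(mktemp /tmp/unban.XXXXXXXX) || return 1
        {
            echo '#!/bin/sh'
            echo "sleep $BAN_PERIOD"
            # '|| [ -n "$line" ]' also takes a last line without a newline.
            while read -r line || [ -n "$line" ]; do
                # Each line is pasted verbatim into a script that runs as root;
                # the main loop writes only addresses here, but keep anything
                # that does not look like one out of the script regardless.
                case $line in
                    '' | *[!0-9A-Fa-f.:]* ) continue ;;
                esac
                if [ "${APF_BAN:-0}" -eq 1 ]; then
                    echo "$APF -u $line"
                else
                    echo "$IPT -D INPUT -s $line -j DROP"
                fi
                echo "$line" >> "$UNBAN_IP_LIST"
            done < "$BANNED_IP_LIST"
            # -F -x: whole-line, literal match.  The original unanchored regex
            # match also deleted whitelist entries that merely *contain* a
            # banned address (unbanning 10.0.0.1 dropped 10.0.0.10 too).
            echo "grep -v -F -x --file=$UNBAN_IP_LIST $IGNORE_IP_LIST > $TMP_FILE"
            echo "mv $TMP_FILE $IGNORE_IP_LIST"
            echo "rm -f $UNBAN_SCRIPT $UNBAN_IP_LIST $TMP_FILE"
        } > "$UNBAN_SCRIPT"
        # Sourced (not exec'd) in the background, as the original did, so the
        # caller is not held up for BAN_PERIOD seconds.
        . "$UNBAN_SCRIPT" &
    }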
    
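    add_to_cron()
    {
        # (Re)writes the cron.d file that runs this script every $FREQ minutes.
        # The old file is removed and crond restarted before the new one is
        # written, so a stale entry with a different schedule never coexists
        # with the new one.
        # Globals read: CRON (path of the cron.d file), FREQ (minutes).
        # Returns 1 without touching anything if CRON is empty or FREQ is not a
        # positive integer; the original ran 'rm -f' with no operand and wrote
        # a malformed schedule in those cases.
        if [ -z "$CRON" ]; then
            echo "CRON is not set; refusing to write a cron entry." >&2
            return 1
        fi
        case $FREQ in
            '' | *[!0-9]* | 0 )
                echo "FREQ must be a positive integer (got '$FREQ')." >&2
                return 1
                ;;
        esac
        rm -f -- "$CRON"
        sleep 1
        service crond restart
        sleep 1
        if [ "$FREQ" -le 2 ]; then
            schedule="0-59/$FREQ"
        else
            # Random start minute in 1..FREQ-1 so several hosts do not all run
            # in the same minute.  $RANDOM is a bash extension; under a plain
            # POSIX sh it is unset and the start minute falls back to 1.
            START_MINUTE=$(( ${RANDOM:-0} % (FREQ - 1) + 1 ))
            END_MINUTE=$(( 60 - FREQ + START_MINUTE ))
            schedule="$START_MINUTE-$END_MINUTE/$FREQ"
        fi
        {
            echo "SHELL=/bin/sh"
            echo "$schedule * * * * root /usr/local/ddos/ddos.sh >/dev/null 2>&1"
        } > "$CRON"
        service crond restart
    }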
    
    
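    load_conf
    # Command-line handling.  Options are processed in order; a bare number
    # overrides NO_OF_CONNECTIONS from ddos.conf.
    while [ $# -gt 0 ]; do
        case $1 in
            '-h' | '--help' | '?' )
                showhelp
                exit
                ;;
            '--cron' | '-c' )
                add_to_cron
                exit
                ;;
            '--kill' | '-k' )
                KILL=1
                ;;
            '' | *[!0-9]* )
                # Anything else that is not made only of digits is a usage
                # error.  The original pattern '*[0-9]*' accepted e.g. '12abc'
                # as the threshold and failed later in an integer comparison.
                showhelp
                exit 1
                ;;
            * )
                NO_OF_CONNECTIONS=$1
                ;;
        esac
        shift
    done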
    
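    #######################################
    # Main: snapshot the current connections, ban every remote address with at
    # least NO_OF_CONNECTIONS of them, mail the list and schedule the unban.
    # Globals read (from ddos.conf / argv): KILL, NO_OF_CONNECTIONS,
    #   IGNORE_IP_LIST, APF_BAN, APF, IPT, EMAIL_TO.
    # Side effects: iptables/apf rules, lines appended to IGNORE_IP_LIST,
    #   one mail, temp files under /tmp/ddos.* (removed on exit).
    #######################################

    # Returns 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
    # The connection table is parsed from netstat text, so before an entry is
    # handed to iptables/apf (and written into the unban script, which runs as
    # root) make sure it really is an address and not a header word, an IPv6
    # address, or an empty field.
    is_ipv4()
    {
        case $1 in
            '' | *[!0-9.]* | .* | *. | *..* ) return 1 ;;
        esac
        _ipv4_ifs=$IFS
        IFS=.
        set -- $1
        IFS=$_ipv4_ifs
        [ $# -eq 4 ] || return 1
        for _ipv4_octet in "$@"; do
            [ "$_ipv4_octet" -le 255 ] 2>/dev/null || return 1
        done
        return 0
    }

    TMP_PREFIX='/tmp/ddos'
    BANNED_IP_MAIL=$(mktemp "$TMP_PREFIX.XXXXXXXX") || exit 1
    BANNED_IP_LIST=$(mktemp "$TMP_PREFIX.XXXXXXXX") || exit 1
    BAD_IP_LIST=$(mktemp "$TMP_PREFIX.XXXXXXXX") || exit 1
    # Remove only this run's files.  The original 'rm -f /tmp/ddos.*' also
    # deleted the files of a second instance running at the same time (cron
    # every minute plus a manual run); an EXIT trap also fires on the early
    # 'exit' paths and on a signal.
    trap 'rm -f -- "$BANNED_IP_MAIL" "$BANNED_IP_LIST" "$BAD_IP_LIST"' EXIT

    echo "Banned the following ip addresses on $(date)" > "$BANNED_IP_MAIL"
    echo >> "$BANNED_IP_MAIL"

    # Foreign-address column of every tcp/udp socket with the port stripped
    # off the end (an IPv6 address keeps its colons instead of being cut down
    # to an empty string), counted and sorted most-connections-first.
    netstat -ntu | awk '{ a = $5; sub(/:[^:]*$/, "", a); print a }' | sort | uniq -c | sort -nr > "$BAD_IP_LIST"
    cat "$BAD_IP_LIST"

    if [ "${KILL:-0}" -eq 1 ]; then
        # 150 is the default documented in showhelp.
        NO_OF_CONNECTIONS=${NO_OF_CONNECTIONS:-150}
        IP_BAN_NOW=0
        # uniq -c lines are "<count> <address>"; the list is sorted descending,
        # so the first entry under the threshold ends the scan.
        while read -r CURR_LINE_CONN CURR_LINE_IP _rest; do
            [ "$CURR_LINE_CONN" -ge "$NO_OF_CONNECTIONS" ] 2>/dev/null || break
            if ! is_ipv4 "$CURR_LINE_IP"; then
                echo "not banning '$CURR_LINE_IP' ($CURR_LINE_CONN connections): not an IPv4 address" >&2
                continue
            fi
            # Whole-line, literal match.  The original 'grep -c $ip' matched
            # the address as an unanchored regex, so a whitelist entry
            # 10.0.0.10 also exempted 10.0.0.1 from being banned.
            if grep -q -F -x -- "$CURR_LINE_IP" "$IGNORE_IP_LIST" 2>/dev/null; then
                continue
            fi
            IP_BAN_NOW=1
            echo "$CURR_LINE_IP with $CURR_LINE_CONN connections" >> "$BANNED_IP_MAIL"
            echo "$CURR_LINE_IP" >> "$BANNED_IP_LIST"
            echo "$CURR_LINE_IP" >> "$IGNORE_IP_LIST"
            # $APF / $IPT are left unquoted on purpose: ddos.conf may set them
            # to a command plus arguments.
            if [ "${APF_BAN:-0}" -eq 1 ]; then
                $APF -d "$CURR_LINE_IP"
            else
                $IPT -I INPUT -s "$CURR_LINE_IP" -j DROP
            fi
        done < "$BAD_IP_LIST"
        if [ "$IP_BAN_NOW" -eq 1 ]; then
            if [ -n "$EMAIL_TO" ]; then
                mail -s "IP addresses banned on $(date)" "$EMAIL_TO" < "$BANNED_IP_MAIL"
            fi
            unbanip
        fi
    fi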
    I tried adding the restart line right after `IP_BAN_NOW=1` in the script, but it didn't work. Anyone got any ideas?

    What did you try adding?

    I added `service httpd restart` in a few places in the script and had someone test it by socket-flooding my server; it didn't work.

    I emailed Zaffer, the author, and will see what he says — surely it's possible.

    You might need the full path rather than `service x restart`: when the script is run from cron, PATH may be minimal, so `service` (normally in /sbin) may not be found.

    try /etc/init.d/httpd restart
