Login

Fallen · 10-05-2009, 02:26 PM

This is a simple *nix DDoS mitigation script I wrote for my own server. It uses some AWK magic, with netstat, to show connections per IP on the server. If an IP has more connections then the set limit, a NullRoute will be added for the offending IP. It will then wait the specified time and repeat. This has proved to be effective with simple DDoS attacks.

CONLIMIT = Maximum connections from a single IP
SLEEP = Time in seconds to wait before repeating the cycle

Code:
#!/usr/bin/env python

import os, time

CONLIMIT = 20

SLEEP = 12

Round = 0

Banned = 0

while True:

 Round += 1

 for Line in os.popen("netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n", "r").read().split("\n"):

  List = Line.split(" ")

  try:

   if int(List[-2]) > CONLIMIT:

    os.system( "route add %s gw 127.0.0.1 lo" % ( List[ -1 ] ) )

    print "Banning %s...." % ( List[ -1 ] )

    Banned += 1

  except Exception:

    pass

 print "Round: %s Bans: %s" % ( str(Round), str(Banned) )

 time.sleep(SLEEP)

Nyx- · 10-05-2009, 02:42 PM

wow awesome script ^__^

MyNameIs940 · (This post was last modified: 10-05-2009, 02:55 PM by MyNameIs940.)

How does it add it I don't understand python, does it use iptables or what? I found a script that uses iptables and looks just like this one, same netstat command. (netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n)

http://deflate.medialayer.com/

Elektrisk · 10-05-2009, 02:59 PM

Great script. This seemed to work well on your forums Smile

St0rmW1nd · 10-05-2009, 03:00 PM

Great script, code looks neat Smile

Fallen · 10-05-2009, 03:54 PM

(10-05-2009, 02:50 PM)MyNameIs940 Wrote: How does it add it I don't understand python, does it use iptables or what? I found a script that uses iptables and looks just like this one, same netstat command. (netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n)

http://deflate.medialayer.com/

yeah thats how it counts, using AWK

MyNameIs940 · 10-05-2009, 04:00 PM

(10-05-2009, 03:54 PM)Fallen Wrote: yeah thats how it counts, using AWK

Ah ok, but this still wastes your banwidth which sucks Sad

but atleast people can still have access to your site.

S0rath 0f the Black Sun · (This post was last modified: 10-08-2009, 05:07 AM by S0rath 0f the Black Sun.)

(10-05-2009, 04:00 PM)MyNameIs940 Wrote: Ah ok, but this still wastes your banwidth which sucks but atleast people can still have access to your site.

Better than having low level skids DDoSing your site with a basic ddos. At least it still allows access for the honest user.

Great script Fallen, and it's short, neat and easy to understand too. Big Grin

Dr.Viper · 10-08-2009, 07:46 AM

Awesome script dude.
Thnx.

Socrates · 10-08-2009, 03:03 PM

You always make good programs. Tongue

Login
Username:
Password:	Lost Password?
	Remember me