Simple DDoS Mitigation [<20 lines]
#11
Good, useful thing.

Thanks
[Image: 2d75599e9a.png]:superman:
Reply
#12
Nice program, I'm using it right now and it works fine, but what do the round and banned stand for?
Reply
#13
(10-05-2009, 02:26 PM)Fallen Wrote: This is a simple *nix DDoS mitigation script I wrote for my own server. It uses some AWK magic, with netstat, to show connections per IP on the server. If an IP has more connections than the set limit, a NullRoute will be added for the offending IP. It will then wait the specified time and repeat. This has proved to be effective with simple DDoS attacks.

CONLIMIT = Maximum connections from a single IP
SLEEP = Time in seconds to wait before repeating the cycle

Code:
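#!/usr/bin/env python
import os, time

CONLIMIT = 20   # maximum connections allowed from a single IP
SLEEP = 12      # seconds to wait before repeating the cycle
Round = 0
Banned = 0
Seen = set()    # IPs already null-routed, so they are not re-added or re-counted

# Connections per remote IP: netstat column 5 is "ip:port", uniq -c prints "<count> <ip>"
CMD = "netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n"

while True:
    Round += 1
    for Line in os.popen(CMD, "r").read().split("\n"):
        List = Line.split(" ")
        try:
            if int(List[-2]) > CONLIMIT and List[-1] not in Seen:
                # Null-route the offending IP through the loopback interface
                os.system("route add %s gw 127.0.0.1 lo" % (List[-1]))
                print("Banning %s...." % (List[-1]))
                Seen.add(List[-1])
                Banned += 1
        except (ValueError, IndexError):
            # Blank lines have no count field to parse
            pass
    print("Round: %s Bans: %s" % (str(Round), str(Banned)))
    time.sleep(SLEEP)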

Don't know too much about Python, but good going.
Reply
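An added example, not part of the original thread or Fallen's script: the `cut -d: -f1` step in the pipeline above cuts an IPv6 peer such as `2001:db8::5:51000` down to `2001`, and nothing stops the loopback address or a trusted host from being null-routed. This sketch does the same per-IP count in Python with address validation; the function names, the `allowlist` parameter and the sample netstat output are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

CONLIMIT = 20  # same threshold name as the script above

# Constructed sample of `netstat -ntu` output (documentation address ranges).
SAMPLE = """Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51000      ESTABLISHED
tcp6       0      0 2001:db8::1:80          2001:db8::5:51000       ESTABLISHED
tcp6       0      0 2001:db8::1:80          2001:db8::9:51001       ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:198.51.100.7:51002 ESTABLISHED
udp        0      0 192.0.2.10:53           203.0.113.4:40000
"""

def remote_ip(field):
    """Return the foreign address as an ipaddress object, or None for junk."""
    host, sep, _port = field.rpartition(":")   # the port follows the LAST colon
    if not sep:
        return None
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None
    # Count an IPv4-mapped IPv6 peer together with its plain IPv4 form.
    mapped = getattr(ip, "ipv4_mapped", None)
    return ip if mapped is None else mapped

def count_connections(netstat_text):
    counts = Counter()
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 5 or not cols[0].startswith(("tcp", "udp")):
            continue                            # header or blank line
        ip = remote_ip(cols[4])
        if ip is not None:
            counts[str(ip)] += 1
    return counts

def offenders(netstat_text, limit=CONLIMIT, allowlist=()):
    """IPs above the limit, excluding loopback and allowlisted addresses."""
    allowed = {str(ipaddress.ip_address(a)) for a in allowlist}
    return sorted(ip for ip, n in count_connections(netstat_text).items()
                  if n > limit and ip not in allowed
                  and not ipaddress.ip_address(ip).is_loopback)

def route_argv(ip):
    """Null-route command as an argument list (no shell); validated IPv4 only."""
    return ["route", "add", str(ipaddress.IPv4Address(ip)), "gw", "127.0.0.1", "lo"]
```

Passing the list from `route_argv` to `subprocess.call` runs the same `route add` command as the script without building a shell string from netstat output.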
#14
(10-10-2009, 08:12 AM)GhostRaider Wrote: Nice program, I'm using it right now and it works fine, but what do the round and banned stand for?

Just variables used inside the program. Round is how many rotations the script has gone through, and banned is how many offending IPs the script has banned.
[Image: nv70ad.png]
Terrorcore, unleash, extermination
Hyper real, cold blood, determination
fudge them, I like this sensation
Incredible, I from the annihilation
Reply
#15
Cool, so I'm guessing it can DoS sites also, right?
Reply
#16
(10-10-2009, 09:23 AM)GhostRaider Wrote: Cool, so I'm guessing it can DoS sites also, right?

You mean attack sites?
Reply
#17
Yes, attack sites.
Reply
#18
(10-11-2009, 03:28 PM)GhostRaider Wrote: Yes, attack sites.

No.

All this script does is check how many connections to the server a single IP has, and if the number of connections is above the limit, it acts upon it.
Reply
#19
Simple, but effective. Good Job Fallen.
Reply
#20
Bump for great justice!
Reply

