Installing DDos-Deflate and making sure that it won’t ban your users
I really like DDos-Deflate and have it installed on almost all servers that I run. The issue is that sometimes it bans your clients, even when they don’t have a high number of connections or are not doing anything wrong.
So, I am going to show how I install it and make a simple modification to avoid this problem.
1. Download and install:
wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh
./install.sh
2. Configuring
Change your settings by editing the file /usr/local/ddos/ddos.conf. I usually only change the email address and the number of connections.
Because of the change we are going to make in step 3, a good connection threshold is between 40 and 50, rather than 150.
3. Changing a few things
Now, edit the file /usr/local/ddos/ddos.sh and find this line:
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr > $BAD_IP_LIST
Change it to:
netstat -ntu | grep ESTAB | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr > $BAD_IP_LIST
And save the file.
4. Conclusion
DDoS-Deflate bans a client’s IP because it counts every connection listed by netstat, whatever its state. If a client uses several services (web, mail and FTP) within a short period, the TIME_WAIT sockets left behind by those short connections push the count over the limit and the IP gets banned.
With the change described above, only established connections are counted.
From my experience, a user will rarely have more than 10 established connections to the server, so if an IP has more than 40 connections, he is probably doing something wrong.
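As an added example (not code from the post or from DDoS-Deflate itself), the script below runs both pipelines, the stock one and the grep ESTAB version, over a constructed netstat sample to show why the unfiltered count bans a well-behaved client. The IP addresses are documentation ranges and the ban comparison is this demo's assumption.

```shell
#!/bin/sh
# Constructed stand-in for `netstat -ntu` output (header lines omitted; not a
# capture from a real host). 192.0.2.10 is a normal client that just used the
# web, mail and ftp services, so most of its sockets sit in TIME_WAIT.
# 198.51.100.7 is holding several ESTABLISHED connections open at once.
SAMPLE_NETSTAT='tcp        0      0 203.0.113.5:80     192.0.2.10:51001     TIME_WAIT
tcp        0      0 203.0.113.5:80     192.0.2.10:51002     TIME_WAIT
tcp        0      0 203.0.113.5:25     192.0.2.10:51003     TIME_WAIT
tcp        0      0 203.0.113.5:21     192.0.2.10:51004     TIME_WAIT
tcp        0      0 203.0.113.5:80     192.0.2.10:51005     ESTABLISHED
tcp        0      0 203.0.113.5:80     198.51.100.7:40001   ESTABLISHED
tcp        0      0 203.0.113.5:80     198.51.100.7:40002   ESTABLISHED
tcp        0      0 203.0.113.5:80     198.51.100.7:40003   ESTABLISHED
tcp        0      0 203.0.113.5:80     198.51.100.7:40004   ESTABLISHED
tcp        0      0 203.0.113.5:80     198.51.100.7:40005   ESTABLISHED
udp        0      0 203.0.113.5:53     192.0.2.10:51010'

# Stock ddos.sh pipeline: every socket counts, whatever its state.
count_all() {
    printf '%s\n' "$SAMPLE_NETSTAT" | awk '{print $5}' | cut -d: -f1 \
        | sort | uniq -c | sort -nr
}

# Modified pipeline from step 3: only ESTABLISHED sockets count. Note that
# unconnected UDP sockets carry no state column, so the filter drops them too.
count_established() {
    printf '%s\n' "$SAMPLE_NETSTAT" | grep ESTAB | awk '{print $5}' \
        | cut -d: -f1 | sort | uniq -c | sort -nr
}

# Connection count for one IP under either pipeline (0 if it is absent).
count_for() {  # usage: count_for <ip> all|established
    if [ "$2" = established ]; then out=$(count_established); else out=$(count_all); fi
    n=$(printf '%s\n' "$out" | awk -v ip="$1" '$2 == ip { print $1 }')
    printf '%s\n' "${n:-0}"
}

# True when the count reaches the ban threshold (NO_OF_CONNECTIONS in ddos.conf).
# The >= comparison is this demo's assumption, not copied from ddos.sh.
would_ban() {  # usage: would_ban <ip> <threshold> all|established
    [ "$(count_for "$1" "$3")" -ge "$2" ]
}

# Stand-alone run: with a threshold of 5 the unfiltered count bans the normal
# client, the ESTABLISHED-only count does not, and the busy client is caught either way.
for ip in 192.0.2.10 198.51.100.7; do
    printf '%s all=%s established=%s\n' "$ip" "$(count_for "$ip" all)" "$(count_for "$ip" established)"
done
```

The UDP point is the trade-off of the step 3 change: connection counts from UDP services no longer contribute to the threshold at all.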
This entry was posted on Wednesday, November 18th, 2009 at 11:18 pm and is filed under Work.