How to survive an HTTP DDoS at 20 Mbps inbound without a hardware firewall.
Sysctl (/etc/sysctl.conf, applied with sysctl -p):
kernel.shmall = 4294967296
vm.min_free_kbytes = 70000
net.core.somaxconn = 65536
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.ip_local_port_range = 2000 61000
net.ipv4.tcp_fin_timeout = 25
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_window_scaling = 0
net.ipv4.tcp_timestamps = 0
net.core.rmem_max = 8388608
net.core.wmem_max = 16777216
net.ipv4.tcp_no_metrics_save = 0
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 87380 16777216
net.core.netdev_max_backlog = 65536
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.ip_conntrack_max = 300000
Caveats before copying this list: net.ipv4.tcp_tw_recycle breaks clients behind NAT, only works when TCP timestamps are on (this list turns them off with net.ipv4.tcp_timestamps = 0) and was removed in Linux 4.12, so leave it out; net.ipv4.ip_conntrack_max is the old name, current kernels use net.netfilter.nf_conntrack_max; and against a SYN flood you also want net.ipv4.tcp_syncookies = 1, which is missing here.
nginx (nginx.conf), in front of Apache:
worker_rlimit_nofile 80000;
events {
    worker_connections 65536;
    use epoll;
}
http {
    gzip off;                    # do not spend CPU compressing replies to bots
    keepalive_timeout 0;         # one request per connection, free the slot at once
    server_tokens off;
    reset_timedout_connection on;
    log_format IP $remote_addr;  # one client address per line, nothing else
    server {
        listen x.x.x.x default deferred;
        location / {
            proxy_pass http://127.0.0.1/;
            ….
            access_log /var/log/nginx/ipban IP;
        }
    }
}
Note that log_format is only valid in the http context, so it must sit above the server block, not inside it.
Apache (listening on 127.0.0.1 behind nginx): set ServerLimit and MaxClients so that the maximum number of httpd processes uses no more than 80% of RAM, i.e. MaxClients ≈ 0.8 × RAM / memory per httpd process. Use top to see how much memory each process consumes.
The following Perl script runs from cron every minute and bans the botnet:
#!/usr/bin/perl
use strict;
use warnings;

# Rotate the IP-only access log and make nginx reopen it (a reload reopens log files;
# until then nginx keeps writing into the moved file, which is the one we process).
system('mv /var/log/nginx/ipban /var/log/nginx/ipban.proc');
system('touch /var/log/nginx/ipban');
system('/etc/init.d/nginx reload');

# Count how many requests each client address made during the last minute.
open(my $f, '<', '/var/log/nginx/ipban.proc') or die "ipban.proc: $!";
my %h = ();
while (<$f>) {
    chomp;
    # Anchored: the key is passed to a shell command below, so accept only a bare dotted quad.
    $h{$_}++ if /^\d+\.\d+\.\d+\.\d+$/;
}
close $f;

# Drop everything from addresses above the threshold (20 requests per minute here).
foreach my $k (keys %h) {
    if ($h{$k} > 20) {
        system("iptables -I INPUT -s $k -j DROP");
        print "$k banned\n";
    }
}
The threshold of 20 was arrived at by trial and error for this server and this nginx location. Once the script had ruthlessly banned 2K hosts, the server started to show outward signs of life; after 3K banned zombies the main page began to open.
A more serious DDoS would, of course, be hard to beat with such simple software.
Update. As time went on, the ban table kept growing and the DDoSers did not stop.
CSF:
This firewall can do many things, but almost everything it knows how to do was useless here; what I needed was temporary IP bans.
In its configuration I disabled almost everything, because all of it got in the way. The only thing I wanted from this software was banning an IP with a TTL, i.e. for a limited time. The cron job was also changed to run every 5 minutes.
Accordingly, the ban step in the cron script changed. Instead of a permanent iptables DROP at more than 20 requests per one-minute run:
    if ($h{$k} > 20) {
        system("iptables -I INPUT -s $k -j DROP");
it now issues a CSF temporary deny that expires after 28800 seconds (8 hours), at more than 60 requests per five-minute run:
    if ($h{$k} > 60) {
        system("/usr/sbin/csf --tempdeny $k 28800");
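The whole cron job, written out as an added example in POSIX shell (this is not the post's Perl script and not code from CSF or nginx); it covers both the original permanent iptables DROP and the later csf --tempdeny variant, and adds the two checks the post's script lacks: an allowlist so the loopback backend and your own monitoring hosts can never be banned, and an idempotent iptables insert so repeated runs do not pile up duplicate rules. Assumptions not taken from the post: the log holds exactly one IPv4 address per line (which is what `log_format IP $remote_addr;` produces), the variables BAN_BACKEND, DRY_RUN, ALLOWLIST, THRESHOLD and TTL are this example's own, and `nginx -s reopen` (SIGUSR1, reopen log files only) is used in place of the full `/etc/init.d/nginx reload`.

```shell
#!/bin/sh
# Added example, not the original post's script: rotate the IP-only log, count
# requests per address, ban the loud ones. Assumed (not from the post): one IPv4
# address per log line; the BAN_BACKEND/DRY_RUN/ALLOWLIST/THRESHOLD/TTL knobs are
# this example's own; `nginx -s reopen` replaces the post's init.d reload.

LOG=${LOG:-/var/log/nginx/ipban}
THRESHOLD=${THRESHOLD:-60}        # requests per run; 60 per 5-minute run, as in the CSF version
TTL=${TTL:-28800}                 # csf temporary-deny lifetime in seconds (8 h), as in the post
BAN_BACKEND=${BAN_BACKEND:-csf}   # csf (temporary deny) or iptables (permanent DROP)
DRY_RUN=${DRY_RUN:-0}             # 1 = print ban commands on stderr instead of running them
# Addresses that must never be banned however many lines they produce: loopback
# (health checks against the proxied backend); add your own public IP and monitors.
ALLOWLIST=${ALLOWLIST:-"127.0.0.1"}

# run CMD...: execute CMD, or just echo it in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*" >&2; else "$@"; fi
}

# rotate_log: move the live log aside, recreate it, make nginx reopen it. Until the
# reopen nginx keeps writing into the moved inode, which is the file we process.
rotate_log() {
    mv "$LOG" "$LOG.proc" && : > "$LOG" && run nginx -s reopen
}

# find_offenders FILE THRESHOLD: print, sorted, every address seen more than
# THRESHOLD times in FILE. Lines that are not a bare dotted quad are ignored, so
# nothing but an IPv4 literal ever reaches a ban command line.
find_offenders() {
    LC_ALL=C grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' "$1" \
        | LC_ALL=C sort | uniq -c \
        | awk -v t="$2" '$1 > t { print $2 }' \
        | LC_ALL=C sort
}

# is_allowed IP: succeed if IP is on the allowlist.
is_allowed() {
    for a in $ALLOWLIST; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# ban_ip IP: temporary deny via csf (expires after TTL, so the table stays bounded),
# or a permanent iptables DROP inserted only if no identical rule exists yet
# (`iptables -C` tests for an existing rule).
ban_ip() {
    case "$BAN_BACKEND" in
        csf)
            run /usr/sbin/csf --tempdeny "$1" "$TTL" "http flood" ;;
        iptables)
            if [ "$DRY_RUN" = 1 ] || ! iptables -C INPUT -s "$1" -j DROP 2>/dev/null; then
                run iptables -I INPUT -s "$1" -j DROP
            fi ;;
        *)
            echo "unknown BAN_BACKEND=$BAN_BACKEND" >&2; return 2 ;;
    esac
}

# process FILE THRESHOLD: ban each offender that is not allowlisted; print the
# banned addresses on stdout, one per line.
process() {
    find_offenders "$1" "$2" | while read -r ip; do
        if is_allowed "$ip"; then
            echo "skip $ip (allowlisted)" >&2
            continue
        fi
        ban_ip "$ip" && echo "$ip"
    done
}

# write_sample FILE: constructed log for trying the script offline: two flooding
# bots, one normal visitor, a loopback health check, and one junk line.
write_sample() {
    {
        i=0; while [ $i -lt 12 ]; do echo 203.0.113.7; i=$((i + 1)); done
        i=0; while [ $i -lt 5 ];  do echo 10.0.0.5;    i=$((i + 1)); done
        i=0; while [ $i -lt 8 ];  do echo 127.0.0.1;   i=$((i + 1)); done
        echo 198.51.100.9; echo 198.51.100.9
        echo "- not an address -"
    } > "$1"
}

# Live use from cron every 5 minutes:  */5 * * * * /usr/local/sbin/ban.sh --run
if [ "${1:-}" = "--run" ]; then
    rotate_log
    process "$LOG.proc" "$THRESHOLD"
fi
```

Run it once as `DRY_RUN=1 ban.sh --run` to see which addresses would be banned before letting cron run it for real. The allowlist is not cosmetic: with `proxy_pass http://127.0.0.1/`, any local health check or cron fetch shows up in the log as 127.0.0.1, and without the check a busy monitor would be banned like any bot. On the constructed sample, threshold 3 flags 10.0.0.5, 127.0.0.1 and 203.0.113.7, and process bans only the first and the last.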
The target of the attack, a single page, was made static. The DDoS subsided and the site is alive.