To protect the link from flooding that aims to saturate its capacity, we recommend the ddos-deflate utility. It rate-limits offending IP addresses for a set period; when the period expires they are removed from the restriction list, and if they exceed the threshold again they are added back.
This scheme is convenient and protects the server from unnecessary blocking: in our case IP addresses are not blocked, only throttled.
1. Installation
1.1 Install the necessary utilities
apt install dnsutils
apt-get install net-tools
apt-get install tcpdump
apt-get install dsniff -y
apt install grepcidr
1.2 Install ddos-deflate from the GitHub repository
wget https://github.com/jgmdev/ddos-deflate/archive/master.zip -O ddos.zip
unzip ddos.zip
cd ddos-deflate-master
./install.sh
2. Setup
2.1 Add trusted IP addresses to the whitelist
/etc/ddos/ignore.ip.list
89.111.xx.200
89.111.xx.201
2.2 Activate filtering of incoming traffic by speed
/etc/ddos/ddos.conf
BANDWIDTH_CONTROL=true
BANDWIDTH_CONTROL_LIMIT="1896kbit"
BANDWIDTH_DROP_RATE="512kbit"
BANDWIDTH_DROP_PERIOD=86400
BANDWIDTH_ONLY_INCOMING=true
With this configuration, an IP address whose incoming traffic exceeds roughly 2 megabits per second is throttled to 512 kilobits per second for 24 hours (86400 seconds).
2.3 Apply the settings
service ddos restart
Depending on the capacity of your channel and the intensity of flooding, the limits can be adjusted to suit your needs.
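A pre-flight check worth running before step 2.3, added here as an example and not part of ddos-deflate: it parses the BANDWIDTH_* keys from a ddos.conf, confirms the drop rate is below the trigger limit and the period is in whole seconds, and flags malformed lines in ignore.ip.list. The sample files and their contents are constructed for the demo; point the functions at /etc/ddos/ for real use.

```shell
#!/bin/sh
# Added example: sanity-check ddos.conf and ignore.ip.list before
# "service ddos restart". The checks are this example's own logic, not
# part of ddos-deflate; the sample files below are constructed.

# Read KEY from a ddos.conf-style file, stripping optional double quotes.
conf_get() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# Convert a tc-style rate ("1896kbit", "2mbit") to kbit; 0 if unrecognised.
rate_to_kbit() {
    case "$1" in
        *mbit) echo $(( ${1%mbit} * 1000 )) ;;   # tc uses decimal units
        *kbit) echo "${1%kbit}" ;;
        *)     echo 0 ;;
    esac
}

# Print "ok" when the BANDWIDTH_* settings are consistent, else the problem.
check_ddos_conf() {
    [ "$(conf_get "$1" BANDWIDTH_CONTROL)" = "true" ] || { echo "BANDWIDTH_CONTROL is not true"; return 1; }
    limit=$(rate_to_kbit "$(conf_get "$1" BANDWIDTH_CONTROL_LIMIT)")
    drop=$(rate_to_kbit "$(conf_get "$1" BANDWIDTH_DROP_RATE)")
    period=$(conf_get "$1" BANDWIDTH_DROP_PERIOD)
    [ "$limit" -gt 0 ] || { echo "unrecognised BANDWIDTH_CONTROL_LIMIT"; return 1; }
    if [ "$drop" -le 0 ] || [ "$drop" -ge "$limit" ]; then
        echo "BANDWIDTH_DROP_RATE must be below BANDWIDTH_CONTROL_LIMIT"; return 1
    fi
    case "$period" in
        ''|*[!0-9]*) echo "BANDWIDTH_DROP_PERIOD must be whole seconds"; return 1 ;;
    esac
    echo "ok"
}

# Count allowlist lines that are neither an IPv4 address nor IPv4/CIDR (comments ignored).
bad_ignore_entries() {
    grep -v -E '^[[:space:]]*(#|$)' "$1" | grep -v -c -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Constructed sample files standing in for /etc/ddos/ddos.conf and ignore.ip.list.
TMPD=$(mktemp -d)
printf 'BANDWIDTH_CONTROL=true\nBANDWIDTH_CONTROL_LIMIT="1896kbit"\nBANDWIDTH_DROP_RATE="512kbit"\nBANDWIDTH_DROP_PERIOD=86400\nBANDWIDTH_ONLY_INCOMING=true\n' > "$TMPD/ddos.conf"
printf 'BANDWIDTH_CONTROL=true\nBANDWIDTH_CONTROL_LIMIT="512kbit"\nBANDWIDTH_DROP_RATE="2mbit"\nBANDWIDTH_DROP_PERIOD=86400\n' > "$TMPD/bad.conf"
printf '# office addresses\n192.0.2.10\n198.51.100.0/24\nnot-an-ip\n' > "$TMPD/ignore.ip.list"

check_ddos_conf "$TMPD/ddos.conf"          # ok
check_ddos_conf "$TMPD/bad.conf" || true   # drop rate above the limit: throttling would never bite
echo "malformed allowlist entries: $(bad_ignore_entries "$TMPD/ignore.ip.list")"
```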